By CagedTech in Backdoors

The Ke3chang hacking group (also referred to as APT15) is a Chinese hacking group that has been active since 2012. These malicious actors tend to concentrate their efforts on very high-end targets, usually located in South America or Europe. Government institutions and large corporations in the military and oil industries have fallen victim to this APT (Advanced Persistent Threat). The group has an impressive arsenal of hacking tools, which it updates periodically. One of its most prominent tools is the RoyalDNS backdoor. The Ke3chang group has used this threat in operations targeting corporations and politicians in the Czech Republic and Slovakia, as well as government bodies in the United Kingdom. The RoyalDNS backdoor has also been present in campaigns against various targets in South America.

Persistence and Functionality

Instead of tampering with the Windows Registry, the RoyalDNS malware uses the ‘NWSAPAGENT’ (NetMeeting Remote Desktop Agent) service to gain persistence, which guarantees that the backdoor is relaunched every time the PC is rebooted. The RoyalDNS backdoor is built mainly to serve as a data-gathering tool. The malware generally collects information regarding:

  • Network configurations.
  • Directories.
  • Username.
  • Hard drive parts.
  • Connected devices.
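As an added example (not code from the original post or from any RoyalDNS analysis), the script below triages service-installation records for the persistence pattern described above: a service name on a watchlist, a service binary running from outside the usual system directories, and an auto-start type that makes it survive reboots. It assumes records shaped like the message fields of a Windows System log event 7045 ("A service was installed in the system"); the sample records, service names other than NWSAPAGENT, and file paths are constructed for the demonstration.

```python
"""Added example, not code from the original post: triage of service
installations for the persistence pattern described above.

Input records are shaped like the message fields of Windows System log
event 7045 ("A service was installed in the system"). The sample records
and paths below are constructed; only the service name NWSAPAGENT comes
from the post.
"""
import re
from dataclasses import dataclass

# Service names the post associates with RoyalDNS persistence (case-insensitive).
WATCHLIST = {"nwsapagent"}

# Directories a legitimate service binary normally lives in. An auto-start
# service running from ProgramData, a user profile or a temp folder is the
# pattern worth a closer look.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\program files")


@dataclass
class ServiceInstall:
    name: str
    image_path: str   # "Service File Name" field; may be quoted and carry arguments
    start_type: str   # e.g. "auto start", "demand start"
    account: str


def binary_from_image_path(image_path: str) -> str:
    """Extract the executable from an ImagePath such as
    '"C:\\Program Files\\Vendor\\tool.exe" --service' or
    'C:\\Windows\\System32\\svchost.exe -k netsvcs'."""
    path = image_path.strip()
    if path.startswith('"'):
        return path[1:path.find('"', 1)]
    match = re.match(r"(.+?\.exe)", path, re.IGNORECASE)
    return match.group(1) if match else path.split(" ")[0]


def parse_service_events(text: str) -> list[ServiceInstall]:
    """Parse blank-line-separated 'Field:  value' records."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")   # split on the first colon only
            fields[key.strip().lower()] = value.strip()
        records.append(ServiceInstall(
            name=fields.get("service name", ""),
            image_path=fields.get("service file name", ""),
            start_type=fields.get("service start type", ""),
            account=fields.get("service account", ""),
        ))
    return records


def assess_service(svc: ServiceInstall) -> list[str]:
    """Return the reasons a service installation looks suspicious (empty if none)."""
    reasons = []
    if svc.name.lower() in WATCHLIST:
        reasons.append(f"service name '{svc.name}' is on the watchlist")
    binary = binary_from_image_path(svc.image_path).lower()
    if not binary.startswith(TRUSTED_DIRS):
        reasons.append(f"binary '{binary}' is outside the trusted directories")
    if reasons and "auto" in svc.start_type.lower():
        reasons.append(f"auto-start as {svc.account} makes it persist across reboots")
    return reasons


def triage(text: str) -> dict[str, list[str]]:
    """Map each flagged service name to its list of reasons."""
    result = {}
    for svc in parse_service_events(text):
        reasons = assess_service(svc)
        if reasons:
            result[svc.name] = reasons
    return result


# Constructed sample: one normal svchost-hosted service, one RoyalDNS-style
# NWSAPAGENT service running from ProgramData, one vendor service.
SAMPLE_EVENTS = r"""
Service Name:  DemoSvc
Service File Name:  C:\Windows\System32\svchost.exe -k netsvcs
Service Type:  user mode service
Service Start Type:  auto start
Service Account:  LocalSystem

Service Name:  NWSAPAGENT
Service File Name:  C:\ProgramData\Agent\nwsapagent.exe
Service Type:  user mode service
Service Start Type:  auto start
Service Account:  LocalSystem

Service Name:  VendorTool
Service File Name:  "C:\Program Files\Vendor\tool.exe" --service
Service Type:  user mode service
Service Start Type:  demand start
Service Account:  NT AUTHORITY\LocalService
"""

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_EVENTS).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

Run as-is, only the NWSAPAGENT record is reported, with three reasons; the svchost-hosted service and the vendor service under Program Files pass. The name check alone is the weakest of the three rules, since any attacker can rename a service, so the path and start-type checks are what make the heuristic useful against a sample that does not reuse this exact name.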

Connects to C&C via DNS Protocol

Usually, malware threats establish an HTTP connection to communicate with the control server. RoyalDNS, however, uses an alternative technique for communication: it relies on specially crafted DNS requests to retrieve commands from the server. This also means that the RoyalDNS backdoor’s capability to cause serious damage is very limited, which is why it is used mainly as an espionage tool.
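As an added example (not code from the original post or from any RoyalDNS analysis), the script below shows how a defender can spot the DNS-based command retrieval described above in DNS query logs. Commands fetched over DNS tend to appear as many distinct, long, high-entropy subdomains under one parent domain, often as TXT queries; the script scores each query on those properties and reports parent domains that accumulate enough suspicious names. The log line format, the thresholds and every domain name in the sample are constructed for the demonstration.

```python
"""Added example, not code from the original post: a detection heuristic
for the DNS-based command retrieval described above.

Commands fetched over DNS tend to show up as many unique, long,
high-entropy subdomains under a single parent domain, often as TXT
queries. The log format, thresholds and all domain names below are
constructed for the demonstration; thresholds must be calibrated against
your own baseline before use.
"""
import hashlib
import math
from collections import Counter, defaultdict

MIN_SUBDOMAIN_LEN = 24        # encoded characters left of the parent domain
MIN_ENTROPY = 3.5             # bits/char; encoded data sits near 4, words near 3
MIN_UNIQUE_SUBDOMAINS = 5     # distinct suspicious names before a domain is reported
TUNNEL_PRONE_TYPES = {"TXT", "NULL", "CNAME"}   # record types that carry arbitrary data


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character (0.0 for empty input)."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str) -> tuple[str, str]:
    """Split a query name into (encoded subdomain part, parent domain).
    Assumption: the parent domain is the last two labels; a real deployment
    should use the Public Suffix List instead."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return "".join(labels[:-2]), ".".join(labels[-2:])


def parse_line(line: str) -> tuple[str, str, str, str]:
    """Parse a constructed log line: '<timestamp> <client> <qtype> <qname>'."""
    timestamp, client, qtype, qname = line.split()
    return timestamp, client, qtype.upper(), qname


def score_query(qtype: str, qname: str) -> tuple[str, int]:
    """Return (parent_domain, score); 0 means nothing unusual, 3 is the maximum."""
    sub, parent = split_name(qname)
    score = 0
    if len(sub) >= MIN_SUBDOMAIN_LEN:
        score += 1
    if shannon_entropy(sub) >= MIN_ENTROPY:
        score += 1
    if qtype in TUNNEL_PRONE_TYPES:
        score += 1
    return parent, score


def find_tunnel_candidates(lines) -> dict[str, int]:
    """Return {parent_domain: number of distinct suspicious subdomains} for
    parent domains that look like DNS command channels."""
    suspicious = defaultdict(set)
    for line in lines:
        _, _, qtype, qname = parse_line(line)
        parent, score = score_query(qtype, qname)
        if score >= 2:
            suspicious[parent].add(split_name(qname)[0])
    return {d: len(s) for d, s in suspicious.items() if len(s) >= MIN_UNIQUE_SUBDOMAINS}


# Constructed sample: ordinary lookups plus eight TXT queries whose left-most
# label is 40 hex characters of encoded data under a reserved .test domain.
SAMPLE_LOG = [
    "2021-03-01T10:00:00Z 10.0.0.5 A www.example.com",
    "2021-03-01T10:00:01Z 10.0.0.5 A mail.example.com",
    "2021-03-01T10:00:02Z 10.0.0.5 TXT _dmarc.example.com",
] + [
    f"2021-03-01T10:01:{i:02d}Z 10.0.0.5 TXT "
    f"{hashlib.sha256(f'beacon{i}'.encode()).hexdigest()[:40]}.c2-example.test"
    for i in range(8)
]

if __name__ == "__main__":
    for domain, count in find_tunnel_candidates(SAMPLE_LOG).items():
        print(f"{domain}: {count} distinct suspicious subdomains")
```

The legitimate `_dmarc` TXT lookup scores only one point (record type) and is never counted, while the eight encoded TXT queries under `c2-example.test` each score at least two and together push the domain over the reporting threshold. Counting distinct subdomains per parent domain rather than raw query volume is what separates a command channel from a busy but benign CDN or mail domain, which repeats a small set of names.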

The Ke3chang APT is not likely to cease activity any time soon, and they tend to introduce upgrades to their hacking tools, which further weaponize them. You should make sure to download and install a legitimate anti-spyware software suite, which will keep your system and your data safe from predators like the Ke3chang hacking group.
