Changing of the TidePool: Operation Ke3chang malware evolves as APT threat reappears

Operation Ke3chang, the APT that was discovered targeting Europe-based Ministries of Foreign Affairs, not only apparently remains active but also seems to be leveraging a new family of malware called TidePool.

Palo Alto Networks reported Sunday that researchers within its Unit 42 research team recently uncovered a malware-based cyber-espionage campaign launched against Indian embassies worldwide. Victims are infected via spoofed phishing emails carrying TidePool as an attachment, a malicious programme whose code base and certain behaviours largely overlap with Ke3chang's previous malware of choice, a programme called BS2005.

According to Unit 42, TidePool is a remote access trojan (RAT) that allows attackers to read, write and delete files, as well as silently run commands. The malicious attachment opens by default in Microsoft Word and exploits a Microsoft Office vulnerability that allows remote attackers to execute code via crafted EPS (Encapsulated PostScript) images. Like BS2005, the malware appears to be Chinese in origin.
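Because the delivery vector described above is an Office document carrying a crafted EPS image, a useful triage step for mail-gateway or incident-response tooling is to flag EPS content inside Office attachments before they reach Word. The following added example (not code from Unit 42 or the article) assumes the attachment is an OOXML (.docx) archive and inspects media parts by content rather than by extension; the sample documents it checks are constructed inline.

```python
import io
import zipfile

# EPS files announce themselves with a DSC header ("%!PS-Adobe-...") or,
# for binary EPS with a preview, the DOS EPS magic bytes C5 D0 D3 C6.
EPS_DSC_PREFIX = b"%!PS-Adobe"
DOS_EPS_MAGIC = b"\xc5\xd0\xd3\xc6"
OFFICE_MEDIA_DIRS = ("word/media/", "xl/media/", "ppt/media/")


def looks_like_eps(data: bytes) -> bool:
    """Content-based check: never trust the extension stored in the archive."""
    head = data[:64].lstrip()  # tolerate leading whitespace before the DSC header
    return head.startswith(EPS_DSC_PREFIX) or data.startswith(DOS_EPS_MAGIC)


def find_embedded_eps(doc_bytes: bytes) -> list[str]:
    """Return the archive member names that carry EPS content in an OOXML document."""
    hits = []
    try:
        with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
            for name in zf.namelist():
                lower = name.lower()
                # Inspect media parts plus anything openly claiming an .eps extension
                if not (lower.startswith(OFFICE_MEDIA_DIRS) or lower.endswith(".eps")):
                    continue
                with zf.open(name) as part:
                    if looks_like_eps(part.read(4096)):  # header is enough to classify
                        hits.append(name)
    except zipfile.BadZipFile:
        return []  # not OOXML (legacy binary .doc is OLE2 and is not handled here)
    return hits


def build_sample_docx(media: dict[str, bytes]) -> bytes:
    """Constructed minimal .docx skeleton used only for this demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        for name, data in media.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: a benign document and one hiding EPS behind a .jpg name.
PNG_STUB = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
CLEAN_DOCX = build_sample_docx({"word/media/image1.png": PNG_STUB})
EPS_DOCX = build_sample_docx({
    "word/media/image1.png": PNG_STUB,
    "word/media/image2.jpg": b"%!PS-Adobe-3.0 EPSF-3.0\n%%BoundingBox: 0 0 10 10\n",
})
```

A hit does not prove exploitation, only that the document would hand EPS data to Office's image filter, which is reason enough to quarantine the attachment for analysis.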