Ke3chang APT group drops Okrum backdoor bomb on diplomatic targets

News by Davey Winder

New versions of malware families linked to the Ke3chang APT group, which operates out of China, are being used to target political figures in Eastern Europe and the Americas

New research reveals the latest tools and techniques used by a notorious Advanced Persistent Threat (APT) actor, the Ke3chang group, to target diplomats. SC Media UK has been wondering whether the enterprise should be worried about APTs as well.

Researchers from ESET have revealed new versions of malware families linked to the Ke3chang APT group that operates out of China, along with a previously unreported backdoor, being used to target political figures in both Eastern Europe and the Americas. 

The 'Overview of recent Ke3chang group activity' white paper confirms that ESET has been tracking the APT since 2015. It also reveals that the group has been using an updated version of its Ketrican malware along with a new backdoor called Okrum.

Zuzana Hromcova, the researcher at ESET who authored the report, says that "Okrum is not technically complex, but we can certainly see that the malicious actors behind it were trying to remain undetected by using tactics such as embedding the malicious payload within a legitimate PNG image, employing several anti-emulation and anti-sandbox tricks, as well as making frequent changes in implementation." Given that the likely motivation is a cyber-espionage one, this should come as no surprise. 

Nor should the fact that the malware does everything it can to avoid being run within a sandboxed environment, including requiring three mouse clicks before any payload is delivered and calling the GetTickCount function before and after a loop with 999,999,990 iterations of incrementing a value. "If the returned value doesn’t change between calls," Hromcova writes, "emulation or a sandbox is detected and the process terminates itself."
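To make the timing check and its defensive counterpart concrete, here is an added simulation (not ESET's analysis code and not code from the malware) that runs the same before/after comparison against three clock sources: the host clock, a naive emulator whose tick counter never moves, and a sandbox clock that advances on every read, which is the mitigation an analysis environment needs. The loop size is an assumption scaled down from the reported 999,999,990 iterations so the script finishes quickly.

```python
"""Simulate a GetTickCount-style anti-emulation check against several clocks.
Added illustration; the iteration count is an assumption, not the sample's."""
import time
from typing import Callable, Dict

ITERATIONS = 1_000_000  # assumption: far fewer than the reported 999,999,990


def tick_check(get_tick: Callable[[], int], iterations: int = ITERATIONS) -> bool:
    """Return True when the clock did not advance across the busy loop,
    i.e. the sample would conclude it is being emulated and terminate."""
    before = get_tick()
    counter = 0
    for _ in range(iterations):
        counter += 1          # the busy work the check is built around
    after = get_tick()
    return after == before


def host_tick_ns() -> int:
    """Host monotonic clock; plays the role GetTickCount plays on Windows."""
    return time.monotonic_ns()


class FrozenClock:
    """Naive emulator whose tick counter never moves: trips the check."""
    def __call__(self) -> int:
        return 123456


class SteppingClock:
    """Sandbox mitigation: every read advances the counter, so a sample
    that loops between two reads sees time pass even under emulation."""
    def __init__(self, start: int = 123456, step_ms: int = 16) -> None:
        self.value, self.step_ms = start, step_ms

    def __call__(self) -> int:
        self.value += self.step_ms
        return self.value


def run_scenarios() -> Dict[str, bool]:
    """Map each clock source to whether the check flags a sandbox."""
    return {
        "host": tick_check(host_tick_ns),
        "frozen_emulator": tick_check(FrozenClock()),
        "stepping_sandbox": tick_check(SteppingClock()),
    }


if __name__ == "__main__":
    for name, detected in run_scenarios().items():
        print(f"{name:18s} sandbox detected: {detected}")
```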

Okrum has been seen in use targeting diplomatic missions in Slovakia, Belgium, Chile, Guatemala, and Brazil, with the attackers "showing a particular interest in Slovakia" according to ESET.

"The Okrum backdoor is a dynamic-link library that is installed and loaded by two earlier-stage components. During our investigation, the implementation of these two components was being changed frequently. Every few months, the authors actively changed implementation of the Okrum loader and installer components to avoid detection," Hromcova writes in a blog about her research. "ESET systems have detected seven different versions of the loader component and two versions of the installer, although the functionality remained the same."

All of which is very interesting, and equally worrying if you are a diplomat outside of China. But what threat do these kinds of Advanced Persistent Threat groups pose to the average enterprise? Has the term APT just become a vendor-driven buzzword bingo high scorer that actually translates into FUD most of the time?

SC Media UK put that proposition to Ed Williams, director EMEA of SpiderLabs at Trustwave. "When thinking about the term APT we should be considering how this term helps the defenders," Williams says. That makes the APT threat, according to Williams, absolutely relevant to all enterprises and not just government bodies. "When looking to increase an organisation's maturity," he explains, "the initial goal should be to remove any low hanging fruit, and really make an attacker’s job as difficult as possible."

Justin Warner, director of Gigamon Applied Threat Research, told SC Media UK that "within Gigamon ATR, we have seen persistent threats unpredictably target and compromise organisations, sometimes just using them as a means of obfuscation to their real target." That the objectives or intent of an adversary are often less predictable than they seem makes threat modelling all the more important, according to Warner. "With that said," he concludes, "the reaction from the security industry in regards to the term is valid as the phrase itself has become commoditised and hyped for marketing purposes; the devil is in the details."

We will leave the last word to Dave Klein, senior director of engineering and architecture at Guardicore, who prefers the phrase "wildly abused," referring primarily to a confused focus on the "advanced" part of the APT acronym. Klein doubts that attackers, whether state-espionage or industrial-espionage oriented or simply criminals, will use their top-notch tools when old, tried-and-trusted methods still work off the shelf. "The core success of any targeted attack is in fact persistence and willingness to use any tools to get the job done," Klein continues, adding "the average enterprise is at risk from a very long list of threats, few of them advanced."
