ESET researchers linked the Ke3chang APT group to the newly discovered Okrum backdoor showing the group is still active and improving its code.
Researchers have since discovered new versions of malware families
linked to the Ke3chang group and believe the group is operating out of
China. Over time, the Ketrican, Okrum and RoyalDNS backdoors have all
been linked to the threat group.
The Okrum backdoor was first detected in December 2016 and has
targeted diplomatic missions in Slovakia, Belgium, Chile, Guatemala, and
Brazil throughout 2017, according to a July 18 blog post.
“Our analysis of the links between previously documented Ke3chang
malware and the newly discovered Okrum backdoor lets us claim with high
confidence that Okrum is operated by the Ke3chang group,” researchers
wrote. “Having documented Ke3chang group activity from 2015 to 2019, we
conclude that the group continues to be active and works on improving
its code over time.”
Researchers said Okrum is linked to Ketrican because an Okrum sample
was used to drop a Ketrican backdoor compiled in 2017. The Okrum backdoor
is a dynamic-link library that is installed and loaded by two
earlier-stage components; the DLL payload itself is hidden in a PNG file.
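The article notes that the Okrum payload is hidden in a PNG file but does not say how. The Python triage script below is an added example, not ESET's code or anything from the report: it parses the PNG chunk structure and flags the two most common ways a payload is tucked into an otherwise valid image, namely bytes appended after the IEND chunk and chunk types outside the PNG specification, and it verifies each chunk's CRC. Whether Okrum uses either of these methods is an assumption here; the sample images are constructed inline so the script runs offline.

```python
"""Triage PNG files for data that a normal image viewer would never show."""
import struct
import sys
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Chunk types defined by the PNG specification; anything else is worth a look.
STANDARD_CHUNKS = {
    "IHDR", "PLTE", "IDAT", "IEND", "tRNS", "cHRM", "gAMA", "iCCP", "sBIT",
    "sRGB", "tEXt", "zTXt", "iTXt", "bKGD", "hIST", "pHYs", "sPLT", "tIME",
}


def parse_png(data):
    """Walk the chunk list; return (chunks, bytes_after_IEND)."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    chunks = []
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        ctype = ctype.decode("latin-1")
        body = data[pos + 8:pos + 8 + length]
        crc_off = pos + 8 + length
        if crc_off + 4 > len(data):
            raise ValueError("truncated chunk %s" % ctype)
        (stored_crc,) = struct.unpack(">I", data[crc_off:crc_off + 4])
        # The CRC covers the type code and the body, not the length field.
        crc_ok = (zlib.crc32(ctype.encode("latin-1") + body) & 0xFFFFFFFF) == stored_crc
        chunks.append({"type": ctype, "length": length, "crc_ok": crc_ok})
        pos = crc_off + 4
        if ctype == "IEND":
            break  # a well-formed file ends here; anything after is suspect
    return chunks, data[pos:]


def find_anomalies(data):
    """Return human-readable findings; an empty list means nothing odd."""
    chunks, trailing = parse_png(data)
    findings = []
    if trailing:
        findings.append("%d bytes after IEND" % len(trailing))
    for c in chunks:
        if c["type"] not in STANDARD_CHUNKS:
            findings.append("non-standard chunk %s (%d bytes)" % (c["type"], c["length"]))
        if not c["crc_ok"]:
            findings.append("bad CRC on %s" % c["type"])
    return findings


# --- constructed sample images (not real Okrum artefacts) -------------------

def _chunk(ctype, body):
    return (struct.pack(">I", len(body)) + ctype + body
            + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF))


def build_png(extra_chunks=(), trailing=b""):
    """Build a valid 1x1 RGB PNG, optionally with extra chunks or trailing data."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit RGB
    idat = zlib.compress(b"\x00" + b"\x00\x00\x00")     # filter byte + one pixel
    png = PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat)
    for ctype, body in extra_chunks:
        png += _chunk(ctype, body)
    return png + _chunk(b"IEND", b"") + trailing


CLEAN_PNG = build_png()
# Constructed: 64 filler bytes appended after IEND, as a loader might locate.
APPENDED_PNG = build_png(trailing=b"A" * 64)
# Constructed: a private chunk type carrying 32 bytes a viewer silently ignores.
CHUNK_PNG = build_png(extra_chunks=[(b"pyLd", b"\x00" * 32)])


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            hits = find_anomalies(fh.read())
        print(path, "->", "; ".join(hits) if hits else "clean")
```

Run it as `python png_triage.py image1.png image2.png`; a clean file prints nothing unusual, while appended data, non-standard chunks or CRC mismatches are listed per file. The CRC check matters because an actor who patches a payload into an existing chunk without recomputing the checksum leaves exactly this kind of trace.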
In addition, Okrum has a similar modus operandi to the Ke3chang
malware and is equipped with a basic set of backdoor commands. The
malware relies on its operators manually typing shell commands and
executing external tools for most of its malicious activity.
All three backdoors target the same type of organizations, and some of the entities affected by Okrum were also targeted with one or more of the Ketrican and RoyalDNS backdoors.