Operation Ke3chang, the advanced persistent threat (APT) that in 2013 was discovered targeting Europe-based Ministries of Foreign Affairs, not only apparently remains active but also seems to be leveraging a new family of malware called TidePool.
Palo Alto Networks reported yesterday that researchers within its Unit 42 research team recently uncovered a malware-based cyberespionage campaign launched against Indian embassies, worldwide. Victims are infected via spoofed phishing emails containing attachments of TidePool, a malicious program featuring a code base and certain behaviors that largely overlap with Ke3chang's previous malware of choice, a program called BS2005.
According to Unit 42, TidePool is a remote access trojan (RAT) that allows attackers to read, write and delete files, as well as silently run commands. The malware opens by default in Microsoft Word and exploits a Microsoft Office vulnerability that allows remote attackers to execute code via crafted EPS (Encapsulated PostScript) images. Like BS2005, malware appears to be Chinese in origin.
