ESET researchers have linked the Ke3chang APT group to the newly discovered Okrum backdoor, showing that the group is still active and continues to improve its code.
Researchers have since discovered new versions of malware families linked to the Ke3chang group, which they believe operates out of China. Over time, the Ketrican, Okrum and RoyalDNS backdoors have all been attributed to the group.
The Okrum backdoor was first detected in December 2016 and has targeted diplomatic missions in Slovakia, Belgium, Chile, Guatemala, and Brazil throughout 2017, according to a July 18 blog post.
“Our analysis of the links between previously documented Ke3chang malware and the newly discovered Okrum backdoor lets us claim with high confidence that Okrum is operated by the Ke3chang group,” researchers wrote. “Having documented Ke3chang group activity from 2015 to 2019, we conclude that the group continues to be active and works on improving its code over time.”
Researchers linked Okrum to Ketrican because Okrum was used to drop a Ketrican backdoor compiled in 2017. The Okrum backdoor itself is a dynamic-link library that is installed and loaded by two earlier-stage components; the DLL payload is hidden inside a PNG file.
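The article says only that the backdoor DLL is hidden in a PNG file and does not describe how. The following is an added example (not ESET's analysis and not the article's content) of a structural triage check a defender might run over image files dropped alongside a suspect loader. It assumes two common carrier tricks: a private, non-standard chunk holding the payload, and raw data appended after the IEND chunk. The `make_png` helper, the `daTa` chunk name, the `LARGE_CHUNK` threshold and `SAMPLE_PAYLOAD` are all constructed for the demonstration.

```python
"""Structural check for PNG files that may be carrying a hidden payload.

Added example, not code from ESET or from the article. The article says only
that the Okrum DLL is "hidden in a PNG file"; the two hiding techniques checked
here (a private chunk and data appended after IEND) are assumptions about how
such a carrier might look, not a description of Okrum's actual format.
"""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Chunk types defined by the PNG specification and its registered extensions.
STANDARD_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP",
    b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs",
    b"sPLT", b"tIME", b"eXIf", b"acTL", b"fcTL", b"fdAT",
}
LARGE_CHUNK = 4096  # assumed threshold for "too big to be metadata"; tune it

# Constructed stand-in for an embedded executable (8192 bytes, starts with MZ).
SAMPLE_PAYLOAD = b"MZ" + b"\x90" * 8190


def _crc(ctype: bytes, data: bytes) -> bytes:
    return struct.pack(">I", zlib.crc32(ctype + data) & 0xFFFFFFFF)


def make_chunk(ctype: bytes, data: bytes) -> bytes:
    """Build one PNG chunk: length, type, data, CRC over type+data."""
    return struct.pack(">I", len(data)) + ctype + data + _crc(ctype, data)


def make_png(width: int = 1, height: int = 1, extra_chunks=(),
             trailing: bytes = b"") -> bytes:
    """Construct a valid 8-bit RGB PNG (constructed test input only), optionally
    with extra chunks inserted before IDAT and/or bytes appended after IEND."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    # Each scanline: filter byte 0 followed by `width` black RGB pixels.
    raw = b"".join(b"\x00" + b"\x00\x00\x00" * width for _ in range(height))
    png = PNG_SIGNATURE + make_chunk(b"IHDR", ihdr)
    for ctype, data in extra_chunks:
        png += make_chunk(ctype, data)
    png += make_chunk(b"IDAT", zlib.compress(raw)) + make_chunk(b"IEND", b"")
    return png + trailing


def inspect_png(blob: bytes) -> dict:
    """Walk the chunk list and report structural anomalies."""
    if not blob.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    findings = {"nonstandard_chunks": [], "bad_crc": [],
                "trailing_bytes": 0, "truncated": False}
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        data = blob[pos + 8:pos + 8 + length]
        crc = blob[pos + 8 + length:pos + 12 + length]
        if len(data) != length or len(crc) != 4:
            findings["truncated"] = True
            break
        name = ctype.decode("latin-1")
        if crc != _crc(ctype, data):
            findings["bad_crc"].append(name)
        if ctype not in STANDARD_CHUNKS:
            findings["nonstandard_chunks"].append((name, length))
        pos += 12 + length
        if ctype == b"IEND":
            # Anything after IEND is not part of the image.
            findings["trailing_bytes"] = len(blob) - pos
            break
    else:
        findings["truncated"] = True  # ran out of bytes before IEND
    findings["suspicious"] = bool(
        findings["trailing_bytes"] or findings["bad_crc"]
        or any(n >= LARGE_CHUNK for _, n in findings["nonstandard_chunks"])
    )
    return findings


if __name__ == "__main__":
    samples = [
        ("clean", make_png()),
        ("private chunk", make_png(extra_chunks=[(b"daTa", SAMPLE_PAYLOAD)])),
        ("appended", make_png(trailing=SAMPLE_PAYLOAD)),
    ]
    for label, png in samples:
        print(label, inspect_png(png))
```

The check is deliberately structural: it does not look for an `MZ` header because a loader-extracted payload is typically encrypted, and it will miss a payload encoded into legitimate IDAT pixel data, which needs entropy or image-statistics analysis. Treat a hit as a reason to look at whatever process opened the file, not as a verdict on its own.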
In addition, Okrum has a modus operandi similar to that of the other Ke3chang malware and is equipped with only a basic set of backdoor commands. For most of its malicious activity, its operators rely on manually typed shell commands and on executing external tools rather than on built-in functionality.
All three backdoors target the same type of organizations, and some of the entities affected by Okrum were also targeted with one or more of the Ketrican and RoyalDNS backdoors.