New Okrum Malware Used by Ke3chang Group to Target Diplomats (Jul 18, 2019)
ESET researchers, while monitoring the Chinese Advanced Persistent Threat (APT) group Ke3chang between 2015 and 2019, discovered updated malware implants and a new backdoor named "Okrum." The cyberespionage activities of Ke3chang (also known as APT15) span almost a decade, going back as far as 2010, according to FireEye researchers. The group's primary targets are entities in the oil industry, the military, and government contracting, as well as European diplomatic missions and organizations. As of this writing, the initial infection vector for Okrum is unknown. After being dropped on a target's computer, the Okrum implant can gain admin rights by calling the ImpersonateLoggedOnUser API, and it then collects computer information such as the build number, computer name, host IP address, OS version, primary DNS suffix value, and user name. Once inside the system, the Ke3chang actors use and abuse a wide variety of other tools to achieve their goals, ranging from password dumpers and network session enumerators to keyloggers.
Recommendation: Defense in depth (layering of security mechanisms, redundancy, and fail-safe defense processes) is the best way to ensure safety from APTs, with a focus on both network-based and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of phishing and how to identify such attempts.
Indicators of Compromise (IOCs) associated with this story are available to ThreatStream users to identify potential malicious activity.