Ke3chang (China): Researchers from Intezer attributed newly found malware samples, dubbed Ketrum, to the Chinese Advanced Persistent Threat (APT) group Ke3chang (also known as APT15), after observing that parts of the code used to build the Ketrum backdoor were reused from the group's older Ketrican and Okrum backdoors. The analyzed samples showed that the threat actors have not deviated from the tactics, techniques, and procedures (TTPs) they have used since they were first discovered in 2010. The new backdoor follows the same principles as its predecessors, offering the attackers the same minimal feature set: take control of a targeted device, connect it back to a remote server, and carry out the remaining steps of the operation manually. The malware was connecting to a China-based Command and Control (C2) server, which went offline in mid-May, around the time the first Ketrum samples were discovered. Two separate variants of Ketrum were analyzed; both relied on low-level implementations and direct use of system APIs, but the two versions differed in which APIs they called.
12 Essentials for a Successful SOC Partnership
As cyber threats continue to impact businesses of all sizes, the need for round-the-clock security