Threat Watch

Chinese APT Creates Ketrum Malware

Ke3chang (China): Researchers from Intezer linked newly found samples of malware, dubbed Ketrum, to the Chinese Advanced Persistent Threat (APT) group Ke3chang (also known as APT15) after noticing that some of the code used to build the Ketrum backdoor is reused from both the older Ketrican and Okrum backdoors. The analyzed samples showed that the threat actors have not deviated from the tactics, techniques, and procedures they were using when first discovered in 2010. The new backdoor follows the same principles as the old ones, supplying the attackers with the same simple feature set: the ability to take control of a targeted device, connect it to a remote server, and manually carry out the remaining steps of the operation. The malware was connecting to a Chinese-based Command and Control (C2) server that ceased operation in mid-May, when the first samples of Ketrum were discovered. Two separate variants of Ketrum were analyzed; both relied on low-level implementation and system APIs, but the two variants differed in which APIs they used.


Ke3chang has been able to evade detection on many of their backdoors by continually switching around basic functions, which has been working for the group for years. The threat actor is responsible for multiple backdoors since their original discovery. The group’s operations target a wide range of military and oil entities, government contractors, and European diplomatic missions and organizations. Since the group likes to morph their code often, detecting these backdoors can be hard for defenders who do not have the right security precautions in place. Utilizing a product like Binary Defenses Managed Detection and Response (MDR) can assist with monitoring networks and devices throughout organizations, finding attacks quickly through analysis of unusual behavior, and alerting to any intrusion.