Ke3chang (also known as APT15) is an Advanced Persistent Threat group that is believed to operate from China. Cybersecurity experts keeping track on Ke3chang's campaigns have noticed similarities in the infrastructure, payloads, and strategies used by this group and other China-based groups such as Mirage, Vixen Panda, GREF, Playful Dragon and RoyalAPT – it is possible that the Ke3chang actors may share information and members with the groups mentioned above.
Ke3chang Operates in Different Industries
The Ke3chang group's campaigns are targeted towards different sectors and regions – they have launched attacks against diplomatic missions, government institutions, and individuals, as well as acted against the oil, military and other industries. While some APT actors rely on abusing public tools and services for harmful purposes, the Ke3chang actors rely on custom-built malware almost exclusively – they are associated with the BS2005, Ketrican, Okrum, TidePool, and RoyalDNS malware families. One of the public tools that the Ke3chang actors use to dump credentials from their victims is Mimikatz.
Ke3chang Has Been Active for Nearly 10 Years
One of the first operations linked to Ke3chang dates back to 2010 when the group targeted government officials in Europe. At later stages, the group was involved in other high-profile attacks against diplomatic missions in South America and Europe. The group specializes in reconnaissance operations that serve several purposes:
- Provide attackers with access to critical infrastructure by helping them understand more details about the network configuration and potential attack vectors.
- Extract information (documents, login credentials, conversations, etc.).
- Use their escalated privileges on a compromised system to launch attacks against other computers on the same network.
Okrum is the most advanced piece of malware that the Ke3chang group has been observed to use. They use several methods to propagate it, the most impressive of which involves the use of steganography – the corrupted script used to drop the Okrum backdoor Trojan is loaded into a specially-crafted PNG image file.
Ke3chang's attacks usually aim to gain persistence on the remote system and enable the attackers to exfiltrate data for long periods. Their tools often pack keylogger modules and the ability to take screenshots, dump login credentials and enumerate files and folders. Ke3chang's tools also employ advanced anti-emulation and anti-debugging features that help them evade anti-virus engines and sandbox environments.
Use SpyHunter to Detect and Remove PC Threats
If you are concerned that malware or PC threats similar to Ke3chang may have infected your computer, we recommend you start an in-depth system scan with SpyHunter. SpyHunter is an advanced malware protection and remediation application that offers subscribers a comprehensive method for protecting PCs from malware, in addition to providing one-on-one technical support service.
Why can't I open any program including SpyHunter? You may have a malware file running in memory that kills any programs that you try to launch on your PC. Tip: Download SpyHunter from a clean computer, copy it to a USB thumb drive, DVD or CD, then install it on the infected PC and run SpyHunter's malware scanner.