
Ke3chang

Posted: October 24, 2019

Ke3chang or K3chang is a China-based threat actor that conducts espionage-related hackings. This group uses both custom Trojans, ones with backdoor and remote admin features primarily, and third-party utilities, such as spyware and Windows system tools. Business and government entities should maintain stringent network security and keep anti-malware services on hand for removing all threats related to Ke3chang's attacks.

The Countless Backdoors at One Organization's Beck and Call

What software a hacker uses in his or her attacks often comes down to the availability of personal resources. One of the differences between individuals as threat actors and state-sponsored (or equivalently well-funded) criminal entities is how deep this wellspring of threatening software goes. In Ke3chang's case, for instance, the group shows a deep-seated familiarity with an impressive variety of Trojans, spyware, and other applications.

Ke3chang is a threat actor with explicitly intelligence-gathering motives at the heart of its campaigns. Over the years, from 2015 onwards, it has targeted entities throughout the world, including diplomatic embassies, energy companies, and military networks in Europe, South America, and elsewhere. Although Ke3chang is highly stealth-oriented and malware researchers can't confirm all of the infection vectors at work, they do outline Ke3chang's consistent use of network traversal strategies and, in some instances, phishing attacks.

Philosophically, Ke3chang is a firm believer in redundancy and in rotating through a range of similarly-purposed programs for remote-control and data-collecting purposes. Some of the most notorious threats that it wields as custom tools include:

The last of these threats is a Remote Administration Trojan or RAT, while the others are backdoor Trojans. They provide command-based access to the infected system and, optionally, download other software.

However, malware researchers equally stress Ke3chang's willingness to deploy more generic tools afterward, such as the Mimikatz password collector, keyloggers, the Tasklist process displayer, and the Netstat connection analyzer, among others. Overall, the theme is one of compromising network-connected systems and exfiltrating information, including credentials and files.

Don't Let Your Guard Down after Repelling These Hackers

While less-disciplined threat actors might be dissuaded after the successful disinfection and resolution of one attempt at network invasion, Ke3chang's history implies a more determined mindset. The group routinely issues patches for its threats and will attempt to reinfect targets as necessary. In at least one case, the updated threat that it deployed included additional certificate-based authentication, using a certificate that the attacker had stolen from the victim in the first place.

Best practices for network administration are crucial parts of avoiding and mitigating Ke3chang infections and the associated theft of data. Malware researchers also recommend all employees have training in identifying possible phishing attempts, which may occur over e-mail or social messaging platforms. Most users will endanger themselves through interactions with corrupted documents or links.

Due to the group's emphasis on avoiding detection, the symptoms of any threats that Ke3chang deploys are minor. All users should depend on their anti-malware services or appropriate PC security experts for removing Ke3chang's RATs, spyware, and associated programs.

With four years of quietly thriving under its belt, Ke3chang is proving itself to be a long-term entity in the threat landscape. Whether one calls it Playful Vixen, Mirage, or APT15, it's a group that's defining its legacy as unwanted intelligence leaks from governments and infrastructural businesses worldwide.
