
Ketrican

Posted: July 19, 2019

Ketrican is a backdoor Trojan that can conduct attacks against your PC according to commands from its remote administrator. This Trojan is a tool of the Ke3chang APT, and infections are most likely to occur in government and diplomatic networks. Admins should maintain the usual safety protocols, and all users should have anti-malware services available for removing Ketrican or detecting any installation attempts.

Following the Ketrican Monitoring Timeline

Although the BS2005 backdoor Trojans that the Ke3chang APT previously preferred are seeing fewer deployments, this decline only makes way for replacement Trojans in the threat actor's kit. Ketrican is the most likely, immediate successor: it shares various elements with BS2005 and continues the focus on backdoor attacks with an increasing emphasis on evading older detection measures. Like the other Trojans in use by Ke3chang, its presence corresponds with attempted monitoring of the target directly through software, usually against diplomatic entities.

Malware researchers trace the first definitive appearance of Ketrican back to 2015, and it remains in live deployment as of 2019. New versions of Ketrican appear semi-regularly, without extreme changes to the payload but with subtle internal improvements. Even its infection vectors vary: some, but far from all, versions of Ketrican are installed by another backdoor Trojan, named Okrum.

All versions of Ketrican carry anti-emulation features, accept shell commands for downloading files or changing system settings, and hide their network traffic behind disguises such as hijacking an Internet Explorer process. Furthermore, a 2018 version of Ketrican includes a DLL-loading feature that is not present in the old builds and can modify the Windows Registry to weaken security settings. Lastly, a current-year (2019) release of Ketrican uses a less 'noisy' CMD implementation than its predecessors: it keeps command execution within a single process instead of spawning a new one for each command.
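The per-command cmd.exe spawning of the older builds is the kind of behaviour that stands out in process-creation telemetry (Sysmon Event ID 1, EDR process trees). The following hunting heuristic is an added example written for this page; it is not code from ESET or from the malware. It runs over constructed records in a simplified '|'-separated layout (not real Sysmon output), and the parent 'svc.exe' with PID 4100 is a hypothetical stand-in for an implant, not a real Ketrican indicator.

```python
"""Heuristic: flag a parent process that spawns cmd.exe repeatedly in a short window.

Older Ketrican builds ran each operator command in a fresh cmd.exe child, so one
parent producing a burst of cmd.exe children is a useful hunt signal. All data
below is constructed for this example; the '|'-separated layout is a stand-in
for Sysmon Event ID 1 fields and 'svc.exe' is a hypothetical implant name.
"""
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

# Constructed telemetry: ts|EventID|ParentImage|ParentProcessId|Image|ProcessId|CommandLine
SAMPLE_EVENTS = """\
2019-07-18T10:00:01Z|1|C:\\Windows\\explorer.exe|1200|C:\\Windows\\System32\\cmd.exe|2300|cmd.exe
2019-07-18T10:00:05Z|1|C:\\Users\\u\\AppData\\Roaming\\svc.exe|4100|C:\\Windows\\System32\\cmd.exe|4101|cmd.exe /c whoami
2019-07-18T10:00:09Z|1|C:\\Users\\u\\AppData\\Roaming\\svc.exe|4100|C:\\Windows\\System32\\cmd.exe|4102|cmd.exe /c ipconfig /all
2019-07-18T10:00:14Z|1|C:\\Users\\u\\AppData\\Roaming\\svc.exe|4100|C:\\Windows\\System32\\cmd.exe|4103|cmd.exe /c net user
2019-07-18T10:00:20Z|1|C:\\Users\\u\\AppData\\Roaming\\svc.exe|4100|C:\\Windows\\System32\\cmd.exe|4104|cmd.exe /c tasklist
2019-07-18T10:01:00Z|1|C:\\Program Files\\Updater\\updater.exe|3000|C:\\Windows\\System32\\cmd.exe|3001|cmd.exe /c ver
2019-07-18T10:06:00Z|1|C:\\Program Files\\Updater\\updater.exe|3000|C:\\Windows\\System32\\cmd.exe|3002|cmd.exe /c ver
2019-07-18T10:11:00Z|1|C:\\Program Files\\Updater\\updater.exe|3000|C:\\Windows\\System32\\cmd.exe|3003|cmd.exe /c ver
2019-07-18T10:02:00Z|1|C:\\Windows\\explorer.exe|1200|C:\\Windows\\System32\\notepad.exe|2400|notepad.exe
"""

FIELDS = ["ts", "event_id", "parent_image", "parent_pid", "image", "pid", "cmdline"]


def parse_events(text):
    """Parse the constructed '|'-separated records into dicts with datetime timestamps."""
    reader = csv.DictReader(StringIO(text), fieldnames=FIELDS, delimiter="|")
    events = []
    for row in reader:
        row["ts"] = datetime.strptime(row["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(row)
    return events


def detect_cmd_bursts(events, threshold=3, window_seconds=60):
    """Return (parent_image, parent_pid, max_cmd_children_in_window) for every parent
    that spawned at least `threshold` cmd.exe children inside some `window_seconds` span."""
    spawns = defaultdict(list)
    for ev in events:
        if ev["event_id"] != "1":
            continue  # only process-creation records matter here
        if ev["image"].lower().rsplit("\\", 1)[-1] != "cmd.exe":
            continue  # other children (notepad.exe etc.) are not part of this pattern
        spawns[(ev["parent_image"], ev["parent_pid"])].append(ev["ts"])

    alerts = []
    for (parent_image, parent_pid), times in spawns.items():
        times.sort()
        best = 0
        start = 0
        for end in range(len(times)):
            # slide the left edge until the window fits within window_seconds
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append((parent_image, parent_pid, best))
    return alerts


if __name__ == "__main__":
    for parent, pid, n in detect_cmd_bursts(parse_events(SAMPLE_EVENTS)):
        print(f"ALERT: {parent} (pid {pid}) spawned {n} cmd.exe children within 60s")
```

In the sample, only the hypothetical svc.exe parent trips the default threshold (four cmd.exe children in 15 seconds); updater.exe also runs cmd.exe three times, but five minutes apart, which is why the window matters. The caveat follows from the page itself: the 2019 build keeps command execution inside a single process, so this heuristic alone misses it and should be paired with command-line, network and registry telemetry.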

Slamming Shut Your Network's Open Door

Many of the changes the cyber-security industry notes over Ketrican's lifespan are technical ones, such as swapping its internal encryption algorithm or sharing commands and C&C-contacting methodology with BS2005 campaigns. For the victims of its attacks, the overall conclusion is that Ketrican is well-maintained and routinely updated to maximize its potential for letting an attacker into a network to monitor and control it. Although malware researchers don't have hard information on all of its infection strategies, it's apparent that Ketrican rarely operates 'solo.'

Network administrators should keep software updated to minimize any exploitable vulnerabilities. Shared, weak, or default login credentials also invite brute-force attacks that could result in Ketrican's delivery to the target. Lastly, all employees should be able to recognize phishing attacks through e-mail or other means, which may carry harmful attachments and links.

Since Ketrican is a high-level threat with significant investment in its stealth features, users shouldn't expect symptoms or visible attacks. Anti-malware programs may delete Ketrican or block its delivery methods, and appropriate firewall policies may hinder its C&C communications.

For those interested in learning more, researchers at ESET provide in-depth resources on Ketrican's chronology of deployment and its evolution over the years. Thankfully, the average Windows owner isn't a subject of sufficient interest to invite an attack from the Ke3chang APT.
