Home Malware Programs Backdoors Ketrum Backdoor

Ketrum Backdoor

Posted: May 27, 2020

Ketrican and Okrum are two of the most frequently used backdoors by Ke3chang, a state-sponsored threat actors believed to operate from China. The Ke3chang Advanced Persistent Threat (APT) group is related to several high-profile attacks against diplomatic missions, government entities and various organizations worldwide. It would seem that the Chinese hackers have opted to use the already available resources to craft a new backdoor that combines the best features of Okrum and Ketrican, thus creating Ketrum.

Just like other tools used by Ke3chang, the Ketrum Backdoor also is kept as minimalistic as possible – in fact, some versions of the malware appear to have some of their features removed to keep it smaller and less noisy. The first versions of Ketrum were detected in January 2020, and they were connected to a control server based in China – however, the server appears to be offline now.

The Ketrum Backdoor Takes the Best from Ketrican and Okrum

The base features of the Ketrum Backdoor allow it to:

  • Execute remote commands.
  • Abuse the Windows PowerShell utility.
  • Upload and execute files.
  • Download files from the Internet.
  • Initialize a 'sleep mode' that suspends the backdoor's activity for a period.

Surprisingly, the Ketrum Backdoor is missing one of the signature features of Ke3chang malware – it cannot take snapshots of the infected system. Just like in previous Ke3chang attacks, the Ketrum Backdoor also is being spread with the assistance of phishing emails that contain fraudulent attachments.

Loading...