ESET discovers new malware project of the elusive Ke3chang APT group
Sydney, Australia – ESET researchers have discovered new versions of malware families linked to the elusive Ke3chang group, along with a previously unreported backdoor. ESET has been tracking the APT group, which is believed to be operating out of China, for several years.
The newly discovered backdoor, named Okrum by ESET, was first detected in late 2016 and throughout 2017. It was used to target diplomatic missions and governmental institutions in Belgium, Slovakia, Brazil, Chile and Guatemala. Furthermore, since 2015, ESET has continued to detect new versions of known malware families attributed to the Ke3chang group.
In research going back to 2015, ESET identified new suspicious activities in European countries. The group behind the attacks seemed to have particular interest in Slovakia, but Croatia, the Czech Republic and other countries were also affected. Analyzing the malware used in these attacks, ESET researchers found that it was linked to known malware families attributed to the Ke3chang group, and dubbed these new versions Ketrican.
In late 2016, the researchers discovered a new, previously unknown backdoor, which aimed for the same targets in Slovakia that were previously targeted by the Ketrican backdoors in 2015. The backdoor, which they dubbed Okrum, continued to be active throughout 2017.
“We started connecting the dots when we discovered that the Okrum backdoor was used to drop a Ketrican backdoor, compiled in 2017. On top of that, we found that some diplomatic entities that were affected by the Okrum malware and the 2015 Ketrican backdoors were also affected by 2017 Ketrican backdoors,” says Zuzana Hromcova, the ESET researcher who made the discoveries. “The group remains active in 2019 – in March, we detected a new Ketrican sample,” she remarked on the most recent activities of the notoriously elusive group.
The ESET investigation provides evidence attributing the newly discovered backdoor to the Ke3chang group. Besides the shared targets, Okrum has a modus operandi similar to that of previously documented Ke3chang malware. For example, Okrum is equipped only with basic backdoor commands and relies on manually typed shell commands and externally executed tools for most of its malicious activity, which is the standard modus operandi of the Ke3chang group across its previously investigated campaigns.
Despite the malware not being technically complex, we can certainly see that the malicious actors behind Okrum were trying to remain undetected. We have recorded several detection evasion techniques in the Okrum malware.
The payload itself is hidden in a PNG file. When the file is viewed in an image viewer, an innocuous-looking PNG image is displayed, but the Okrum loaders are able to locate an extra encrypted file that the user cannot see.
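As an added illustration for defenders (this is not ESET's code and not taken from the white paper), the following Python check walks a PNG's chunk structure and reports bytes that follow the IEND chunk, which is where a viewer stops reading; it assumes the hidden file is simply appended after the last chunk, which the press release does not confirm. The 1x1 image and the appended stand-in blob are constructed inline.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def build_chunk(ctype: bytes, data: bytes) -> bytes:
    """Assemble one PNG chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def inspect_png(blob: bytes) -> dict:
    """Walk the chunk list and report what a viewer would silently ignore:
    chunks whose CRC does not match, a truncated chunk, and bytes after IEND."""
    if not blob.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    chunks, bad_crc, truncated = [], [], False
    while pos + 12 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        end = pos + 12 + length
        if end > len(blob):
            truncated = True      # declared length runs past end of file
            break
        data = blob[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", blob[end - 4:end])
        name = ctype.decode("latin-1")
        chunks.append(name)
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            bad_crc.append(name)
        pos = end
        if ctype == b"IEND":
            break                 # image viewers stop reading here
    return {"chunks": chunks, "bad_crc": bad_crc,
            "truncated": truncated, "trailing": blob[pos:]}

# Constructed sample: a valid 1x1 greyscale PNG, then the same image with a
# stand-in "hidden file" appended after IEND (not real Okrum data).
IHDR = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
CLEAN_PNG = (PNG_SIG + build_chunk(b"IHDR", IHDR)
             + build_chunk(b"IDAT", zlib.compress(b"\x00\x00"))
             + build_chunk(b"IEND", b""))
STANDIN_BLOB = bytes(range(0x41, 0x61))   # 32 constructed bytes
SUSPECT_PNG = CLEAN_PNG + STANDIN_BLOB

if __name__ == "__main__":
    for label, png in (("clean", CLEAN_PNG), ("suspect", SUSPECT_PNG)):
        r = inspect_png(png)
        print(f"{label}: chunks={r['chunks']} bad_crc={r['bad_crc']} "
              f"trailing={len(r['trailing'])} bytes")
```

Trailing bytes are only a lead, not proof: some legitimate tools also append metadata after IEND, so the finding should be triaged alongside the loader that reads the file.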
Also, the operators of the malware tried to hide malicious traffic with its Command & Control server within regular network traffic by registering seemingly legitimate domain names. “For example, the samples used against Slovak targets communicated with a domain name mimicking a Slovak map portal,” says Hromcova.
Additionally, every few months, the authors actively changed the implementation of the Okrum loader and installer components to avoid detection. At the time of publication, ESET systems had detected seven different versions of the loader component and two versions of the installer, although the functionality remained the same.
For technical analysis and more details on the connections, read the white paper Okrum and Ketrican: An overview of recent Ke3chang group activity and the blog post Okrum: Ke3chang group targets diplomatic missions on WeLiveSecurity.com.
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint and mobile security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give consumers and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D centers worldwide, ESET has become the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003. For more information, visit www.eset.com or follow us on LinkedIn, Facebook and Twitter.
Sydney, Australia – Cases of cryptocurrency mining and cryptojacking will continue to grow in 2019, as attackers target smart devices and home assistants to build cryptomining farms, according to ESET’s latest trends report. Along with cryptomining, Cybersecurity Trends 2019: Privacy and intrusion in the global village details the predictions of top experts from the global cybersecurity firm, revealing the cybersecurity trends set to impact businesses in 2019.
Trend #1: Cryptomining continues to rise
Cryptocurrency mining beat ransomware in terms of media attention in the past year, and cryptojacking – the process by which a device is hijacked illegitimately – “shows no signs of slowing down”, according to ESET Senior Security Researcher David Harley.
Commenting on this trend, Harley said that, “We can also expect to see more coin-mining software attempting to remove competing coinminers on compromised systems in order to get a higher-calorie slice of the processing pie.”
An increase in the adoption of cryptocurrencies, as well as a rise in the number of devices connected to the internet, could also mean that smart devices and home assistants become the entry point for attackers to build cryptomining farms in 2019. Cyberattacks specifically designed to target IoT devices, such as automated scripts that exploit vulnerabilities in connected devices or processes designed to take control of them, will become more frequent.
Trend #2: Data privacy will make or break companies
In 2018, issues around data privacy and protection came sharply into focus following a number of high-profile cyberattacks, data leaks and privacy missteps, as well as the implementation of GDPR. ESET Senior Security Researchers Stephen Cobb and Lysa Myers commented that in light of incidents such as Cambridge Analytica, we are likely to see people searching for alternatives to the platforms such as Facebook that currently dominate. Given the importance of customer data to companies, individuals, and to cybercriminals, ESET argues that the ability to properly manage data privacy could decide which companies stay in business in 2019.
Trend #3: Attackers use automation to advance social engineering campaigns
ESET asserts that 2019 will see an increase in cybercriminals’ use of automation in attempts to collect more data so that they can launch more personalised and sophisticated social engineering campaigns.
Lysa Myers, ESET Senior Security Researcher, writes that, “While some phishing and other fraud attacks have certainly improved their ability to mimic legitimate sources, many are still painfully obvious fakes. Machine learning could help increase effectiveness in this area.”
Trend #4: A move towards a global privacy law?
Following the implementation of GDPR, ESET questions whether the EU legislation is the first step towards a global privacy law, particularly as similar models start to appear in California, Brazil, and Japan. Considering this, ESET warns against dismissing privacy rights and data protection as an EU anomaly. The pressure to protect customers’ data and ensure the privacy of sensitive information is a global issue and will certainly encourage a move towards GDPR-style privacy around the world.
For more on the trends set to impact the industry in 2019, read ESET’s Cybersecurity Trends 2019: The Cost of our Connected World.
The latest edition provides improved protection, faster installation and a new personalised security report.
Sydney, Australia – The latest versions of ESET NOD32 Antivirus, ESET Internet Security and ESET Smart Security Premium, that offer fortified multilayered protection, enhanced IoT protection, product referral and a new security report feature, have been released. Users can rely on the best balance of speed, detection and usability acknowledged by multiple testing bodies to protect their constantly-connected devices.
It is predicted that by 2025 there will be over 75 billion connected devices worldwide – from smart home devices to e-health gadgets – and this poses a real threat to cybersecurity. As more connected devices are introduced into everyday life, the amount of personal and sensitive data shared increases, as does the number of entry points into networks.
“Hackers will use this rise in the number of internet-connected devices to their advantage and users, therefore, cannot afford to neglect taking security measures. The addition of IoT protection to our home user product suite means our customers can be safe in the knowledge that their devices, and the home routers they connect to, are properly secured,” says Matej Krištofík, Product Manager at ESET.
Similar to previous years, to fight all these threats users can choose from ESET NOD32 Antivirus for basic protection, ESET Internet Security with additional layers of security on top of the basic anti-malware solution, and ESET Smart Security Premium for users seeking the most advanced protection and features on the market. This includes technologies such as password manager and banking protection.
Built on machine learning and three decades of knowledge – all ESET products run unnoticed in the background. The key offering provides users with comfortable and ultra-fast scanning without impacting the operating system or their experience.
“We built our products to provide an advantage over native Windows protection to show users how a multilayered approach to cybersecurity can battle the toughest of threats out there,” said Krištofík.
The latest version offers new features as well as improvements to existing ones including:
- Product recommendation (referral) – a new feature that gives all ESET users an option to recommend our product to family or friends. Trial users are rewarded – one friend referral equals one more month of protection for free
- Security report – provides users with an overview of what ESET’s solution has been actively detecting, blocking and mitigating in the background, while users’ computers run smoothly without any performance lag. Users can choose from five pre-set items based on user-given priorities and gain insight into other features such as secure data, password manager, anti-theft or parental control
- Improved installation – users save up to 40 per cent on the installation time based on the set up of the device. The installation of new ESET products will now only take a couple of seconds
- Connected home monitor – now allows users to test router-connected smart devices for vulnerabilities such as weak passwords and suggests possible fixes. It also allows users to scan for port vulnerabilities, known firmware vulnerabilities, malicious domains, weak or default router passwords and malware infections
- GDPR compliance – all ESET products are GDPR compliant.
ESET’s latest solutions are now available to the public. You can find out more by visiting the dedicated landing page.