Ke3chang APT group linked to Okrum backdoor | SC Media

ESET researchers linked the Ke3chang APT group to the newly discovered Okrum backdoor showing the group is still active and improving its code.


Researchers have since discovered new versions of malware families linked to the Ke3chang group and believe the group is operating out of China. Over time, the Ketrican, Okrum and RoyalDNS backdoors have all been linked to the threat group.


The Okrum backdoor was first detected in December 2016 and has targeted diplomatic missions in Slovakia, Belgium, Chile, Guatemala, and Brazil throughout 2017, according to a July 18 blog post.


“Our analysis of the links between previously documented Ke3chang malware and the newly discovered Okrum backdoor lets us claim with high confidence that Okrum is operated by the Ke3chang group,” researchers wrote. “Having documented Ke3chang group activity from 2015 to 2019, we conclude that the group continues to be active and works on improving its code over time.”


Researchers said Okrum is linked to the Ketrican backdoors, having been used to drop a Ketrican backdoor compiled in 2017. The Okrum backdoor is a dynamic-link library that is installed and loaded by two earlier-stage components ..
