Ke3chang

Ke3chang is a threat group attributed to actors operating out of China. Ke3chang has targeted oil, government, diplomatic, and military organizations and NGOs in Central and South America, the Caribbean, Europe, and North America since at least 2010.[1][2][3][4]

ID: G0004
Associated Groups: APT15, Mirage, Vixen Panda, GREF, Playful Dragon, RoyalAPT, NICKEL, Nylon Typhoon
Contributors: Pooja Natarajan, NEC Corporation India; Manikantan Srinivasan, NEC Corporation India; Hiroki Nagahama, NEC Corporation
Version: 3.0
Created: 31 May 2017
Last Modified: 08 January 2024

Associated Group Descriptions

Name Description
APT15 [2]
Mirage [2]
Vixen Panda [2][3]
GREF [2]
Playful Dragon [2][3]
RoyalAPT [3]
NICKEL [4]
Nylon Typhoon [5]

Techniques Used

Domain ID Name Use
Enterprise T1213 .002 Data from Information Repositories: Sharepoint

Ke3chang used a SharePoint enumeration and data dumping tool known as spwebmember.[2]

Enterprise T1005 Data from Local System

Ke3chang gathered information and files from local directories for exfiltration.[1][4]

Enterprise T1036 .002 Masquerading: Right-to-Left Override

Ke3chang has used the right-to-left override character in spearphishing attachment names to trick targets into executing .scr and .exe files.[1]
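The right-to-left override trick described above is easy to miss by eye but simple to check for mechanically. The following Python is an added example, not code from the ATT&CK page or from any vendor report: it approximates how a name containing U+202E is displayed, compares the displayed extension with the real one, lists any bidi control characters present, and offers a sanitiser that strips them before a name is logged or shown. The attachment names are constructed samples, not real indicators.

```python
import os
import unicodedata

# Unicode RIGHT-TO-LEFT OVERRIDE: everything after it is drawn right-to-left.
RLO = "\u202e"
# Bidi embedding/override/isolate controls that can be abused the same way.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
    "\u2066", "\u2067", "\u2068", "\u2069",
}
# Extensions that Windows will execute directly when double-clicked.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}


def rendered_name(name: str) -> str:
    """Approximate what a user sees: the text after the first U+202E is
    rendered right-to-left, i.e. visually reversed. This is a simplification
    of the Unicode bidi algorithm that is adequate for ASCII filenames."""
    if RLO not in name:
        return name
    head, _, tail = name.partition(RLO)
    return head + tail[::-1]


def analyze_attachment(name: str) -> dict:
    """Return the real extension, the displayed form, the bidi controls found,
    and a verdict. A name is suspicious when it carries a bidi control and the
    real extension is executable or differs from the displayed one."""
    true_ext = os.path.splitext(name)[1].lower()
    shown = rendered_name(name)
    shown_ext = os.path.splitext(shown)[1].lower()
    controls = sorted(c for c in set(name) if c in BIDI_CONTROLS)
    suspicious = bool(controls) and (true_ext in EXECUTABLE_EXTS or true_ext != shown_ext)
    return {
        "name": name,
        "displayed_as": shown,
        "true_extension": true_ext,
        "displayed_extension": shown_ext,
        "bidi_controls": [f"U+{ord(c):04X}" for c in controls],
        "suspicious": suspicious,
    }


def sanitize_name(name: str) -> str:
    """Strip every format control character (Unicode category Cf), which
    covers the bidi controls, before a name is displayed or written to a log."""
    return "".join(c for c in name if unicodedata.category(c) != "Cf")


# Constructed sample attachment names (not real indicators).
SAMPLES = [
    "Quarterly_Report.docx",           # benign
    "Meeting_Notes\u202ecod.scr",      # displays as Meeting_Notesrcs.doc, is really .scr
    "Invoice\u202efdp.exe",            # displays as Invoiceexe.pdf, is really .exe
]

if __name__ == "__main__":
    for sample in SAMPLES:
        result = analyze_attachment(sample)
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{flag:10} shown={result['displayed_as']!r} "
              f"real_ext={result['true_extension']} "
              f"controls={result['bidi_controls']} "
              f"sanitized={sanitize_name(sample)!r}")
```

In a mail gateway or EDR enrichment pipeline the same check applies to any filename field; the verdict is deliberately based on the real extension plus the presence of a control character, so it still fires when the override is used to hide something other than a document-looking extension.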

.005 Masquerading: Match Legitimate Name or Location

Ke3chang has dropped their malware into legitimate installed software paths including: C:\ProgramFiles\Realtek\Audio\HDA\AERTSr.exe, C:\Program Files (x86)\Foxit Software\Foxit Reader\FoxitRdr64.exe, C:\Program Files (x86)\Adobe\Flash Player\AddIns\airappinstaller\airappinstall.exe, and C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd64.exe.[4]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

Ke3chang backdoor RoyalDNS established persistence through adding a service called Nwsapagent.[2]

Enterprise T1190 Exploit Public-Facing Application

Ke3chang has compromised networks by exploiting Internet-facing applications, including vulnerable Microsoft Exchange and SharePoint servers.[4]

Enterprise T1140 Deobfuscate/Decode Files or Information

Ke3chang has deobfuscated Base64-encoded shellcode strings prior to loading them.[4]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Several Ke3chang backdoors achieved persistence by adding a Run key.[2]

Enterprise T1059 Command and Scripting Interpreter

Malware used by Ke3chang can run commands on the command-line interface.[1][2]

.003 Command and Scripting Interpreter: Windows Command Shell

Ke3chang has used batch scripts in its malware to install persistence mechanisms.[2]

Enterprise T1133 External Remote Services

Ke3chang has gained access through VPNs including with compromised accounts and stolen VPN certificates.[2][4]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Ke3chang malware including RoyalCli and BS2005 have communicated over HTTP with the C2 server through Internet Explorer (IE) by using the COM interface IWebBrowser2.[2][4]

.004 Application Layer Protocol: DNS

Ke3chang malware RoyalDNS has used DNS for C2.[2]

Enterprise T1587 .001 Develop Capabilities: Malware

Ke3chang has developed custom malware that allowed them to maintain persistence on victim networks.[4]

Enterprise T1560 Archive Collected Data

The Ke3chang group has been known to compress data before exfiltration.[1]

.001 Archive Collected Data: Archive via Utility

Ke3chang is known to use 7Zip and RAR with passwords to encrypt data prior to exfiltration.[1][4]

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Ke3chang has dumped credentials, including by using Mimikatz.[1][2][4]

.002 OS Credential Dumping: Security Account Manager

Ke3chang has dumped credentials, including by using gsecdump.[1][2]

.003 OS Credential Dumping: NTDS

Ke3chang has used NTDSDump and other password dumping tools to gather credentials.[4]

.004 OS Credential Dumping: LSA Secrets

Ke3chang has dumped credentials, including by using gsecdump.[1][2]

Enterprise T1083 File and Directory Discovery

Ke3chang uses command-line interaction to search files and directories.[1][4]

Enterprise T1078 Valid Accounts

Ke3chang has used credential dumpers or stealers to obtain legitimate credentials, which they used to gain access to victim accounts.[4]

.004 Valid Accounts: Cloud Accounts

Ke3chang has used compromised credentials to sign into victims’ Microsoft 365 accounts.[4]

Enterprise T1069 .002 Permission Groups Discovery: Domain Groups

Ke3chang performs discovery of permission groups using net group /domain.[1]

Enterprise T1027 Obfuscated Files or Information

Ke3chang has used Base64-encoded shellcode strings.[4]

Enterprise T1114 .002 Email Collection: Remote Email Collection

Ke3chang has used compromised credentials and a .NET tool to dump data from Microsoft Exchange mailboxes.[2][4]

Enterprise T1558 .001 Steal or Forge Kerberos Tickets: Golden Ticket

Ke3chang has used Mimikatz to generate Kerberos golden tickets.[2]

Enterprise T1614 .001 System Location Discovery: System Language Discovery

Ke3chang has used implants to collect the system language ID of a compromised machine.[4]

Enterprise T1082 System Information Discovery

Ke3chang performs operating system information discovery using systeminfo and has used implants to identify the system language and computer name.[1][2][4]

Enterprise T1033 System Owner/User Discovery

Ke3chang has used implants capable of collecting the signed-in username.[4]

Enterprise T1569 .002 System Services: Service Execution

Ke3chang has used a tool known as RemoteExec (similar to PsExec) to remotely execute batch scripts and binaries.[2]

Enterprise T1007 System Service Discovery

Ke3chang performs service discovery using net start commands.[1]

Enterprise T1049 System Network Connections Discovery

Ke3chang performs local network connection discovery using netstat.[1][2]

Enterprise T1016 System Network Configuration Discovery

Ke3chang has performed local network configuration discovery using ipconfig.[1][2][4]

Enterprise T1119 Automated Collection

Ke3chang has performed frequent and scheduled data collection from victim networks.[4]

Enterprise T1020 Automated Exfiltration

Ke3chang has performed frequent and scheduled data exfiltration from compromised networks.[4]

Enterprise T1588 .002 Obtain Capabilities: Tool

Ke3chang has obtained and used tools such as Mimikatz.[2]

Enterprise T1087 .001 Account Discovery: Local Account

Ke3chang performs account discovery using commands such as net localgroup administrators and net group "REDACTED" /domain on specific permissions groups.[1]

.002 Account Discovery: Domain Account

Ke3chang performs account discovery using commands such as net localgroup administrators and net group "REDACTED" /domain on specific permissions groups.[1]

Enterprise T1105 Ingress Tool Transfer

Ke3chang has used tools to download files to compromised machines.[4]

Enterprise T1056 .001 Input Capture: Keylogging

Ke3chang has used keyloggers.[2][4]

Enterprise T1057 Process Discovery

Ke3chang performs process discovery using tasklist commands.[1][2]

Enterprise T1021 .002 Remote Services: SMB/Windows Admin Shares

Ke3chang actors have been known to copy files to the network shares of other computers to move laterally.[1][2]

Enterprise T1018 Remote System Discovery

Ke3chang has used network scanning and enumeration tools, including Ping.[2]

Enterprise T1041 Exfiltration Over C2 Channel

Ke3chang transferred compressed and encrypted RAR files containing data for exfiltration through the established backdoor command and control channel during operations.[1]

Software

ID Name References Techniques
S0100 ipconfig [1][2] System Network Configuration Discovery
S0002 Mimikatz [2][4] Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Windows Credential Manager, Rogue Domain Controller, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket, Boot or Logon Autostart Execution: Security Support Provider, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: LSA Secrets, Unsecured Credentials: Private Keys, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, Steal or Forge Authentication Certificates, Access Token Manipulation: SID-History Injection, Account Manipulation
S0280 MirageFox [3] Hijack Execution Flow: DLL Search Order Hijacking, Deobfuscate/Decode Files or Information, Command and Scripting Interpreter: Windows Command Shell, System Information Discovery, System Owner/User Discovery
S0691 Neoichor [4] Data from Local System, Modify Registry, Application Layer Protocol: Web Protocols, Indicator Removal, System Location Discovery: System Language Discovery, System Information Discovery, System Owner/User Discovery, System Network Configuration Discovery: Internet Connection Discovery, System Network Configuration Discovery, Ingress Tool Transfer, Inter-Process Communication: Component Object Model
S0039 Net [1][2] Create Account: Local Account, Create Account: Domain Account, Password Policy Discovery, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Indicator Removal: Network Share Connection Removal, System Time Discovery, System Services: Service Execution, System Service Discovery, System Network Connections Discovery, Network Share Discovery, Account Discovery: Domain Account, Account Discovery: Local Account, Account Manipulation: Additional Local or Domain Groups, Remote Services: SMB/Windows Admin Shares, Remote System Discovery
S0104 netstat [1][2] System Network Connections Discovery
S0439 Okrum [6] Proxy: External Proxy, Masquerading: Masquerade Task or Service, Create or Modify System Process: Windows Service, Encrypted Channel: Symmetric Cryptography, Deobfuscate/Decode Files or Information, Boot or Logon Autostart Execution: Shortcut Modification, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Application Layer Protocol: Web Protocols, Archive Collected Data: Archive via Utility, Archive Collected Data: Archive via Custom Method, OS Credential Dumping: Cached Domain Credentials, OS Credential Dumping: LSASS Memory, Data Obfuscation, Data Obfuscation: Protocol or Service Impersonation, Data Encoding: Standard Encoding, File and Directory Discovery, Obfuscated Files or Information: Steganography, Indicator Removal: File Deletion, System Information Discovery, System Owner/User Discovery, System Time Discovery, System Services: Service Execution, System Network Connections Discovery, System Network Configuration Discovery, Virtualization/Sandbox Evasion: System Checks, Virtualization/Sandbox Evasion: User Activity Based Checks, Virtualization/Sandbox Evasion: Time Based Evasion, Access Token Manipulation: Token Impersonation/Theft, Ingress Tool Transfer, Input Capture: Keylogging, Exfiltration Over C2 Channel, Hide Artifacts: Hidden Files and Directories, Scheduled Task/Job: Scheduled Task
S0097 Ping [2] Remote System Discovery
S0227 spwebmember [2] Data from Information Repositories: Sharepoint
S0096 Systeminfo [1][2] System Information Discovery
S0057 Tasklist [2] System Service Discovery, Software Discovery: Security Software Discovery, Process Discovery

References