The antivirus company ESET has discovered a previously undocumented variant of the Okrum backdoor.
Analysis of the samples suggests that it belongs to the arsenal of the Ke3chang hacker group (also known as APT15). Despite Okrum's technical simplicity, its operators manage to hide its presence: the malware loader is hidden inside a PNG file, and the additional encrypted files it relies on are not visible to the user. The operators also take steps to disguise the backdoor's communication with its C&C server.
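The article says only that the loader is hidden in a PNG file, not how. A first triage check an analyst would run on such a carrier is to walk the PNG chunk structure and flag anything a normal image does not need: data appended after the IEND chunk, chunk types outside the specification, or chunks whose CRC does not match. The example below is an added, generic illustration and is not ESET's analysis or the format Okrum actually uses; `make_png` builds a constructed 1x1 image as sample input, and the chunk-type list, function names and thresholds are the example's own assumptions.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

# Chunk types defined by the PNG specification (plus the APNG extension).
# Assumption of this example: anything outside this set is worth a look.
KNOWN_CHUNKS = {
    "IHDR", "PLTE", "IDAT", "IEND", "tRNS", "cHRM", "gAMA", "iCCP",
    "sBIT", "sRGB", "tEXt", "zTXt", "iTXt", "bKGD", "hIST", "pHYs",
    "sPLT", "tIME", "eXIf", "acTL", "fcTL", "fdAT",
}


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Encode one PNG chunk: big-endian length, type, data, CRC-32 over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_png(extra_chunks=(), trailer: bytes = b"") -> bytes:
    """Build a constructed 1x1 RGB PNG used as sample input (not a real malware sample).

    extra_chunks: iterable of (type, body) inserted between IHDR and IDAT.
    trailer: raw bytes appended after IEND, simulating a hidden payload.
    """
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")            # filter byte + one red pixel
    out = PNG_SIG + _chunk(b"IHDR", ihdr)
    for ctype, body in extra_chunks:
        out += _chunk(ctype, body)
    out += _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")
    return out + trailer


def scan_png(data: bytes):
    """Walk the chunk list and return a list of (kind, detail) findings.

    Kinds: not_png, truncated, bad_crc, unknown_chunk, no_iend, trailing_data.
    An empty list means the container looks like a plain, well-formed image.
    """
    findings = []
    if not data.startswith(PNG_SIG):
        return [("not_png", "missing PNG signature")]
    pos = len(PNG_SIG)
    saw_iend = False
    while pos + 8 <= len(data):
        length, ctype_raw = struct.unpack(">I4s", data[pos:pos + 8])
        ctype = ctype_raw.decode("latin-1")
        body_start = pos + 8
        body_end = body_start + length
        if body_end + 4 > len(data):
            findings.append(("truncated", f"{ctype} declares {length} bytes past end of file"))
            return findings
        body = data[body_start:body_end]
        (crc,) = struct.unpack(">I", data[body_end:body_end + 4])
        if zlib.crc32(ctype_raw + body) & 0xFFFFFFFF != crc:
            findings.append(("bad_crc", f"{ctype} at offset {pos}"))
        if ctype not in KNOWN_CHUNKS:
            findings.append(("unknown_chunk", f"{ctype} ({length} bytes) at offset {pos}"))
        pos = body_end + 4
        if ctype == "IEND":
            saw_iend = True
            break
    if not saw_iend:
        findings.append(("no_iend", "stream ends without IEND"))
    trailing = data[pos:]
    if trailing:
        detail = f"{len(trailing)} bytes after IEND"
        if trailing.startswith(b"MZ"):
            detail += " (starts with PE 'MZ' header)"
        findings.append(("trailing_data", detail))
    return findings


if __name__ == "__main__":
    # Constructed samples: a clean image, one with an appended payload, one with a private chunk.
    for label, sample in [
        ("clean", make_png()),
        ("appended", make_png(trailer=b"MZ" + b"\x90" * 64)),
        ("private chunk", make_png(extra_chunks=[(b"maLw", b"\x00" * 32)])),
    ]:
        print(label, scan_png(sample))
```

Two caveats apply. Private chunk types are permitted by the PNG specification, so an unknown chunk is a lead, not proof. More importantly, this check only inspects the container: a loader hidden inside the pixel data of an otherwise valid image (true steganography in IDAT) produces a file that passes every test above, and finding it requires decoding the image and examining the pixels themselves.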
"Some of the malicious samples used against Slovak companies were associated with a domain that imitated a Slovak cartographic portal," said ESET researcher Zuzana Hromcova.
Okrum was first detected in December 2016. During 2017, the backdoor was used in targeted attacks on diplomatic missions and government agencies in Slovakia, Belgium, Brazil, Chile and Guatemala.
At the same time, the attackers targeted organizations that had previously been hit by another malware family, Ketrican.
The Ketrican backdoor was first recorded in 2015, when ESET noticed suspicious activity in Slovakia, Croatia, the Czech Republic and a number of other countries. After analyzing the samples, the researchers concluded that they belong to the Ke3chang toolset. In subsequent years, ESET recorded new versions of this backdoor.
"We found out that the Okrum and Ketrican malware families were used in attacks on the same diplomatic agencies. The group is still active: in March 2019 we recorded another Ketrican sample," said ESET researcher Zuzana Hromcova.
The Ke3chang group has been active since at least 2010. Its goal is espionage against diplomatic organizations in Europe.