1. Home
  2. Groups
  3. Ke3chang

Ke3chang

Ke3chang is a threat group attributed to actors operating out of China. Ke3chang has targeted oil, government, diplomatic, military, and NGOs in Central and South America, the Caribbean, Europe, and North America since at least 2010.[1][2][3][4]

ID: G0004
Associated Groups: APT15, Mirage, Vixen Panda, GREF, Playful Dragon, RoyalAPT, NICKEL
Contributors: Pooja Natarajan, NEC Corporation India
Version: 2.0
Created: 31 May 2017
Last Modified: 19 April 2022

Associated Group Descriptions

Name Description
APT15

[2]
Mirage

[2]
Vixen Panda

[2][3]
GREF

[2]
Playful Dragon

[2][3]
RoyalAPT

[3]
NICKEL

[4]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1087 .001 Account Discovery: Local Account

Ke3chang performs account discovery using commands such as net localgroup administrators and net group "REDACTED" /domain on specific permissions groups.[1]
.002 Account Discovery: Domain Account

Ke3chang performs account discovery using commands such as net localgroup administrators and net group "REDACTED" /domain on specific permissions groups.[1]
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Ke3chang malware including RoyalCli and BS2005 have communicated over HTTP with the C2 server through Internet Explorer (IE) by using the COM interface IWebBrowser2.[2][4]
.004 Application Layer Protocol: DNS

Ke3chang malware RoyalDNS has used DNS for C2.[2]
Enterprise T1560 Archive Collected Data

The Ke3chang group has been known to compress data before exfiltration.[1]
.001 Archive via Utility

Ke3chang is known to use 7Zip and RAR with passwords to encrypt data prior to exfiltration.[1][4]
Enterprise T1119 Automated Collection

Ke3chang has performed frequent and scheduled data collection from victim networks.[4]
Enterprise T1020 Automated Exfiltration

Ke3chang has performed frequent and scheduled data exfiltration from compromised networks.[4]
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Several Ke3chang backdoors achieved persistence by adding a Run key.[2]
Enterprise T1059 Command and Scripting Interpreter

Malware used by Ke3chang can run commands on the command-line interface.[1][2]
.003 Windows Command Shell

Ke3chang has used batch scripts in its malware to install persistence mechanisms.[2]
Enterprise T1543 .003 Create or Modify System Process: Windows Service

Ke3chang backdoor RoyalDNS established persistence through adding a service called Nwsapagent.[2]
Enterprise T1213 .002 Data from Information Repositories: Sharepoint

Ke3chang used a SharePoint enumeration and data dumping tool known as spwebmember.[2]
Enterprise T1005 Data from Local System

Ke3chang gathered information and files from local directories for exfiltration.[1][4]
Enterprise T1140 Deobfuscate/Decode Files or Information

Ke3chang has deobfuscated Base64-encoded shellcode strings prior to loading them.[4]
Enterprise T1587 .001 Develop Capabilities: Malware

Ke3chang has developed custom malware that allowed them to maintain persistence on victim networks.[4]
Enterprise T1114 .002 Email Collection: Remote Email Collection

Ke3chang has used compromised credentials and a .NET tool to dump data from Microsoft Exchange mailboxes.[2][4]
Enterprise T1041 Exfiltration Over C2 Channel

Ke3chang transferred compressed and encrypted RAR files containing exfiltration through the established backdoor command and control channel during operations.[1]
Enterprise T1190 Exploit Public-Facing Application

Ke3chang has compromised networks by exploiting Internet-facing applications, including vulnerable Microsoft Exchange and SharePoint servers.[4]
Enterprise T1133 External Remote Services

Ke3chang has gained access through VPNs including with compromised accounts and stolen VPN certificates.[2][4]
Enterprise T1083 File and Directory Discovery

Ke3chang uses command-line interaction to search files and directories.[1][4]
Enterprise T1105 Ingress Tool Transfer

Ke3chang has used tools to download files to compromised machines.[4]
Enterprise T1056 .001 Input Capture: Keylogging

Ke3chang has used keyloggers.[2][4]
Enterprise T1036 .002 Masquerading: Right-to-Left Override

Ke3chang has used the right-to-left override character in spearphishing attachment names to trick targets into executing .scr and .exe files.[1]
.005 Masquerading: Match Legitimate Name or Location

Ke3chang has dropped their malware into legitimate installed software paths including: C:\ProgramFiles\Realtek\Audio\HDA\AERTSr.exe, C:\Program Files (x86)\Foxit Software\Foxit Reader\FoxitRdr64.exe, C:\Program Files (x86)\Adobe\Flash Player\AddIns\airappinstaller\airappinstall.exe, and C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd64.exe.[4]
Enterprise T1027 Obfuscated Files or Information

Ke3chang has used Base64-encoded shellcode strings.[4]
Enterprise T1588 .002 Obtain Capabilities: Tool

Ke3chang has obtained and used tools such as Mimikatz.[2]
Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Ke3chang has dumped credentials, including by using Mimikatz.[1][2][4]
.002 OS Credential Dumping: Security Account Manager

Ke3chang has dumped credentials, including by using gsecdump.[1][2]
.003 OS Credential Dumping: NTDS

Ke3chang has used NTDSDump and other password dumping tools to gather credentials.[4]
.004 OS Credential Dumping: LSA Secrets

Ke3chang has dumped credentials, including by using gsecdump.[1][2]
Enterprise T1069 .002 Permission Groups Discovery: Domain Groups

Ke3chang performs discovery of permission groups net group /domain.[1]
Enterprise T1057 Process Discovery

Ke3chang performs process discovery using tasklist commands.[1][2]
Enterprise T1021 .002 Remote Services: SMB/Windows Admin Shares

Ke3chang actors have been known to copy files to the network shares of other computers to move laterally.[1][2]
Enterprise T1018 Remote System Discovery

Ke3chang has used network scanning and enumeration tools, including Ping.[2]
Enterprise T1558 .001 Steal or Forge Kerberos Tickets: Golden Ticket

Ke3chang has used Mimikatz to generate Kerberos golden tickets.[2]
Enterprise T1082 System Information Discovery

Ke3chang performs operating system information discovery using systeminfo and has used implants to identify the system language and computer name.[1][2][4]
Enterprise T1614 .001 System Location Discovery: System Language Discovery

Ke3chang has used implants to collect the system language ID of a compromised machine.[4]
Enterprise T1016 System Network Configuration Discovery

Ke3chang has performed local network configuration discovery using ipconfig.[1][2][4]
Enterprise T1049 System Network Connections Discovery

Ke3chang performs local network connection discovery using netstat.[1][2]
Enterprise T1033 System Owner/User Discovery

Ke3chang has used implants capable of collecting the signed-in username.[4]
Enterprise T1007 System Service Discovery

Ke3chang performs service discovery using net start commands.[1]
Enterprise T1569 .002 System Services: Service Execution

Ke3chang has used a tool known as RemoteExec (similar to PsExec) to remotely execute batch scripts and binaries.[2]
Enterprise T1078 Valid Accounts

Ke3chang has used credential dumpers or stealers to obtain legitimate credentials, which they used to gain access to victim accounts.[4]
.004 Cloud Accounts

Ke3chang has used compromised credentials to sign into victims’ Microsoft 365 accounts.[4]

Software

ID Name References Techniques
S0100 ipconfig [1][2] System Network Configuration Discovery
S0002 Mimikatz [2][4] Access Token Manipulation: SID-History Injection, Account Manipulation, Boot or Logon Autostart Execution: Security Support Provider, Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Windows Credential Manager, OS Credential Dumping: LSA Secrets, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, Rogue Domain Controller, Steal or Forge Kerberos Tickets: Silver Ticket, Steal or Forge Kerberos Tickets: Golden Ticket, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket
S0280 MirageFox [3] Command and Scripting Interpreter: Windows Command Shell, Commonly Used Port, Deobfuscate/Decode Files or Information, Hijack Execution Flow: DLL Search Order Hijacking, System Information Discovery, System Owner/User Discovery
S0691 Neoichor [4] Application Layer Protocol: Web Protocols, Data from Local System, Indicator Removal on Host, Ingress Tool Transfer, Inter-Process Communication: Component Object Model, Modify Registry, System Information Discovery, System Location Discovery: System Language Discovery, System Network Configuration Discovery: Internet Connection Discovery, System Network Configuration Discovery, System Owner/User Discovery
S0039 Net [1][2] Account Discovery: Domain Account, Account Discovery: Local Account, Create Account: Domain Account, Create Account: Local Account, Indicator Removal on Host: Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Remote Services: SMB/Windows Admin Shares, Remote System Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, System Time Discovery
S0104 netstat [1][2] System Network Connections Discovery
S0439 Okrum [5] Access Token Manipulation: Token Impersonation/Theft, Application Layer Protocol: Web Protocols, Archive Collected Data: Archive via Utility, Archive Collected Data: Archive via Custom Method, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Shortcut Modification, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Data Encoding: Standard Encoding, Data Obfuscation: Protocol Impersonation, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, Exfiltration Over C2 Channel, File and Directory Discovery, Hide Artifacts: Hidden Files and Directories, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Input Capture: Keylogging, Masquerading: Masquerade Task or Service, Obfuscated Files or Information: Steganography, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Cached Domain Credentials, Proxy: External Proxy, Scheduled Task/Job: Scheduled Task, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery, System Services: Service Execution, System Time Discovery, Virtualization/Sandbox Evasion: User Activity Based Checks, Virtualization/Sandbox Evasion: System Checks, Virtualization/Sandbox Evasion: Time Based Evasion
S0097 Ping [2] Remote System Discovery
S0227 spwebmember [2] Data from Information Repositories: Sharepoint
S0096 Systeminfo [1][2] System Information Discovery
S0057 Tasklist [2] Process Discovery, Software Discovery: Security Software Discovery, System Service Discovery

References

  1. Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014.
  2. Smallridge, R. (2018, March 10). APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS. Retrieved April 4, 2018.
  3. Rosenberg, J. (2018, June 14). MirageFox: APT15 Resurfaces With New Tools Based On Old Ones. Retrieved September 21, 2018.
  1. MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022.
  2. Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020.