Ke3chang

Ke3chang is a threat group attributed to actors operating out of China. Ke3chang has targeted several industries, including oil, government, military, and more.[1][2][3]

ID: G0004
Associated Groups: APT15, Mirage, Vixen Panda, GREF, Playful Dragon, RoyalAPT
Version: 1.4
Created: 31 May 2017
Last Modified: 01 November 2021

Associated Group Descriptions

Name            Description
APT15           [2]
Mirage          [2]
Vixen Panda     [2] [3]
GREF            [2]
Playful Dragon  [2] [3]
RoyalAPT        [3]

Techniques Used

Domain ID Name Use
Enterprise T1087 .001 Account Discovery: Local Account

Ke3chang performs account discovery using commands such as net localgroup administrators and net group "REDACTED" /domain on specific permissions groups.[1]

.002 Account Discovery: Domain Account

Ke3chang performs account discovery using commands such as net localgroup administrators and net group "REDACTED" /domain on specific permissions groups.[1]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Ke3chang malware RoyalCli and BS2005 have communicated over HTTP with the C2 server through Internet Explorer (IE) by using the COM interface IWebBrowser2.[2]

.004 Application Layer Protocol: DNS

Ke3chang malware RoyalDNS has used DNS for C2.[2]

Enterprise T1560 Archive Collected Data

The Ke3chang group has been known to compress data before exfiltration.[1]

.001 Archive via Utility

Ke3chang is known to use RAR with passwords to encrypt data prior to exfiltration.[1]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Several Ke3chang backdoors achieved persistence by adding a Run key.[2]

Enterprise T1059 Command and Scripting Interpreter

Malware used by Ke3chang can run commands on the command-line interface.[1][2]

.003 Windows Command Shell

Ke3chang has used batch scripts in its malware to install persistence mechanisms.[2]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

Ke3chang backdoor RoyalDNS established persistence by adding a service called Nwsapagent.[2]

Enterprise T1213 .002 Data from Information Repositories: Sharepoint

Ke3chang used a SharePoint enumeration and data dumping tool known as spwebmember.[2]

Enterprise T1005 Data from Local System

Ke3chang gathered information and files from local directories for exfiltration.[1]

Enterprise T1114 .002 Email Collection: Remote Email Collection

Ke3chang used a .NET tool to dump data from Microsoft Exchange mailboxes.[2]

Enterprise T1041 Exfiltration Over C2 Channel

Ke3chang transferred compressed and encrypted RAR files containing the data staged for exfiltration through the established backdoor command and control channel during operations.[1]

Enterprise T1133 External Remote Services

Ke3chang regained access after eviction via the corporate VPN solution with a stolen VPN certificate, which they had extracted from a compromised host.[2]

Enterprise T1083 File and Directory Discovery

Ke3chang uses command-line interaction to search files and directories.[1]

Enterprise T1056 .001 Input Capture: Keylogging

Ke3chang has used keyloggers.[2]

Enterprise T1036 .002 Masquerading: Right-to-Left Override

Ke3chang has used the right-to-left override character in spearphishing attachment names to trick targets into executing .scr and .exe files.[1]

Enterprise T1588 .002 Obtain Capabilities: Tool

Ke3chang has obtained and used tools such as Mimikatz.[2]

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Ke3chang has dumped credentials, including by using Mimikatz.[1][2]

.002 OS Credential Dumping: Security Account Manager

Ke3chang has dumped credentials, including by using gsecdump.[1][2]

.004 OS Credential Dumping: LSA Secrets

Ke3chang has dumped credentials, including by using gsecdump.[1][2]

Enterprise T1069 .002 Permission Groups Discovery: Domain Groups

Ke3chang performs discovery of permission groups using net group /domain.[1]

Enterprise T1057 Process Discovery

Ke3chang performs process discovery using tasklist commands.[1][2]

Enterprise T1021 .002 Remote Services: SMB/Windows Admin Shares

Ke3chang actors have been known to copy files to the network shares of other computers to move laterally.[1][2]

Enterprise T1018 Remote System Discovery

Ke3chang has used network scanning and enumeration tools, including Ping.[2]

Enterprise T1558 .001 Steal or Forge Kerberos Tickets: Golden Ticket

Ke3chang has used Mimikatz to generate Kerberos golden tickets.[2]

Enterprise T1082 System Information Discovery

Ke3chang performs operating system information discovery using systeminfo.[1][2]

Enterprise T1016 System Network Configuration Discovery

Ke3chang performs local network configuration discovery using ipconfig.[1][2]

Enterprise T1049 System Network Connections Discovery

Ke3chang performs local network connection discovery using netstat.[1][2]

Enterprise T1007 System Service Discovery

Ke3chang performs service discovery using net start commands.[1]

Enterprise T1569 .002 System Services: Service Execution

Ke3chang has used a tool known as RemoteExec (similar to PsExec) to remotely execute batch scripts and binaries.[2]

Software

ID Name References Techniques
S0100 ipconfig [1][2] System Network Configuration Discovery
S0002 Mimikatz [2] Access Token Manipulation: SID-History Injection, Account Manipulation, Boot or Logon Autostart Execution: Security Support Provider, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, Credentials from Password Stores: Windows Credential Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSA Secrets, Rogue Domain Controller, Steal or Forge Kerberos Tickets: Silver Ticket, Steal or Forge Kerberos Tickets: Golden Ticket, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket
S0280 MirageFox [3] Command and Scripting Interpreter: Windows Command Shell, Commonly Used Port, Deobfuscate/Decode Files or Information, Hijack Execution Flow: DLL Search Order Hijacking, System Information Discovery, System Owner/User Discovery
S0039 Net [1][2] Account Discovery: Local Account, Account Discovery: Domain Account, Create Account: Local Account, Create Account: Domain Account, Indicator Removal on Host: Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery: Local Groups, Permission Groups Discovery: Domain Groups, Remote Services: SMB/Windows Admin Shares, Remote System Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, System Time Discovery
S0104 netstat [1][2] System Network Connections Discovery
S0439 Okrum [4] Access Token Manipulation: Token Impersonation/Theft, Application Layer Protocol: Web Protocols, Archive Collected Data: Archive via Custom Method, Archive Collected Data: Archive via Utility, Boot or Logon Autostart Execution: Shortcut Modification, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Data Encoding: Standard Encoding, Data Obfuscation: Protocol Impersonation, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, Exfiltration Over C2 Channel, File and Directory Discovery, Hide Artifacts: Hidden Files and Directories, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Input Capture: Keylogging, Masquerading: Masquerade Task or Service, Obfuscated Files or Information: Steganography, OS Credential Dumping: Cached Domain Credentials, OS Credential Dumping: LSASS Memory, Proxy: External Proxy, Scheduled Task/Job: Scheduled Task, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery, System Services: Service Execution, System Time Discovery, Virtualization/Sandbox Evasion: Time Based Evasion, Virtualization/Sandbox Evasion: System Checks, Virtualization/Sandbox Evasion: User Activity Based Checks
S0097 Ping [2] Remote System Discovery
S0227 spwebmember [2] Data from Information Repositories: Sharepoint
S0096 Systeminfo [1][2] System Information Discovery
S0057 Tasklist [2] Process Discovery, Software Discovery: Security Software Discovery, System Service Discovery

References