Ke3chang
Associated Group Descriptions
| Name | Description |
|---|---|
| APT15 | |
| Mirage | |
| Vixen Panda | |
| GREF | |
| Playful Dragon | |
| RoyalAPT |
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1087 | .001 | Account Discovery: Local Account |
Ke3chang performs account discovery using commands such as |
| .002 | Account Discovery: Domain Account |
Ke3chang performs account discovery using commands such as |
||
| Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
Ke3chang malware RoyalCli and BS2005 have communicated over HTTP with the C2 server through Internet Explorer (IE) by using the COM interface IWebBrowser2.[2] |
| .004 | Application Layer Protocol: DNS | |||
| Enterprise | T1560 | Archive Collected Data |
The Ke3chang group has been known to compress data before exfiltration.[1] |
|
| .001 | Archive via Utility |
Ke3chang is known to use RAR with passwords to encrypt data prior to exfiltration.[1] |
||
| Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
Several Ke3chang backdoors achieved persistence by adding a Run key.[2] |
| Enterprise | T1059 | Command and Scripting Interpreter |
Malware used by Ke3chang can run commands on the command-line interface.[1][2] |
|
| .003 | Windows Command Shell |
Ke3chang has used batch scripts in its malware to install persistence mechanisms.[2] |
||
| Enterprise | T1543 | .003 | Create or Modify System Process: Windows Service |
Ke3chang backdoor RoyalDNS established persistence through adding a service called |
| Enterprise | T1213 | .002 | Data from Information Repositories: Sharepoint |
Ke3chang used a SharePoint enumeration and data dumping tool known as spwebmember.[2] |
| Enterprise | T1005 | Data from Local System |
Ke3chang gathered information and files from local directories for exfiltration.[1] |
|
| Enterprise | T1114 | .002 | Email Collection: Remote Email Collection |
Ke3chang used a .NET tool to dump data from Microsoft Exchange mailboxes.[2] |
| Enterprise | T1041 | Exfiltration Over C2 Channel |
Ke3chang transferred compressed and encrypted RAR files containing exfiltration through the established backdoor command and control channel during operations.[1] |
|
| Enterprise | T1133 | External Remote Services |
Ke3chang regained access after eviction via the corporate VPN solution with a stolen VPN certificate, which they had extracted from a compromised host.[2] |
|
| Enterprise | T1083 | File and Directory Discovery |
Ke3chang uses command-line interaction to search files and directories.[1] |
|
| Enterprise | T1056 | .001 | Input Capture: Keylogging | |
| Enterprise | T1036 | .002 | Masquerading: Right-to-Left Override |
Ke3chang has used the right-to-left override character in spearphishing attachment names to trick targets into executing .scr and .exe files.[1] |
| Enterprise | T1588 | .002 | Obtain Capabilities: Tool | |
| Enterprise | T1003 | .001 | OS Credential Dumping: LSASS Memory |
Ke3chang has dumped credentials, including by using Mimikatz.[1][2] |
| .002 | OS Credential Dumping: Security Account Manager |
Ke3chang has dumped credentials, including by using gsecdump.[1][2] |
||
| .004 | OS Credential Dumping: LSA Secrets |
Ke3chang has dumped credentials, including by using gsecdump.[1][2] |
||
| Enterprise | T1069 | .002 | Permission Groups Discovery: Domain Groups |
Ke3chang performs discovery of permission groups |
| Enterprise | T1057 | Process Discovery |
Ke3chang performs process discovery using |
|
| Enterprise | T1021 | .002 | Remote Services: SMB/Windows Admin Shares |
Ke3chang actors have been known to copy files to the network shares of other computers to move laterally.[1][2] |
| Enterprise | T1018 | Remote System Discovery |
Ke3chang has used network scanning and enumeration tools, including Ping.[2] |
|
| Enterprise | T1558 | .001 | Steal or Forge Kerberos Tickets: Golden Ticket |
Ke3chang has used Mimikatz to generate Kerberos golden tickets.[2] |
| Enterprise | T1082 | System Information Discovery |
Ke3chang performs operating system information discovery using |
|
| Enterprise | T1016 | System Network Configuration Discovery |
Ke3chang performs local network configuration discovery using |
|
| Enterprise | T1049 | System Network Connections Discovery |
Ke3chang performs local network connection discovery using |
|
| Enterprise | T1007 | System Service Discovery |
Ke3chang performs service discovery using |
|
| Enterprise | T1569 | .002 | System Services: Service Execution |
Ke3chang has used a tool known as RemoteExec (similar to PsExec) to remotely execute batch scripts and binaries.[2] |
Software
References
- Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014.
- Smallridge, R. (2018, March 10). APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS. Retrieved April 4, 2018.