Ke3chang
Associated Group Descriptions |
|
| Name | Description |
|---|---|
| Playful Dragon | (Citation: NCC Group APT15 Alive and Strong)(Citation: APT15 Intezer June 2018) |
| APT15 | (Citation: NCC Group APT15 Alive and Strong) |
| NICKEL | (Citation: Microsoft NICKEL December 2021) |
| RoyalAPT | (Citation: APT15 Intezer June 2018) |
| Mirage | (Citation: NCC Group APT15 Alive and Strong) |
| GREF | (Citation: NCC Group APT15 Alive and Strong) |
| Vixen Panda | (Citation: NCC Group APT15 Alive and Strong)(Citation: APT15 Intezer June 2018) |
| Nylon Typhoon | (Citation: Microsoft Threat Actor Naming July 2023) |
Techniques Used |
||||
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1087 | .001 | Account Discovery: Local Account |
Ke3chang performs account discovery using commands such as |
| .002 | Account Discovery: Domain Account |
Ke3chang performs account discovery using commands such as |
||
| Enterprise | T1583 | .005 | Acquire Infrastructure: Botnet |
Ke3chang has utilized an ORB (operational relay box) network for reconnaissance and vulnerability exploitation.(Citation: ORB Mandiant) |
| Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
Ke3chang malware including RoyalCli and BS2005 have communicated over HTTP with the C2 server through Internet Explorer (IE) by using the COM interface IWebBrowser2.(Citation: NCC Group APT15 Alive and Strong)(Citation: Microsoft NICKEL December 2021) |
| .004 | Application Layer Protocol: DNS |
Ke3chang malware RoyalDNS has used DNS for C2.(Citation: NCC Group APT15 Alive and Strong) |
||
| Enterprise | T1560 | .001 | Archive Collected Data: Archive via Utility |
Ke3chang is known to use 7Zip and RAR with passwords to encrypt data prior to exfiltration.(Citation: Mandiant Operation Ke3chang November 2014)(Citation: Microsoft NICKEL December 2021) |
| Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
Several Ke3chang backdoors achieved persistence by adding a Run key.(Citation: NCC Group APT15 Alive and Strong) |
| Enterprise | T1059 | .003 | Command and Scripting Interpreter: Windows Command Shell |
Ke3chang has used batch scripts in its malware to install persistence mechanisms.(Citation: NCC Group APT15 Alive and Strong) |
| Enterprise | T1543 | .003 | Create or Modify System Process: Windows Service |
Ke3chang backdoor RoyalDNS established persistence through adding a service called |
| Enterprise | T1213 | .002 | Data from Information Repositories: Sharepoint |
Ke3chang used a SharePoint enumeration and data dumping tool known as spwebmember.(Citation: NCC Group APT15 Alive and Strong) |
| Enterprise | T1587 | .001 | Develop Capabilities: Malware |
Ke3chang has developed custom malware that allowed them to maintain persistence on victim networks.(Citation: Microsoft NICKEL December 2021) |
| Enterprise | T1114 | .002 | Email Collection: Remote Email Collection |
Ke3chang has used compromised credentials and a .NET tool to dump data from Microsoft Exchange mailboxes.(Citation: NCC Group APT15 Alive and Strong)(Citation: Microsoft NICKEL December 2021) |
| Enterprise | T1056 | .001 | Input Capture: Keylogging |
Ke3chang has used keyloggers.(Citation: NCC Group APT15 Alive and Strong)(Citation: Microsoft NICKEL December 2021) |
| Enterprise | T1036 | .002 | Masquerading: Right-to-Left Override |
Ke3chang has used the right-to-left override character in spearphishing attachment names to trick targets into executing .scr and .exe files.(Citation: Mandiant Operation Ke3chang November 2014) |
| .005 | Masquerading: Match Legitimate Resource Name or Location |
Ke3chang has dropped their malware into legitimate installed software paths including: `C:\ProgramFiles\Realtek\Audio\HDA\AERTSr.exe`, `C:\Program Files (x86)\Foxit Software\Foxit Reader\FoxitRdr64.exe`, `C:\Program Files (x86)\Adobe\Flash Player\AddIns\airappinstaller\airappinstall.exe`, and `C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd64.exe`.(Citation: Microsoft NICKEL December 2021) |
||
| Enterprise | T1003 | .001 | OS Credential Dumping: LSASS Memory |
Ke3chang has dumped credentials, including by using Mimikatz.(Citation: Mandiant Operation Ke3chang November 2014)(Citation: NCC Group APT15 Alive and Strong)(Citation: Microsoft NICKEL December 2021) |
| .002 | OS Credential Dumping: Security Account Manager |
Ke3chang has dumped credentials, including by using gsecdump.(Citation: Mandiant Operation Ke3chang November 2014)(Citation: NCC Group APT15 Alive and Strong) |
||
| .003 | OS Credential Dumping: NTDS |
Ke3chang has used NTDSDump and other password dumping tools to gather credentials.(Citation: Microsoft NICKEL December 2021) |
||
| .004 | OS Credential Dumping: LSA Secrets |
Ke3chang has dumped credentials, including by using gsecdump.(Citation: Mandiant Operation Ke3chang November 2014)(Citation: NCC Group APT15 Alive and Strong) |
||
| Enterprise | T1588 | .002 | Obtain Capabilities: Tool |
Ke3chang has obtained and used tools such as Mimikatz.(Citation: NCC Group APT15 Alive and Strong) |
| Enterprise | T1069 | .002 | Permission Groups Discovery: Domain Groups |
Ke3chang performs discovery of permission groups |
| Enterprise | T1021 | .002 | Remote Services: SMB/Windows Admin Shares |
Ke3chang actors have been known to copy files to the network shares of other computers to move laterally.(Citation: Mandiant Operation Ke3chang November 2014)(Citation: NCC Group APT15 Alive and Strong) |
| Enterprise | T1558 | .001 | Steal or Forge Kerberos Tickets: Golden Ticket |
Ke3chang has used Mimikatz to generate Kerberos golden tickets.(Citation: NCC Group APT15 Alive and Strong) |
| Enterprise | T1614 | .001 | System Location Discovery: System Language Discovery |
Ke3chang has used implants to collect the system language ID of a compromised machine.(Citation: Microsoft NICKEL December 2021) |
| Enterprise | T1569 | .002 | System Services: Service Execution |
Ke3chang has used a tool known as RemoteExec (similar to PsExec) to remotely execute batch scripts and binaries.(Citation: NCC Group APT15 Alive and Strong) |
| Enterprise | T1078 | .004 | Valid Accounts: Cloud Accounts |
Ke3chang has used compromised credentials to sign into victims’ Microsoft 365 accounts.(Citation: Microsoft NICKEL December 2021) |
References
- Rosenberg, J. (2018, June 14). MirageFox: APT15 Resurfaces With New Tools Based On Old Ones. Retrieved September 21, 2018.
- Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014.
- MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022.
- Smallridge, R. (2018, March 10). APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS. Retrieved April 4, 2018.
- Raggi, Michael. (2024, May 22). IOC Extinction? China-Nexus Cyber Espionage Actors Use ORB Networks to Raise Cost on Defenders. Retrieved July 8, 2024.
- Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
- Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014.
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.