Ke3chang Malware Targeting Indian Embassies Officials Again
A China-linked cyber-espionage group known as Ke3chang has resurfaced with a fresh wave of attacks that uses a new malware family, dubbed TidePool, in its operations.
Why TidePool Malware Is Dangerous:
- TidePool contains many capabilities common to most RATs.
- It allows the attacker to read, write and delete files and folders, and to run commands over named pipes.
- TidePool gathers information about the victim’s computer, base64 encodes the data, and sends it to the Command and Control (C2) server via HTTP.
- These capabilities match those of the BS2005 malware family used by the Ke3chang actor.
The activities of the Ke3chang group first came to light in December 2013, when FireEye researchers found the group targeting five European ministries of foreign affairs just before the G20 Summit held in Russia in September of that year.
FireEye also reported that the group used spear-phishing campaigns themed on the Syrian conflict to deliver the BS2005 RAT (Remote Access Trojan). After that, the group's activity went quiet.
Once again, the APT returns with malware that is new but built on the old.
Now, two and a half years after the group was first seen, security researchers from Palo Alto Networks report having observed new spear-phishing attacks that deliver another RAT closely resembling BS2005.
Palo Alto says that most of TidePool's code has been reused from BS2005. TidePool lets Ke3chang read and write files on compromised targets, run commands locally, base64-encode the collected data and exfiltrate it to a C&C server over HTTP.
In other words, TidePool is a fully featured RAT used in cyber-espionage campaigns. Palo Alto reports having identified eleven different TidePool variants, with attacks targeting up to 30 Indian embassies around the globe.
Distribution is via spear-phishing emails crafted to spoof another employee of the Indian embassy.
Another RAT exploiting the recently disclosed CVE-2015-2545 vulnerability.
One detail that stood out to the security researchers who investigated the malware was the use of a new Microsoft Office exploit, CVE-2015-2545, which was also employed by a recent version of the Poison Ivy RAT against anti-Chinese protesters in Hong Kong last April.
Ke3chang uses CVE-2015-2545 inside MHTML files sent as attachments to spear-phishing emails. On standard Windows machines, MHTML files are set to open by default in Microsoft Word.
These files carry a malicious EPS file embedded in their content, which in turn triggers the CVE-2015-2545 vulnerability and allows the attackers to execute code on the underlying computer. This lets them install the TidePool RAT.
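Because the lure documents are MHTML files that Word opens by default and that carry an embedded EPS part, a mail gateway or triage script can flag that combination before the document is ever opened. The following is an added example for that check, not code from the article or from Palo Alto Networks; the sample MHTML is constructed here and the EPS payload is only the harmless PostScript header.

```python
import email
from email import policy

# Constructed sample MHTML (not from the article): a MIME container with an
# HTML part and one embedded EPS part, the layout described above for the
# CVE-2015-2545 lures. The EPS body is just "%!PS-Adobe-3.0 EPSF-3.0" in base64.
SAMPLE_MHTML = b"""MIME-Version: 1.0
Content-Type: multipart/related; boundary="----=_NextPart_000_0000"

------=_NextPart_000_0000
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: 7bit

<html><body><p>Embassy circular</p><img src="image001.eps"></body></html>
------=_NextPart_000_0000
Content-Type: image/x-eps; name="image001.eps"
Content-Transfer-Encoding: base64

JSFQUy1BZG9iZS0zLjAgRVBTRi0zLjAK
------=_NextPart_000_0000--
"""

EPS_MIME_TYPES = {"application/postscript", "image/x-eps", "application/eps"}

def find_embedded_eps(mhtml_bytes):
    """Return (content_type, filename, reasons) for each MIME part that looks
    like EPS: by declared type, by filename, or by the '%!PS' magic bytes."""
    msg = email.message_from_bytes(mhtml_bytes, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # container node, inspect only leaf parts
        ctype = part.get_content_type()
        name = part.get_filename() or ""  # falls back to Content-Type name=
        payload = part.get_payload(decode=True) or b""  # base64/QP decoded
        reasons = []
        if ctype in EPS_MIME_TYPES:
            reasons.append("eps-content-type")
        if name.lower().endswith(".eps"):
            reasons.append("eps-filename")
        if payload.lstrip().startswith(b"%!PS"):
            reasons.append("postscript-magic")
        if reasons:
            hits.append((ctype, name, ",".join(reasons)))
    return hits

def is_suspicious_mhtml(mhtml_bytes):
    """True when an MHTML document embeds any EPS part; worth quarantining."""
    return bool(find_embedded_eps(mhtml_bytes))
```

A clean MHTML export of a web page has no reason to embed PostScript, so a hit here is a strong triage signal even without a signature for the specific exploit.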
Palo Alto's Unit42 reported that "Despite going unreported on since 2013, Operation Ke3chang has not ceased operations and in fact continued developing its malware. While we can’t know all of the group’s attacks using TidePool or older malware, we have uncovered its use against Indian Embassies, which was also documented in the 2013 report, indicating this is likely a high priority target as it has continued over multiple years."