China-Linked Ke3chang Resurfaces, Now Targeting Indian Embassies

Rafia Shaikh
Posted May 24, 2016

A threat group that first came to public attention in 2013 has resurfaced. The campaign, dubbed Operation Ke3chang, originally targeted ministries of foreign affairs in Europe. According to the latest findings, the China-linked group has continued to improve its malware arsenal and is now targeting Indian embassies worldwide.

Operation Ke3chang is back, now targeting Indian embassies

Operation Ke3chang was first documented in 2013 by FireEye, which linked the attackers to China and assessed that the group had been active since 2010. That first analysis described three malware families: BS2005, BMW and MyWeb. A new report by Palo Alto Networks shows that the group has remained active in the years since and has improved its malware capabilities. The attackers behind Operation Ke3chang are now targeting Indian embassies with a new malware family.

We’ve discovered a new malware family we’ve named TidePool. It has strong behavioral ties to Ke3chang and is being used in an ongoing attack campaign against Indian embassy personnel worldwide. This targeting is also consistent with previous attacker TTPs; Ke3chang historically targeted the Ministry of Affairs, and also conducted several prior campaigns against India.

The new tool, dubbed TidePool, can read, write and delete files on infected systems. In the latest campaign the attackers sent spear phishing emails to several Indian embassies; one decoy document referenced an annual report filed by more than 30 Indian embassies. The sender addresses were spoofed to look like real people with ties to Indian embassies. The attached document exploited a Microsoft Office vulnerability, CVE-2015-2545 (the malformed EPS file parsing bug patched in MS15-099), to drop TidePool onto the victim’s system.

[…] the spear phishing emails we found targeted several Indian embassies in different countries. One decoy references an annual report filed by over 30 Indian embassies across the globe. The sender addresses of the phishing emails spoof real people with ties to Indian embassies, adding legitimacy to the emails to prompt the recipients to open the attached file.
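Since CVE-2015-2545 is triggered through an EPS image embedded in an Office document, a cheap first triage step for an attachment like the decoys described above is to open the OOXML package and look for EPS parts. The script below is an added example written for this page; it is not code from Palo Alto Networks or from the TidePool report, and the .docx it scans is constructed in memory, not a real sample. The function names (triage_ooxml, build_sample_docx) and the mapping of CVE-2015-2545 to EPS parsing (MS15-099) come from background knowledge, not from the article. Finding an EPS part is a triage signal worth escalating, not proof of exploitation.

```python
"""Triage an OOXML attachment (docx/pptx/xlsx) for embedded EPS parts.

Added example: CVE-2015-2545 (MS15-099) is reached through a malformed EPS
image inside an Office document, so flagging EPS parts is a useful first
filter for spear phishing attachments. Not proof of exploitation on its own.
"""
import io
import re
import zipfile

# Magic bytes of the two common EPS flavours: ASCII "%!PS-Adobe" and the
# DOS EPS binary header (C5 D0 D3 C6).
EPS_MAGIC = (b"%!PS-Adobe", b"\xc5\xd0\xd3\xc6")
EPS_NAME = re.compile(r"\.eps$", re.IGNORECASE)
# Content-type declarations Word emits for EPS media, plus the standard MIME type.
EPS_CTYPE = re.compile(r'extension="eps"|x-eps|postscript')


def triage_ooxml(data: bytes) -> dict:
    """Scan an OOXML package held in memory and report anything that looks like EPS.

    A part is flagged if its name ends in .eps or its first bytes match an EPS
    magic; the package-level [Content_Types].xml is checked separately.
    """
    report = {"is_ooxml": False, "eps_parts": [], "eps_content_type": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return report  # not a zip at all (RTF, OLE2, plain text, ...)
    with zf:
        names = zf.namelist()
        if "[Content_Types].xml" not in names:
            return report  # a zip, but not an OOXML package
        report["is_ooxml"] = True
        ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace").lower()
        report["eps_content_type"] = bool(EPS_CTYPE.search(ctypes))
        for name in names:
            if name.endswith("/"):
                continue  # directory entry
            head = zf.read(name)[:16]
            if EPS_NAME.search(name) or head.startswith(EPS_MAGIC):
                report["eps_parts"].append(name)
    return report


def build_sample_docx(with_eps: bool) -> bytes:
    """Constructed minimal .docx (hypothetical, not a real decoy) for exercising the scanner."""
    ctypes = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
    )
    if with_eps:
        ctypes += '<Default Extension="eps" ContentType="image/x-eps"/>'
    ctypes += "</Types>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", ctypes)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_eps:
            # Minimal ASCII EPS header; a real exploit document carries a malformed body here.
            zf.writestr("word/media/image1.eps", b"%!PS-Adobe-3.0 EPSF-3.0\n")
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        print("with_eps=%s -> %s" % (flag, triage_ooxml(build_sample_docx(flag))))
```

On real mail, run triage_ooxml over every attachment's bytes and escalate any report with a non-empty eps_parts list or eps_content_type set; a legitimate embassy document rarely embeds EPS, so the false positive rate is low enough for a first-pass filter, but the final call still belongs to sandbox detonation.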

Like BS2005, TidePool behaves as a remote access trojan (RAT) that can execute commands on infected systems. The researchers also found that the two families share code, including the routines for command and control (C&C) obfuscation and the way they use library functions, which points to TidePool being an evolution of the earlier malware.

Researchers have reported that the latest findings indicate Indian embassies are “likely a high priority target as it has continued over multiple years.”
