Group description: Ke3chang

attack.mitre.org · MITRE ATT&CK
Ke3chang

Ke3chang is a threat group attributed to actors operating out of China. Ke3chang has targeted oil, government, diplomatic, and military organizations and NGOs in Central and South America, the Caribbean, Europe, and North America since at least 2010. [1] [2] [3] [4]

ID: G0004
Associated Groups: APT15, Mirage, Vixen Panda, GREF, Playful Dragon, RoyalAPT, NICKEL, Nylon Typhoon
Contributors: Pooja Natarajan, NEC Corporation India; Manikantan Srinivasan, NEC Corporation India; Hiroki Nagahama, NEC Corporation
Version: 3.1
Created: 31 May 2017
Last Modified: 04 April 2025

Associated Group Descriptions

Name | Description
APT15 | [2]
Mirage | [2]
Vixen Panda | [2] [3]
GREF | [2]
Playful Dragon | [2] [3]
RoyalAPT | [3]
NICKEL | [4]
Nylon Typhoon | [5]

Campaigns

ID | Name | First Seen | Last Seen | References | Techniques
C0052 | SPACEHOP Activity | January 2019 [6] | May 2024 [6] | [6] | Acquire Infrastructure: Virtual Private Server; Exploit Public-Facing Application; Obtain Capabilities: Tool; Proxy: Multi-hop Proxy

Techniques Used

Domain | ID | Name | Use
Enterprise | T1087.001 | Account Discovery: Local Account | Ke3chang performs account discovery using commands such as net localgroup administrators and net group "REDACTED" /domain on specific permissions groups. [1]
Enterprise | T1087.002 | Account Discovery: Domain Account | Ke3chang performs account discovery using commands such as net localgroup administrators and net group "REDACTED" /domain on specific permissions groups. [1]
Enterprise | T1583.003 | Acquire Infrastructure: Virtual Private Server | SPACEHOP Activity has used acquired Virtual Private Servers as control systems for devices within the ORB network. [6]
Enterprise | T1583.005 | Acquire Infrastructure: Botnet | Ke3chang has utilized an ORB (operational relay box) network for reconnaissance and vulnerability exploitation. [6]
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Ke3chang malware, including RoyalCli and BS2005, has communicated over HTTP with the C2 server through Internet Explorer (IE) by using the COM interface IWebBrowser2. [2] [4]
Enterprise | T1071.004 | Application Layer Protocol: DNS | Ke3chang malware RoyalDNS has used DNS for C2. [2]
Enterprise | T1560 | Archive Collected Data | The Ke3chang group has been known to compress data before exfiltration. [1]
Enterprise | T1560.001 | Archive Collected Data: Archive via Utility | Ke3chang is known to use 7Zip and RAR with passwords to encrypt data prior to exfiltration. [1] [4]
Enterprise | T1119 | Automated Collection | Ke3chang has performed frequent and scheduled data collection from victim networks. [4]
Enterprise | T1020 | Automated Exfiltration | Ke3chang has performed frequent and scheduled data exfiltration from compromised networks. [4]
Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Several Ke3chang backdoors achieved persistence by adding a Run key. [2]
Enterprise | T1059 | Command and Scripting Interpreter | Malware used by Ke3chang can run commands on the command-line interface. [1] [2]
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Ke3chang has used batch scripts in its malware to install persistence mechanisms. [2]
Enterprise | T1543.003 | Create or Modify System Process: Windows Service | Ke3chang backdoor RoyalDNS established persistence by adding a service called Nwsapagent. [2]
Enterprise | T1213.002 | Data from Information Repositories: Sharepoint | Ke3chang used a SharePoint enumeration and data dumping tool known as spwebmember. [2]
Enterprise | T1005 | Data from Local System | Ke3chang gathered information and files from local directories for exfiltration. [1] [4]
Enterprise | T1140 | Deobfuscate/Decode Files or Information | Ke3chang has deobfuscated Base64-encoded shellcode strings prior to loading them. [4]
Enterprise | T1587.001 | Develop Capabilities: Malware | Ke3chang has developed custom malware that allowed them to maintain persistence on victim networks. [4]
Enterprise | T1114.002 | Email Collection: Remote Email Collection | Ke3chang has used compromised credentials and a .NET tool to dump data from Microsoft Exchange mailboxes. [2] [4]
Enterprise | T1041 | Exfiltration Over C2 Channel | Ke3chang transferred compressed and encrypted RAR files containing exfiltrated data through the established backdoor command and control channel during operations. [1]
Enterprise | T1190 | Exploit Public-Facing Application | Ke3chang has compromised networks by exploiting Internet-facing applications, including vulnerable Microsoft Exchange and SharePoint servers. [4] SPACEHOP Activity has enabled the exploitation of CVE-2022-27518 and CVE-2022-27518 for illegitimate access. [7] [6]
Enterprise | T1133 | External Remote Services | Ke3chang has gained access through VPNs, including with compromised accounts and stolen VPN certificates. [2] [4]
Enterprise | T1083 | File and Directory Discovery | Ke3chang uses command-line interaction to search files and directories. [1] [4]
Enterprise | T1105 | Ingress Tool Transfer | Ke3chang has used tools to download files to compromised machines. [4]
Enterprise | T1056.001 | Input Capture: Keylogging | Ke3chang has used keyloggers. [2] [4]
Enterprise | T1036.002 | Masquerading: Right-to-Left Override | Ke3chang has used the right-to-left override character in spearphishing attachment names to trick targets into executing .scr and .exe files. [1]
Enterprise | T1036.005 | Masquerading: Match Legitimate Resource Name or Location | Ke3chang has dropped their malware into legitimate installed software paths, including C:\ProgramFiles\Realtek\Audio\HDA\AERTSr.exe, C:\Program Files (x86)\Foxit Software\Foxit Reader\FoxitRdr64.exe, C:\Program Files (x86)\Adobe\Flash Player\AddIns\airappinstaller\airappinstall.exe, and C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd64.exe. [4]
Enterprise | T1027 | Obfuscated Files or Information | Ke3chang has used Base64-encoded shellcode strings. [4]
Enterprise | T1588.002 | Obtain Capabilities: Tool | Ke3chang has obtained and used tools such as Mimikatz. [2] SPACEHOP Activity leverages a C2 framework sourced from a publicly available GitHub repository for administration of relay nodes. [6]
Enterprise | T1003.001 | OS Credential Dumping: LSASS Memory | Ke3chang has dumped credentials, including by using Mimikatz. [1] [2] [4]
Enterprise | T1003.002 | OS Credential Dumping: Security Account Manager | Ke3chang has dumped credentials, including by using gsecdump. [1] [2]
Enterprise | T1003.003 | OS Credential Dumping: NTDS | Ke3chang has used NTDSDump and other password dumping tools to gather credentials. [4]
Enterprise | T1003.004 | OS Credential Dumping: LSA Secrets | Ke3chang has dumped credentials, including by using gsecdump. [1] [2]
Enterprise | T1069.002 | Permission Groups Discovery: Domain Groups | Ke3chang performs discovery of permission groups using net group /domain. [1]
Enterprise | T1057 | Process Discovery | Ke3chang performs process discovery using tasklist commands. [1] [2]
Enterprise | T1090.003 | Proxy: Multi-hop Proxy | SPACEHOP Activity has routed traffic through chains of compromised network devices to proxy C2 communications. [6]
Enterprise | T1021.002 | Remote Services: SMB/Windows Admin Shares | Ke3chang actors have been known to copy files to the network shares of other computers to move laterally. [1] [2]
Enterprise | T1018 | Remote System Discovery | Ke3chang has used network scanning and enumeration tools, including Ping. [2]
Enterprise | T1558.001 | Steal or Forge Kerberos Tickets: Golden Ticket | Ke3chang has used Mimikatz to generate Kerberos golden tickets. [2]
Enterprise | T1082 | System Information Discovery | Ke3chang performs operating system information discovery using systeminfo and has used implants to identify the system language and computer name. [1] [2] [4]
Enterprise | T1614.001 | System Location Discovery: System Language Discovery | Ke3chang has used implants to collect the system language ID of a compromised machine. [4]
Enterprise | T1016 | System Network Configuration Discovery | Ke3chang has performed local network configuration discovery using ipconfig. [1] [2] [4]
Enterprise | T1049 | System Network Connections Discovery | Ke3chang performs local network connection discovery using netstat. [1] [2]
Enterprise | T1033 | System Owner/User Discovery | Ke3chang has used implants capable of collecting the signed-in username. [4]
Enterprise | T1007 | System Service Discovery | Ke3chang performs service discovery using net start commands. [1]
Enterprise | T1569.002 | System Services: Service Execution | Ke3chang has used a tool known as RemoteExec (similar to PsExec) to remotely execute batch scripts and binaries. [2]
Enterprise | T1078 | Valid Accounts | Ke3chang has used credential dumpers or stealers to obtain legitimate credentials, which they used to gain access to victim accounts. [4]
Enterprise | T1078.004 | Valid Accounts: Cloud Accounts | Ke3chang has used compromised credentials to sign into victims' Microsoft 365 accounts. [4]

Software

ID | Name | References | Techniques
S0100 | ipconfig | [1] [2] | System Network Configuration Discovery
S0002 | Mimikatz | [2] [4] | Access Token Manipulation: SID-History Injection; Account Manipulation; Boot or Logon Autostart Execution: Security Support Provider; Credentials from Password Stores; Credentials from Password Stores: Credentials from Web Browsers; Credentials from Password Stores: Windows Credential Manager; OS Credential Dumping: DCSync; OS Credential Dumping: Security Account Manager; OS Credential Dumping: LSASS Memory; OS Credential Dumping: LSA Secrets; Rogue Domain Controller; Steal or Forge Authentication Certificates; Steal or Forge Kerberos Tickets: Golden Ticket; Steal or Forge Kerberos Tickets: Silver Ticket; Unsecured Credentials: Private Keys; Use Alternate Authentication Material: Pass the Hash; Use Alternate Authentication Material: Pass the Ticket
S0280 | MirageFox | [3] | Command and Scripting Interpreter: Windows Command Shell; Deobfuscate/Decode Files or Information; Hijack Execution Flow: DLL; System Information Discovery; System Owner/User Discovery
S0691 | Neoichor | [4] | Application Layer Protocol: Web Protocols; Data from Local System; Indicator Removal; Ingress Tool Transfer; Inter-Process Communication: Component Object Model; Modify Registry; System Information Discovery; System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; System Network Configuration Discovery; System Owner/User Discovery
S0039 | Net | [1] [2] | Account Discovery: Domain Account; Account Discovery: Local Account; Account Manipulation: Additional Local or Domain Groups; Create Account: Local Account; Create Account: Domain Account; Indicator Removal: Network Share Connection Removal; Network Share Discovery; Password Policy Discovery; Permission Groups Discovery: Domain Groups; Permission Groups Discovery: Local Groups; Remote Services: SMB/Windows Admin Shares; Remote System Discovery; System Network Connections Discovery; System Service Discovery; System Services: Service Execution; System Time Discovery
S0104 | netstat | [1] [2] | System Network Connections Discovery
S0439 | Okrum | [8] | Access Token Manipulation: Token Impersonation/Theft; Application Layer Protocol: Web Protocols; Archive Collected Data: Archive via Utility; Archive Collected Data: Archive via Custom Method; Boot or Logon Autostart Execution: Shortcut Modification; Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder; Command and Scripting Interpreter: Windows Command Shell; Create or Modify System Process: Windows Service; Data Encoding: Standard Encoding; Data Obfuscation; Data Obfuscation: Protocol or Service Impersonation; Deobfuscate/Decode Files or Information; Encrypted Channel: Symmetric Cryptography; Exfiltration Over C2 Channel; File and Directory Discovery; Hide Artifacts: Hidden Files and Directories; Indicator Removal: File Deletion; Ingress Tool Transfer; Input Capture: Keylogging; Masquerading: Masquerade Task or Service; Obfuscated Files or Information: Steganography; OS Credential Dumping: Cached Domain Credentials; OS Credential Dumping: LSASS Memory; Proxy: External Proxy; Scheduled Task/Job: Scheduled Task; System Information Discovery; System Network Configuration Discovery; System Network Connections Discovery; System Owner/User Discovery; System Services: Service Execution; System Time Discovery; Virtualization/Sandbox Evasion: System Checks; Virtualization/Sandbox Evasion: User Activity Based Checks; Virtualization/Sandbox Evasion: Time Based Checks
S0097 | Ping | [2] | Remote System Discovery
S0227 | spwebmember | [2] | Data from Information Repositories: Sharepoint
S0096 | Systeminfo | [1] [2] | System Information Discovery
S0057 | Tasklist | [2] | Process Discovery; Software Discovery: Security Software Discovery; System Service Discovery

References
1. Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION "KE3CHANG": Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014.
2. Smallridge, R. (2018, March 10). APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS. Retrieved April 4, 2018.
3. Rosenberg, J. (2018, June 14). MirageFox: APT15 Resurfaces With New Tools Based On Old Ones. Retrieved September 21, 2018.
4. MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022.
5. Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
6. Raggi, M. (2024, May 22). IOC Extinction? China-Nexus Cyber Espionage Actors Use ORB Networks to Raise Cost on Defenders. Retrieved July 8, 2024.
7. National Security Agency. (2022, December). APT5: Citrix ADC Threat Hunting Guidance. Retrieved February 5, 2024.
8. Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020.