Skip to content

G0004 Ke3chang

Ke3chang is a threat group attributed to actors operating out of China. Ke3chang has targeted oil, government, diplomatic, military, and NGOs in Central and South America, the Caribbean, Europe, and North America since at least 2010.4321

Item Value
ID G0004
Associated Names APT15, Mirage, Vixen Panda, GREF, Playful Dragon, RoyalAPT, NICKEL
Version 2.0
Created 31 May 2017
Last Modified 22 July 2022
Navigation Layer View In ATT&CK® Navigator

Associated Group Descriptions

Name Description
APT15 3
Mirage 3
Vixen Panda 32
GREF 3
Playful Dragon 32
RoyalAPT 2
NICKEL 1

Techniques Used

Domain ID Name Use
enterprise T1087 Account Discovery -
enterprise T1087.001 Local Account Ke3chang performs account discovery using commands such as net localgroup administrators and net group “REDACTED” /domain on specific permissions groups.4
enterprise T1087.002 Domain Account Ke3chang performs account discovery using commands such as net localgroup administrators and net group “REDACTED” /domain on specific permissions groups.4
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols Ke3chang malware including RoyalCli and BS2005 have communicated over HTTP with the C2 server through Internet Explorer (IE) by using the COM interface IWebBrowser2.31
enterprise T1071.004 DNS Ke3chang malware RoyalDNS has used DNS for C2.3
enterprise T1560 Archive Collected Data The Ke3chang group has been known to compress data before exfiltration.4
enterprise T1560.001 Archive via Utility Ke3chang is known to use 7Zip and RAR with passwords to encrypt data prior to exfiltration.41
enterprise T1119 Automated Collection Ke3chang has performed frequent and scheduled data collection from victim networks.1
enterprise T1020 Automated Exfiltration Ke3chang has performed frequent and scheduled data exfiltration from compromised networks.1
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder Several Ke3chang backdoors achieved persistence by adding a Run key.3
enterprise T1059 Command and Scripting Interpreter Malware used by Ke3chang can run commands on the command-line interface.43
enterprise T1059.003 Windows Command Shell Ke3chang has used batch scripts in its malware to install persistence mechanisms.3
enterprise T1543 Create or Modify System Process -
enterprise T1543.003 Windows Service Ke3chang backdoor RoyalDNS established persistence through adding a service called Nwsapagent.3
enterprise T1213 Data from Information Repositories -
enterprise T1213.002 Sharepoint Ke3chang used a SharePoint enumeration and data dumping tool known as spwebmember.3
enterprise T1005 Data from Local System Ke3chang gathered information and files from local directories for exfiltration.41
enterprise T1140 Deobfuscate/Decode Files or Information Ke3chang has deobfuscated Base64-encoded shellcode strings prior to loading them.1
enterprise T1587 Develop Capabilities -
enterprise T1587.001 Malware Ke3chang has developed custom malware that allowed them to maintain persistence on victim networks.1
enterprise T1114 Email Collection -
enterprise T1114.002 Remote Email Collection Ke3chang has used compromised credentials and a .NET tool to dump data from Microsoft Exchange mailboxes.31
enterprise T1041 Exfiltration Over C2 Channel Ke3chang transferred compressed and encrypted RAR files containing exfiltration through the established backdoor command and control channel during operations.4
enterprise T1190 Exploit Public-Facing Application Ke3chang has compromised networks by exploiting Internet-facing applications, including vulnerable Microsoft Exchange and SharePoint servers.1
enterprise T1133 External Remote Services Ke3chang has gained access through VPNs including with compromised accounts and stolen VPN certificates.31
enterprise T1083 File and Directory Discovery Ke3chang uses command-line interaction to search files and directories.41
enterprise T1105 Ingress Tool Transfer Ke3chang has used tools to download files to compromised machines.1
enterprise T1056 Input Capture -
enterprise T1056.001 Keylogging Ke3chang has used keyloggers.31
enterprise T1036 Masquerading -
enterprise T1036.002 Right-to-Left Override Ke3chang has used the right-to-left override character in spearphishing attachment names to trick targets into executing .scr and .exe files.4
enterprise T1036.005 Match Legitimate Name or Location Ke3chang has dropped their malware into legitimate installed software paths including: C:\ProgramFiles\Realtek\Audio\HDA\AERTSr.exe, C:\Program Files (x86)\Foxit Software\Foxit Reader\FoxitRdr64.exe, C:\Program Files (x86)\Adobe\Flash Player\AddIns\airappinstaller\airappinstall.exe, and C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd64.exe.1
enterprise T1027 Obfuscated Files or Information Ke3chang has used Base64-encoded shellcode strings.1
enterprise T1588 Obtain Capabilities -
enterprise T1588.002 Tool Ke3chang has obtained and used tools such as Mimikatz.3
enterprise T1003 OS Credential Dumping -
enterprise T1003.001 LSASS Memory Ke3chang has dumped credentials, including by using Mimikatz.431
enterprise T1003.002 Security Account Manager Ke3chang has dumped credentials, including by using gsecdump.43
enterprise T1003.003 NTDS Ke3chang has used NTDSDump and other password dumping tools to gather credentials.1
enterprise T1003.004 LSA Secrets Ke3chang has dumped credentials, including by using gsecdump.43
enterprise T1069 Permission Groups Discovery -
enterprise T1069.002 Domain Groups Ke3chang performs discovery of permission groups net group /domain.4
enterprise T1057 Process Discovery Ke3chang performs process discovery using tasklist commands.43
enterprise T1021 Remote Services -
enterprise T1021.002 SMB/Windows Admin Shares Ke3chang actors have been known to copy files to the network shares of other computers to move laterally.43
enterprise T1018 Remote System Discovery Ke3chang has used network scanning and enumeration tools, including Ping.3
enterprise T1558 Steal or Forge Kerberos Tickets -
enterprise T1558.001 Golden Ticket Ke3chang has used Mimikatz to generate Kerberos golden tickets.3
enterprise T1082 System Information Discovery Ke3chang performs operating system information discovery using systeminfo and has used implants to identify the system language and computer name.431
enterprise T1614 System Location Discovery -
enterprise T1614.001 System Language Discovery Ke3chang has used implants to collect the system language ID of a compromised machine.1
enterprise T1016 System Network Configuration Discovery Ke3chang has performed local network configuration discovery using ipconfig.431
enterprise T1049 System Network Connections Discovery Ke3chang performs local network connection discovery using netstat.43
enterprise T1033 System Owner/User Discovery Ke3chang has used implants capable of collecting the signed-in username.1
enterprise T1007 System Service Discovery Ke3chang performs service discovery using net start commands.4
enterprise T1569 System Services -
enterprise T1569.002 Service Execution Ke3chang has used a tool known as RemoteExec (similar to PsExec) to remotely execute batch scripts and binaries.3
enterprise T1078 Valid Accounts Ke3chang has used credential dumpers or stealers to obtain legitimate credentials, which they used to gain access to victim accounts.1
enterprise T1078.004 Cloud Accounts Ke3chang has used compromised credentials to sign into victims’ Microsoft 365 accounts.1

Software

ID Name References Techniques
S0100 ipconfig 43 System Network Configuration Discovery
S0002 Mimikatz 31 SID-History Injection:Access Token Manipulation Account Manipulation Security Support Provider:Boot or Logon Autostart Execution Credentials from Password Stores Windows Credential Manager:Credentials from Password Stores Credentials from Web Browsers:Credentials from Password Stores LSASS Memory:OS Credential Dumping DCSync:OS Credential Dumping Security Account Manager:OS Credential Dumping LSA Secrets:OS Credential Dumping Rogue Domain Controller Steal or Forge Authentication Certificates Silver Ticket:Steal or Forge Kerberos Tickets Golden Ticket:Steal or Forge Kerberos Tickets Private Keys:Unsecured Credentials Pass the Ticket:Use Alternate Authentication Material Pass the Hash:Use Alternate Authentication Material
S0280 MirageFox 2 Windows Command Shell:Command and Scripting Interpreter Deobfuscate/Decode Files or Information DLL Search Order Hijacking:Hijack Execution Flow System Information Discovery System Owner/User Discovery
S0691 Neoichor 1 Web Protocols:Application Layer Protocol Data from Local System Indicator Removal Ingress Tool Transfer Component Object Model:Inter-Process Communication Modify Registry System Information Discovery System Language Discovery:System Location Discovery Internet Connection Discovery:System Network Configuration Discovery System Network Configuration Discovery System Owner/User Discovery
S0039 Net 43 Domain Account:Account Discovery Local Account:Account Discovery Local Account:Create Account Domain Account:Create Account Network Share Connection Removal:Indicator Removal Network Share Discovery Password Policy Discovery Local Groups:Permission Groups Discovery Domain Groups:Permission Groups Discovery SMB/Windows Admin Shares:Remote Services Remote System Discovery System Network Connections Discovery System Service Discovery Service Execution:System Services System Time Discovery
S0104 netstat 43 System Network Connections Discovery
S0439 Okrum 6 Token Impersonation/Theft:Access Token Manipulation Web Protocols:Application Layer Protocol Archive via Utility:Archive Collected Data Archive via Custom Method:Archive Collected Data Shortcut Modification:Boot or Logon Autostart Execution Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Windows Command Shell:Command and Scripting Interpreter Windows Service:Create or Modify System Process Standard Encoding:Data Encoding Protocol Impersonation:Data Obfuscation Deobfuscate/Decode Files or Information Symmetric Cryptography:Encrypted Channel Exfiltration Over C2 Channel File and Directory Discovery Hidden Files and Directories:Hide Artifacts File Deletion:Indicator Removal Ingress Tool Transfer Keylogging:Input Capture Masquerade Task or Service:Masquerading Steganography:Obfuscated Files or Information Cached Domain Credentials:OS Credential Dumping LSASS Memory:OS Credential Dumping External Proxy:Proxy Scheduled Task:Scheduled Task/Job System Information Discovery System Network Configuration Discovery System Network Connections Discovery System Owner/User Discovery Service Execution:System Services System Time Discovery System Checks:Virtualization/Sandbox Evasion Time Based Evasion:Virtualization/Sandbox Evasion User Activity Based Checks:Virtualization/Sandbox Evasion
S0097 Ping 3 Remote System Discovery
S0227 spwebmember 3 Sharepoint:Data from Information Repositories
S0096 Systeminfo 43 System Information Discovery
S0057 Tasklist 3 Process Discovery Security Software Discovery:Software Discovery System Service Discovery

References

  1. MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022. 

  2. Rosenberg, J. (2018, June 14). MirageFox: APT15 Resurfaces With New Tools Based On Old Ones. Retrieved September 21, 2018. 

  3. Smallridge, R. (2018, March 10). APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS. Retrieved April 4, 2018. 

  4. Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014. 

  5. Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014. 

  6. Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020.