China-Linked Attackers Target Indian Embassies Worldwide

A threat group first analyzed more than two years ago has continued to improve its malware arsenal and was recently observed targeting personnel at Indian embassies worldwide.

The actor’s activities were brought to light in late 2013 by FireEye. The security firm had analyzed a campaign aimed at foreign affairs ministries in Europe, which it dubbed “Operation Ke3chang.”

FireEye linked the attackers to China and determined that they had been active since at least 2010. At the time of the initial analysis, the group had been using three pieces of malware that researchers named BS2005, BMW and MyWeb.

Although no other reports have been published since 2013, the hackers behind Operation Ke3chang remain active and have made some improvements to their tools.

Researchers at Palo Alto Networks recently came across a piece of malware that appears to have been used by the group in an ongoing attack aimed at Indian embassies.

The malware, dubbed “TidePool” by Palo Alto Networks, can be used to read, write and remove files from the infected system, and to execute commands. The threat, which behaves like a remote access Trojan (RAT), is similar to the BS2005 samples analyzed in 2013.

While there are many similarities between the two pieces of malware, TidePool appears to be an evolution of BS2005. According to researchers, both threats make unique registry changes, and they share code, including for command and control (C&C) obfuscation and use of library functions.

The threat actor has sent out spear phishing emails using an annual report filed by more than 30 Indian embassies as a decoy. In order to increase their chances of success, the addresses used to send the emails have been spoofed to look like the messages come from real people with ties to Indian embassies.

The spear phishing emails observed by the security firm include an MHTML document set up to exploit a Microsoft Office vulnerability (CVE-2015-2545) that was patched in September 2015. If the flaw is exploited successfully, the TidePool malware is dropped onto the targeted user’s system.

Since FireEye’s 2013 report also mentioned that the hackers behind Operation Ke3chang targeted Indian entities, researchers believe the country could represent a high priority target for the group.

As for attribution, Palo Alto Networks reported finding evidence that the malware developer’s system was likely running an OS and software with Chinese set as the default language. It’s worth noting that Chinese officials denied hacking European foreign ministries when FireEye published the first report on Operation Ke3chang.

“Despite going unreported on since 2013, Operation Ke3chang has not ceased operations and in fact continued developing its malware,” Palo Alto Networks said in a blog post. “Unit 42 was able to track the evolution of Operation Ke3chang’s tools by observing unique behavioral quirks common throughout the malware’s lineage. By pivoting on these behaviors in AutoFocus, we were able to assess a relationship between these families dating back to at least 2012 and the creation of TidePool, a new malware family continuing in Ke3chang’s custom malware footsteps.”

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.