A threat group first analyzed more than two years ago has continued to improve its malware arsenal and was recently observed targeting personnel at Indian embassies worldwide.
The actor’s activities were brought to light in late 2013 by FireEye. The security firm had analyzed a campaign aimed at foreign affairs ministries in Europe, which it dubbed “Operation Ke3chang.”
FireEye linked the attackers to China and determined that they had been active since at least 2010. At the time of the initial analysis, the group had been using three pieces of malware, which researchers named BS2005, BMW, and MyWeb.
While no other reports have been published since 2013, the hackers behind Operation Ke3chang are still active and they’ve made some improvements to their tools.
Researchers at Palo Alto Networks recently came across a piece of malware that appears to have been used by the group in an ongoing attack aimed at Indian embassies.
The malware, dubbed “TidePool” by Palo Alto Networks, can be used to read, write and remove files from the infected system, and to execute commands. The threat, which behaves like a remote access Trojan (RAT), is similar to the BS2005 samples analyzed in 2013.
There are many similarities between the two pieces of malware, and TidePool appears to be an evolution of BS2005. According to researchers, both threats make unique registry changes and share code, including the code used for command and control (C&C) obfuscation and the way library functions are used.
The threat actor has sent out spear phishing emails using an annual report filed by more than 30 Indian embassies as a decoy. In order to increase their chances of success, the addresses used to send the emails have been spoofed to look like the messages come from real people with ties to Indian embassies.
The spear phishing emails observed by the security firm include an MHTML document set up to exploit a Microsoft Office vulnerability (CVE-2015-2545) that was patched in September 2015. If the flaw is exploited successfully, the TidePool malware is dropped onto the targeted user’s system.
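The lure described above is an MHTML (MIME-encapsulated) document carrying an exploit, delivered by email. One defensive triage step is to look inside such attachments before they reach a user: check whether a file named as a Word document is actually a MIME container, and enumerate its parts so that unusual embedded content stands out. The script below is an added example, not code from the original article or from Palo Alto Networks; the sample attachment, its part names and the "suspicious part" heuristics (PostScript/EPS or executable-looking parts) are assumptions constructed for the demonstration, not indicators taken from the campaign.

```python
import email
from email import policy
from typing import Dict, List

# Constructed sample: a minimal MHTML container of the kind Word will open as a
# document. Part names and contents are invented for this demo (not real IoCs).
SAMPLE_MHTML = b"""MIME-Version: 1.0
Content-Type: multipart/related; boundary="----=_NextPart_01"

------=_NextPart_01
Content-Type: text/html; charset="us-ascii"
Content-Location: file:///C:/report.htm

<html><body><p>Annual report</p></body></html>
------=_NextPart_01
Content-Type: application/postscript
Content-Location: file:///C:/report_files/image001.eps
Content-Transfer-Encoding: base64

JSFQUy1BZG9iZS0zLjAgRVBTRi0zLjAK
------=_NextPart_01--
"""

OLE_MAGIC = b"\xd0\xcf\x11\xe0"   # legacy binary .doc (OLE2 compound file)
ZIP_MAGIC = b"PK\x03\x04"          # .docx (Office Open XML is a ZIP archive)

# Heuristics (assumptions for this example): content a plain report rarely needs.
SUSPICIOUS_TYPES = {"application/postscript", "application/octet-stream",
                    "application/x-msdownload"}
SUSPICIOUS_EXT = (".eps", ".exe", ".dll", ".scr")
DOC_EXTENSIONS = (".doc", ".docx", ".dot")


def container_kind(data: bytes) -> str:
    """Classify the attachment by what it actually contains, not its extension."""
    if data.startswith(OLE_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "ooxml-zip"
    head = data[:512].lower()
    if b"mime-version:" in head or b"content-type:" in head:
        return "mhtml"
    return "unknown"


def list_mhtml_parts(data: bytes) -> List[Dict[str, object]]:
    """Walk the MIME tree and describe every leaf part of the MHTML container."""
    msg = email.message_from_bytes(data, policy=policy.default)
    parts = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        location = part.get("Content-Location", "") or ""
        name = part.get_filename() or location.rsplit("/", 1)[-1]
        payload = part.get_payload(decode=True) or b""
        flagged = (ctype in SUSPICIOUS_TYPES
                   or name.lower().endswith(SUSPICIOUS_EXT)
                   or payload.startswith(b"%!PS"))   # PostScript header
        parts.append({"name": name, "type": ctype,
                      "size": len(payload), "flagged": flagged})
    return parts


def assess(filename: str, data: bytes) -> Dict[str, object]:
    """Triage one attachment: container type, extension mismatch, flagged parts."""
    kind = container_kind(data)
    disguised = filename.lower().endswith(DOC_EXTENSIONS) and kind == "mhtml"
    parts = list_mhtml_parts(data) if kind == "mhtml" else []
    return {
        "container": kind,
        "disguised": disguised,          # document extension but MIME inside
        "parts": parts,
        "flagged": [p["name"] for p in parts if p["flagged"]],
    }


if __name__ == "__main__":
    result = assess("annual_report.doc", SAMPLE_MHTML)
    print(f"container={result['container']} disguised={result['disguised']}")
    for p in result["parts"]:
        mark = "!" if p["flagged"] else " "
        print(f" {mark} {p['name']:<20} {p['type']:<24} {p['size']} bytes")
```

The check deliberately keys on the container's real structure rather than on any file hash, so it still fires when a new sample of the same lure style arrives; a mail gateway or sandbox pre-filter can quarantine attachments where `disguised` is true or `flagged` is non-empty for an analyst to examine.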
Since FireEye’s 2013 report also mentioned that the hackers behind Operation Ke3chang targeted Indian entities, researchers believe the country could represent a high priority target for the group.
As for attribution, Palo Alto Networks reported finding evidence that the malware developer’s system was likely running an OS and software with Chinese set as the default language. It’s worth noting that Chinese officials denied hacking European foreign ministries when FireEye published the first report on Operation Ke3chang.
“Despite going unreported on since 2013, Operation Ke3chang has not ceased operations and in fact continued developing its malware,” Palo Alto Networks said in a blog post. “Unit 42 was able to track the evolution of Operation Ke3chang’s tools by observing unique behavioral quirks common throughout the malware’s lineage. By pivoting on these behaviors in AutoFocus, we were able to assess a relationship between these families dating back to at least 2012 and the creation of TidePool, a new malware family continuing in Ke3chang’s custom malware footsteps.”