Operation Ke3chang Malware Evolves

The advanced persistent threat (APT) group behind Operation Ke3chang was first noticed in 2013. At that time it was targeting Europe-based Ministries of Foreign Affairs; now it appears that the threat is still active.

Beyond remaining active, Operation Ke3chang also appears to be leveraging a new family of malware called TidePool.

Yesterday, Palo Alto Networks reported that experts within its Unit 42 research team recently uncovered a malware-based cyberespionage campaign launched against Indian embassies worldwide.

The victims are infected via spoofed phishing emails carrying TidePool as an attachment. TidePool is a malicious program whose code base and certain behaviors largely overlap with Ke3chang’s previous malware of choice, the BS2005 program.

The researchers of Unit 42 said that TidePool is a remote access trojan (RAT) which lets hackers read, write and delete files, as well as silently run commands.

The malicious attachment opens by default in Microsoft Word and exploits a Microsoft Office vulnerability that lets remote cyber criminals execute code via crafted EPS (Encapsulated PostScript) images.

The malware turns out to be Chinese in origin, just like BS2005.
