The advanced persistent threat (APT) group behind Operation Ke3chang was first documented in 2013, when it was targeting European Ministries of Foreign Affairs. It now appears that the group is still active.
In addition, Operation Ke3chang now appears to be using a new malware family, called TidePool.
Yesterday, Palo Alto Networks reported that its Unit 42 research team had recently uncovered a malware-based cyberespionage campaign targeting Indian embassies around the world.
Victims are infected via spoofed phishing emails carrying malicious attachments that deliver TidePool, a program whose code base and behaviour overlap heavily with Ke3chang’s previous malware of choice, the BS2005 program.
According to Unit 42, TidePool is a remote access trojan (RAT) that lets the attackers read, write and delete files, and silently run commands on the infected machine.
The attachment is a document that opens in Microsoft Word and exploits a Microsoft Office vulnerability (CVE-2015-2545) that allows remote code execution via a crafted EPS (Encapsulated PostScript) image embedded in the document.
Like BS2005, TidePool is assessed to be Chinese in origin.
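Because the lure relies on an EPS image inside an Office document, a cheap mail-gateway or triage check is to open the attachment as the zip container it is and flag any part that starts with an EPS signature, by content rather than by file extension. The script below is an added example written for this article, not code from Unit 42 or from the TidePool samples; the docx-like container it scans is constructed inline for demonstration and is not a real lure. It covers only zip-based OOXML files (docx/xlsx/pptx); a legacy OLE .doc is rejected with a ValueError rather than parsed.

```python
import io
import zipfile

# Byte signatures an EPS part starts with: the DSC text header, or the
# 4-byte DOS/binary EPS header that precedes an embedded preview.
EPS_SIGNATURES = (b"%!PS-Adobe", b"\xc5\xd0\xd3\xc6")
OOXML_MAGIC = b"PK\x03\x04"  # first local file header of a zip container


def find_eps_parts(doc_bytes: bytes) -> list:
    """Return the names of every part in an OOXML container (docx/xlsx/pptx)
    whose content begins with an EPS signature. Detection is by content, not
    by extension, so an EPS renamed to .png still shows up."""
    if not doc_bytes.startswith(OOXML_MAGIC):
        raise ValueError("not an OOXML (zip-based) Office document")
    hits = []
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as part:
                head = part.read(len(b"%!PS-Adobe"))
            if head.startswith(EPS_SIGNATURES):
                hits.append(info.filename)
    return hits


def is_suspicious(doc_bytes: bytes) -> bool:
    """Triage verdict: an EPS part in a mail attachment is worth holding."""
    return bool(find_eps_parts(doc_bytes))


def build_sample_docx(with_eps: bool) -> bytes:
    """Constructed minimal docx-like container for demonstration only.
    With with_eps=True it carries one honestly named EPS part and one EPS
    part disguised under a .png name; the PNG part is always present."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/media/image0.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
        if with_eps:
            zf.writestr("word/media/image1.eps",
                        b"%!PS-Adobe-3.0 EPSF-3.0\n%%BoundingBox: 0 0 10 10\n")
            zf.writestr("word/media/image2.png", b"\xc5\xd0\xd3\xc6" + b"\x00" * 28)
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        sample = build_sample_docx(flag)
        print("eps present:", flag, "->", find_eps_parts(sample), is_suspicious(sample))
```

Reading only the first few bytes of each part keeps the check fast enough to run on every inbound attachment; a hit does not prove exploitation, but after this campaign an EPS image in an unsolicited Word document is reason enough to detonate the file in a sandbox before delivery.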