A cyber-espionage group tied to China and called Ke3chang has resurfaced with new attacks and utilizing new malware in its operations, called TidePool.
The activities of the Ke3chang group came to light in December 2013, when FireEye researchers discovered the organization targeting fivejust before the G20 Summit that took place in September, in Russia, that year.
FireEye reported that the group used spear-phishing campaigns related to the Syrian conflict to distribute the BS2005 RAT (Remote Access Trojan). After that, the group’s activity shut down.
APT returns with new but old malware
Now, two and a half years after the group was first seen, security researchers from Palo Alto arehaving seen new spear-phishing attacks that distribute another RAT, closely resembling BS2005.
Palo Alto says that much of TidePool’s code has been reused from BS2005. TidePool allows Ke3chang to read and write files on infected targets, run commands locally, and encode data in base64 and exfiltrate it to a C&C server via HTTP.
In other words, TidePool is your typical RAT used in cyber-espionage campaigns.
Palo Alto reports seeing eleven different TidePool variations, targeting over 30 Indian embassies around the globe.
Distribution occurs via spear-phishing emails, crafted to spoof other Indian embassy employees.
Another RAT employing the newly discovered CVE-2015-2545 vulnerability
A detail that stood out to the security researchers who analyzed the malware was the usage of a new Microsoft Office exploit, CVE-2015-2545, also employed by a recent version of the Poison Ivy RAT against, this past April.
Ke3chang uses CVE-2015-2545 inside MHTML files sent as attachments to the spear-phishing emails. On standard Windows machines, the MHTML files are set to open by default in Microsoft Word.
These files contain a malicious EPS file embedded in their content, which, in turn, triggers the CVE-2015-2545 vulnerability that allows the attackers to execute code on the underlying computer. This allows them to install the TidePool RAT.
“Despite going unreported on since 2013, Operation Ke3chang has not ceased operations and in fact continued developing its malware,” Palo Alto’s Unit42 reported today. “While we can’t know all of the groups’ attacks using TidePool or older malware, we have uncovered its use against Indian Embassies, which was also documented in the 2013 report, indicating this is likely a high priority target as it has continued over multiple years.”