BfV warns of cyber attacks by Ke3chang

In its latest issue of Cyber-Brief, the Federal Office for the Protection of the Constitution warns of cyber attacks by the cyber espionage group Ke3chang. Recent evidence suggests that the group is increasingly targeting business and government entities. Read here how Ke3chang works and learn how to protect your company.


Who is behind Ke3chang?

The Ke3chang group probably first became active in 2010 and has been attacking political and economic targets alike ever since. The Federal Office for the Protection of the Constitution suspects a long-term and wide-ranging cyber espionage campaign in Europe to be behind the attacks. The group is currently using malware called Ketrican to infiltrate IT infrastructures.

How does Ke3chang do it?

Over time, various bodies and security providers have analyzed Ke3chang’s approach. Here you will find an overview of the most important key data:

Use of the HTTP protocol for communication
Uniform patterns in the communication intervals (fixed time intervals between beaconing)
Weakening of the Internet Explorers by adapting registry entries
Intensive use of cmd.exe to execute commands
Small number of infected machines
Use of standard or open source tools such as e.g. B. RAR data compression or Mimikatz

How does Ketrican malware work?

Commands are delivered to the compromised client between keywords in accessed web pages: goodbad, whitepurple, or nicesay. There is currently no clear system for these keywords. The commands are encrypted (AES128 or XOR).
Technical analysis of Ketrican samples revealed that the malware itself does not establish persistence in the system. It is therefore more likely that another mechanism (e.g. a dropper) establishes persistence of the Ketrican backdoor.

 Ke3chang Attack Vector

The figure shows a typical Ketrican attack flow. Further information is available in BfV Cyber-Brief 01/20.

How do I know if my systems are affected?

Businesses, organizations, and government agencies are well advised to check their network hosts. The cyber defense of the Federal Office for the Protection of the Constitution provides corresponding detection rules: BfV cyber letter 01/20.

For those who want to be on the safe side, we offer infraforce penetration tests together with our partner for cybersecurity. We examine your IT infrastructure from the perspective of a hacker and thus close potential weak points: Improve your IT Security with penetration tests.