Hacking group builds new malware using patchwork of old code

A well-known hacking group, previously linked to the Chinese government, has developed new malware by merging features and source code from older projects.

These are the findings of an investigation conducted by cybersecurity researchers at Intezer, who dubbed the new malware Ketrum because it is a patchwork of code from older Ketrican and Okrum backdoors.
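The article reports that Ketrum was recognised as a patchwork of older backdoor code, but does not describe how such reuse is measured. The script below is an added illustration of the general idea behind binary code-reuse analysis; it is not Intezer's tooling or the Ketrum samples. It treats each sample's code as a byte string, hashes every fixed-size window, and reports which regions of a new sample already exist in known older samples. The three byte strings are constructed stand-ins (in practice you would feed in the `.text` section of each binary), and the window size of 16 bytes is an arbitrary choice.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed stand-ins for the code sections of three samples (not real malware bytes).
# OLD_A and OLD_B are built so that no 16-byte window is shared between them:
# OLD_A is a strictly ascending byte sequence, OLD_B strictly descending.
OLD_A = bytes(range(0, 200))            # "older backdoor A"
OLD_B = bytes(range(255, 55, -1))       # "older backdoor B"
# NEW borrows 64 bytes from each older sample and adds 32 bytes of novel code (0xC3 filler).
NEW = OLD_A[40:104] + bytes([0xC3] * 32) + OLD_B[20:84]

WINDOW = 16  # bytes per hashed window; assumption, tune per analysis


def chunk_hashes(data: bytes, size: int = WINDOW) -> Dict[str, List[int]]:
    """Map sha256(window) -> offsets of every `size`-byte window in `data`."""
    index: Dict[str, List[int]] = {}
    for off in range(len(data) - size + 1):
        digest = hashlib.sha256(data[off:off + size]).hexdigest()
        index.setdefault(digest, []).append(off)
    return index


def _hits(sample: bytes, reference: bytes, size: int) -> List[bool]:
    """For each window of `sample`, whether an identical window exists in `reference`."""
    ref = chunk_hashes(reference, size)
    return [
        hashlib.sha256(sample[off:off + size]).hexdigest() in ref
        for off in range(len(sample) - size + 1)
    ]


def shared_ratio(sample: bytes, reference: bytes, size: int = WINDOW) -> float:
    """Fraction of `sample` windows that also occur in `reference` (0.0 .. 1.0)."""
    hits = _hits(sample, reference, size)
    return sum(hits) / len(hits) if hits else 0.0


def shared_regions(sample: bytes, reference: bytes, size: int = WINDOW) -> List[Tuple[int, int]]:
    """Byte ranges (start, end) of `sample` covered by windows found in `reference`.

    Consecutive matching windows are merged into one region; `end` is exclusive.
    """
    regions: List[Tuple[int, int]] = []
    start = None
    last_hit = None
    for off, hit in enumerate(_hits(sample, reference, size)):
        if hit:
            if start is None:
                start = off
            last_hit = off
        elif start is not None:
            regions.append((start, last_hit + size))
            start = None
    if start is not None:
        regions.append((start, last_hit + size))
    return regions


def reuse_report(sample: bytes, references: Dict[str, bytes]) -> Dict[str, dict]:
    """Summarise how much of `sample` is lifted from each named reference."""
    return {
        name: {"ratio": round(shared_ratio(sample, ref), 3),
               "regions": shared_regions(sample, ref)}
        for name, ref in references.items()
    }


if __name__ == "__main__":
    for name, info in reuse_report(NEW, {"old_A": OLD_A, "old_B": OLD_B}).items():
        print(f"{name}: {info['ratio']:.1%} of windows shared, regions {info['regions']}")
```

Exact-window matching only catches byte-identical code, which is why the quoted observation that the Ketrum samples differ in "low-level implementation and use of system APIs" matters: recompiled or refactored functions will not hash the same, and production tools move to function-level or normalised-instruction comparison to see past that. The novel 0xC3 block in the constructed sample is the part an analyst would then examine by hand.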

Ke3chang is allegedly the group behind the malware, known for its attacks on western governments, as well as the military and oil industries.

Intezer claims the new malware is consistent with the group's Tactics, Techniques, and Procedures (TTPs), as a “basic backdoor” that allows remote access to a target device via a remote server.

The remote server, allegedly located in China, stopped working in mid-May after malware samples were identified.

"Both Ketrum samples resemble a similar layout to previous Ke3chang tools, apart from low-level implementation and use of system APIs," said Intezer. "Even in the two Ketrum samples, there are differences between the low-level APIs used to achieve the same functionality."

The newer Ketrum 2 variant allows its operator to download, upload, and execute files/shell commands, as well as configure sleep time for compromised devices.

"The group continues to morph its code and switch basic functionalities in their various backdoors. This strategy has been working for the group for years and there is no indication yet that it will deviate from this modus operandi," the security firm added.