


Operation Ke3chang Resurfaces, Targeting Indian Embassies

A threat group that first came to the fore 2 years ago has resurfaced. Dubbed Operation Ke3chang, the campaign was aimed at attacking foreign affairs ministries in Europe. According to the latest findings, the China-linked group has continued to improve its malware arsenal and is now targeting Indian embassies worldwide.

Operation Ke3chang is back, now targeting Indian embassies

The group was first discovered in 2022 by FireEye; the research firm had linked the attackers to China and had claimed that the group was active since 2022. In the initial analysis, researchers discovered three pieces of malware: BS2005, BMW and MyWeb. The new report by Palo Alto Networks suggests that the group has remained active in the intervening years and has also improved its malware capabilities. The hackers behind Operation Ke3chang are now targeting Indian embassies using a new piece of malware.

We've discovered a new malware family we've named TidePool. It has strong behavioral ties to Ke3chang and is being used in an ongoing attack campaign against Indian diplomatic mission personnel worldwide. This targeting is also consistent with previous attacker TTPs; Ke3chang historically targeted the Ministry of Diplomacy, and also conducted several prior campaigns against India.

The new tool, dubbed TidePool, can be used to read, write and remove files on the target systems. In the latest campaign, hackers sent phishing emails to more than 30 Indian embassies using an annual report as a decoy. The emails were spoofed to look like they came from real people with ties to Indian embassies. The TidePool malware was dropped onto the victim's system by exploiting a Microsoft Office vulnerability (CVE-2015-2545).

[...] the spear phishing emails we found targeted several Indian embassies in different countries. One decoy references an annual report filed by over 30 Indian embassies across the world. The sender addresses of the phishing emails spoof real people with ties to Indian embassies, adding legitimacy to the emails to prompt the recipients to open the attached file.

Similar to BS2005, the new threat behaves like a remote access trojan (RAT), which can execute commands on the infected systems. Researchers have also discovered that while both threats share code, including for command and control (C&C) obfuscation and use of library functions, TidePool appears to be an evolution of the previous malware.

Researchers have reported that the latest findings indicate Indian embassies are "likely a high priority target as it has continued over multiple years."

Source: https://wccftech.com/operation-ke3chang-resurfaces-targeting-indian-embassies/

Posted by: robersonbles1976.blogspot.com
