
Okrum Backdoor Malware

Okrum is a backdoor created by the Ke3chang (also known as APT15) advanced persistent threat. The backdoor was first detected in December 2016 and has targeted diplomatic missions in Slovakia, Belgium, Chile, Guatemala, and Brazil throughout 2017.

Okrum is delivered as an encrypted Dynamic-Link Library (DLL) embedded within a PNG image file; Ke3chang makes extensive use of steganographic techniques to avoid detection. The DLL is decrypted and executed by an unnamed preliminary installer, likely a variant of the MirageFox remote access trojan.

Once installed, Okrum escalates its privileges by calling the ImpersonateLoggedOnUser API, then collects user, system, and network information and sends it to a command-and-control server over HTTP. Okrum itself is not technically complex and can only execute shell commands by default. However, Ke3chang uses this capability to install its own tools, including Ketrican, RoyalCLI, and RoyalDNS, and to execute third-party applications already present on the affected system.

Indicators of Compromise

URLs


SHA1 File Hashes


Duncan

Duncan is a technology professional with over 20 years' experience working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
