VXer group ramps up malware to attack Indian embassies

"Operation Ke3chang" updates 'Tidepool' malware to target MS Word mess

Attackers have revamped their malware to better target embassy staff, says a Palo Alto Networks security team.

The "Operation Ke3chang" campaign is slinging the TidePool malware which it has quietly upgraded over recent years.

Researchers Micah Yates, Mike Scott, Brandon Levene, Jen Miller-Osborn and Tom Keigher say the group slipped under analysts' radars since 2013 and took the opportunity to hit Indian embassies around the world.

"Despite going unreported on since 2013, Operation Ke3chang has not ceased operations and in fact continued developing its malware," the so-called Unit 42 team says.

"[TidePool] has strong behavioural ties to Ke3chang and is being used in an ongoing attack campaign against Indian embassy personnel worldwide ... we have uncovered its use against Indian Embassies … indicating this is likely a high priority target as it has continued over multiple years."

The researchers say TidePool contains the remote access trojan capabilities typical of such tools, allowing an attacker to read, write and delete files and folders on a compromised host.

TidePool exploits a Microsoft Word vulnerability (CVE-2015-2545) revealed by FireEye in November 2015.

The flaw lies in the handling of embedded Encapsulated PostScript (.eps) image files, which allows attackers to execute arbitrary code when a crafted document is opened. ®
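Because the Word bug is reached through an EPS image carried inside the document, a useful triage signal for defenders is simply whether an Office Open XML package contains an EPS part at all. The script below is an added example, not code from the Palo Alto Networks report or from this article: it opens a .docx in memory and flags parts that are EPS by extension, by the content type declared in `[Content_Types].xml`, or by their leading bytes, so that a renamed part does not slip past the check. The function names and the in-memory sample documents are constructed for this demonstration and are assumptions of the example, not anything taken from the campaign.

```python
"""Triage check: flag .docx (Office Open XML) files that embed EPS images.

Added example, not from the Palo Alto Networks report or The Register article.
CVE-2015-2545 is reached through an Encapsulated PostScript (.eps) image inside
an Office document, so the presence of an EPS part is a cheap pre-filter before
deeper analysis. Function and part names below are assumptions for the demo.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"
# ASCII EPS header and the DOS/binary EPS preview header
EPS_MAGIC = (b"%!PS-Adobe", b"\xc5\xd0\xd3\xc6")


def is_eps_content_type(ct):
    """True for content types that denote PostScript/EPS (e.g. image/x-eps)."""
    ct = (ct or "").lower()
    return "postscript" in ct or ct.endswith("eps")


def find_eps_parts(docx_bytes):
    """Return sorted part names inside the package that look like EPS images.

    Three signals are combined: the part extension, the content type declared in
    [Content_Types].xml, and the first bytes of media parts. Extension alone is
    not enough because a part can be renamed while keeping its EPS payload.
    """
    hits = set()
    eps_exts = set()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = z.namelist()
        if "[Content_Types].xml" in names:
            root = ET.fromstring(z.read("[Content_Types].xml"))
            # <Default Extension="eps" ContentType="image/x-eps"/>
            for d in root.iter(CT_NS + "Default"):
                if is_eps_content_type(d.get("ContentType")):
                    eps_exts.add((d.get("Extension") or "").lower())
            # <Override PartName="/word/media/x" ContentType="image/x-eps"/>
            for o in root.iter(CT_NS + "Override"):
                if is_eps_content_type(o.get("ContentType")):
                    hits.add((o.get("PartName") or "").lstrip("/"))
        for name in names:
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            if ext == "eps" or ext in eps_exts:
                hits.add(name)
                continue
            # Magic-byte check on media parts regardless of their extension
            if name.startswith("word/media/"):
                if z.read(name)[:16].startswith(EPS_MAGIC):
                    hits.add(name)
    return sorted(hits)


def build_sample_docx(embed_eps):
    """Construct a minimal OOXML package in memory (constructed test data).

    With embed_eps=True the package carries one part with a .eps extension and
    one renamed to .bin that still starts with an EPS header.
    """
    ctypes = ['<?xml version="1.0" encoding="UTF-8"?>',
              '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
              '<Default Extension="xml" ContentType="application/xml"/>',
              '<Default Extension="png" ContentType="image/png"/>']
    if embed_eps:
        ctypes.append('<Default Extension="eps" ContentType="image/x-eps"/>')
    ctypes.append("</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "".join(ctypes))
        z.writestr("word/document.xml",
                   '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        z.writestr("word/media/image1.png", b"\x89PNG\r\n\x1a\n" + b"\0" * 8)
        if embed_eps:
            z.writestr("word/media/image3.eps", b"%!PS-Adobe-3.0 EPSF-3.0\n")
            # Renamed part: the extension hides it, the magic bytes do not
            z.writestr("word/media/image2.bin", b"%!PS-Adobe-3.0 EPSF-3.0\n%%BoundingBox: 0 0 1 1\n")
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        print("embed_eps=%s -> %s" % (flag, find_eps_parts(build_sample_docx(flag))))
```

A hit from this check is a reason to detonate or inspect the document, not proof of exploitation: legitimate documents can embed EPS artwork, so the value is in prioritising which files from external senders get a closer look.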
