Category: Malware
Type: Backdoor
Platforms: Microsoft Windows
Damage potential: Data exfiltration, targeted attacks on government entities, remote command execution, deployment of additional malware, system compromise, and disruption of operations.
Overview
Okrum is a backdoor attributed to Ke3chang (also tracked as APT15), a threat group known for targeting European diplomatic and government entities. It was first detected in 2016 and is believed to reach its victims through spear phishing emails carrying malicious attachments. Once Okrum is running on a system, it gives the attackers remote access to execute arbitrary commands, download additional payloads, and exfiltrate sensitive information.
Okrum is engineered to stay hidden so that the attackers can observe a target for a long time without being noticed. According to ESET's 2019 analysis, its loader retrieved the backdoor payload from inside a PNG image file (steganography), and its components were installed under names chosen to resemble legitimate software, which makes them hard for users to spot and lets the attackers collect information quietly.
Possible symptoms
Okrum is designed to be stealthy, so an infection rarely produces obvious symptoms. The following signs can nonetheless indicate an infection; network and persistence artifacts are the most useful ones to check.
- Unusual outbound network traffic, especially regular, low-volume connections (beaconing) to domains or IP addresses the host has no business contacting
- Unfamiliar DLL files in system directories, particularly unsigned ones that were written recently
- Slowdowns or abnormal behaviour caused by malicious processes consuming resources (uncommon for a backdoor built for quiet espionage, but worth checking)
- Disabled security software or unexpected changes to system configuration
- Unexpected new registry entries, especially autostart (Run/RunOnce) values, as well as new services or scheduled tasks
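The symptoms above can be checked directly on a Windows host. The triage script below is an added example, not code from the original page or from the published Okrum research: it enumerates services, scheduled tasks, Run/RunOnce values, Startup-folder shortcuts, recently written DLLs in System32, and established outbound connections, and flags anything whose executable is not Microsoft-signed. The 30-day window and the private-address filter are illustrative thresholds of our own, and every result is a lead to verify rather than a verdict.

```powershell
#Requires -RunAsAdministrator
# Added triage script (not from the original page or from the published Okrum
# research). Assumes Windows PowerShell 5.1 or PowerShell 7 on the suspect host.
# The 30-day window and the private-address regex are illustrative thresholds.

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Kind, [string]$Name, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Name = $Name; Detail = $Detail })
}

# Pull the bare executable path out of a command line such as
#   "C:\Program Files\Vendor\svc.exe" -run   or   C:\Windows\system32\svchost.exe -k netsvcs
# Unquoted paths with spaces are handled by testing progressively shorter prefixes.
function Get-ExePath([string]$CommandLine) {
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    $cl = [Environment]::ExpandEnvironmentVariables($CommandLine)
    if ($cl -match '^"([^"]+)"') { return $Matches[1] }
    $tokens = $cl -split ' '
    for ($i = $tokens.Count; $i -ge 1; $i--) {
        $candidate = $tokens[0..($i - 1)] -join ' '
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $tokens[0]
}

# Heuristic: a valid Authenticode signature from a Microsoft certificate.
# Catalog-signed Windows files may show as NotSigned on older systems, so treat
# "not Microsoft-signed" as something to verify, not as proof of malice.
function Test-MicrosoftSigned([string]$Path) {
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return $false }
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    return ($sig.Status -eq 'Valid' -and $sig.SignerCertificate.Subject -like '*Microsoft*')
}

# 1. Services whose binary is not Microsoft-signed. Backdoors commonly install as
#    a service under a name that imitates a legitimate Windows component.
foreach ($svc in Get-CimInstance Win32_Service) {
    $exe = Get-ExePath $svc.PathName
    if ($exe -and -not (Test-MicrosoftSigned $exe)) {
        Add-Finding 'Service' $svc.Name "$($svc.State); binary: $exe"
    }
}

# 2. Enabled scheduled tasks whose action runs a non-Microsoft-signed executable.
foreach ($task in Get-ScheduledTask | Where-Object State -ne 'Disabled') {
    foreach ($action in $task.Actions) {
        $exe = Get-ExePath $action.Execute      # $null for COM-handler actions
        if ($exe -and -not (Test-MicrosoftSigned $exe)) {
            Add-Finding 'ScheduledTask' ($task.TaskPath + $task.TaskName) "runs: $($action.Execute) $($action.Arguments)"
        }
    }
}

# 3. Run/RunOnce values and Startup-folder shortcuts (common user-level persistence).
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -notlike 'PS*') { Add-Finding 'RunKey' "$key\$($p.Name)" $p.Value }
    }
}
$shell = New-Object -ComObject WScript.Shell
$startupDirs = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
               "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
foreach ($lnk in Get-ChildItem -Path $startupDirs -Filter *.lnk -ErrorAction SilentlyContinue) {
    $target = $shell.CreateShortcut($lnk.FullName).TargetPath
    Add-Finding 'StartupShortcut' $lnk.FullName "target: $target"
}

# 4. DLLs in System32 written in the last 30 days that are not Microsoft-signed
#    ("unfamiliar DLL files in system directories").
$cutoff = (Get-Date).AddDays(-30)
foreach ($dll in Get-ChildItem "$env:SystemRoot\System32" -Filter *.dll -File -ErrorAction SilentlyContinue) {
    if ($dll.LastWriteTime -gt $cutoff -and -not (Test-MicrosoftSigned $dll.FullName)) {
        Add-Finding 'RecentUnsignedDll' $dll.FullName "written $($dll.LastWriteTime)"
    }
}

# 5. Established TCP connections to non-private addresses, with the owning process.
#    Re-run a few times: a backdoor that beacons shows the same destination repeatedly.
$private = '^(127\.|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|::1$|fe80:)'
foreach ($conn in Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue) {
    if ($conn.RemoteAddress -match $private) { continue }
    $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
    Add-Finding 'OutboundConnection' "$($proc.Name) (PID $($conn.OwningProcess))" `
        "$($conn.RemoteAddress):$($conn.RemotePort) from $($proc.Path)"
}

$findings | Sort-Object Kind, Name | Format-Table -AutoSize -Wrap
```

Run it from an elevated console and compare the output against a known-clean machine of the same build; on a well-maintained host the list of non-Microsoft services and tasks is short and consists of software you recognise, so anything with a generic name, an unsigned binary in a user-writable directory, or an outbound connection to an address nobody can explain deserves a closer look.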
Sources of the infection
Okrum typically reaches a device through a malicious attachment or link in a phishing email. When the user opens the attachment or follows the link, the malware installs itself on the computer. Other common delivery routes for malware of this kind are drive-by downloads from compromised websites, which exploit unpatched browser vulnerabilities, and pirated software bundled with the backdoor.
Protection
The primary protection against Okrum is endpoint detection and response (EDR) combined with patch management. EDR tooling can detect the backdoor's behaviour on the host (new persistence, suspicious child processes, beaconing), while patch management closes the vulnerabilities that attackers could exploit to deliver it. Other ways to protect your systems against Okrum and similar threats include:
- Keep your software up to date. Update operating systems, browsers, and applications regularly so that known vulnerabilities cannot serve as entry points for Okrum.
- Use security tools. Deploy reputable antivirus software, firewalls, and intrusion detection systems (IDS). Together they can help you identify, block, and remove threats before they cause damage.
- Limit user privileges and segment the network. Give accounts only the access their role requires, avoid doing daily work with administrator rights, and segment the network so that one compromised workstation cannot reach everything.
- Strengthen email security. Set up email filtering that detects and blocks phishing, spam, and malicious attachments, and consider blocking or sandboxing executable and macro-enabled attachments outright.
- Set up two-factor authentication (2FA). Enable 2FA on all accounts so that a stolen password alone does not give the attackers access.
Removal
If you suspect that a system is infected with Okrum, isolate it from the network immediately (pull the cable or disable the adapters) to cut off the attackers' access and stop the malware from spreading; leave the machine powered on if an investigation is expected, since memory contents and live connections are evidence. Next, identify and terminate the processes linked to Okrum and remove the services, scheduled tasks, registry autostart entries, and shortcut files the malware created, keeping copies and hashes of what you remove for analysis. Then run a full antivirus scan to remove any remaining components. Because Okrum is a backdoor operated by a targeted threat actor, the only dependable remedy is to rebuild the system from known-good media and restore data from a backup taken before the compromise.
Once Okrum is gone, change every password that was used on or from the infected system, including email, financial, and domain credentials, and do so from a clean device, because the attackers may have captured them.
If you are not confident in your technical skills to remove this malware, consult a cybersecurity professional. They can investigate the case, determine what was accessed, and restore the system with minimal damage.
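The removal steps above (stop the process, delete the service, scheduled task, autostart value and shortcut, keep evidence) can be scripted so that nothing is destroyed before it is recorded. The helper below is an added example and not code from the original page: it quarantines rather than deletes, writes a log with the binary paths, task definitions and SHA-256 hashes, and optionally disables the network adapters as the scripted equivalent of unplugging the machine. The service, task, value and file names in the call at the bottom are placeholders standing in for whatever triage actually found; they are not Okrum indicators.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original page. Every name passed in the call at
# the bottom is a placeholder, not a published Okrum indicator.

function Remove-PersistenceArtifact {
    param(
        [string[]]$ServiceName  = @(),   # Win32 service names
        [string[]]$TaskName     = @(),   # full task paths, e.g. '\Vendor\Updater'
        [string[]]$RunValueName = @(),   # value names under ...\CurrentVersion\Run(Once)
        [string[]]$FilePath     = @(),   # binaries, DLLs or .lnk files to quarantine
        [string]  $QuarantineDir = "$env:SystemDrive\Quarantine",
        [switch]  $IsolateHost            # disable every active NIC first (console access only)
    )
    New-Item -ItemType Directory -Path $QuarantineDir -Force | Out-Null
    $log = Join-Path $QuarantineDir 'removal-log.txt'
    function Write-Log([string]$Msg) { "$(Get-Date -Format o) $Msg" | Add-Content -Path $log }

    if ($IsolateHost) {
        # Scripted "unplug from the network": run this from a local console, never over RDP/WinRM.
        foreach ($nic in Get-NetAdapter | Where-Object Status -eq 'Up') {
            Write-Log "disabled adapter $($nic.Name)"
            Disable-NetAdapter -Name $nic.Name -Confirm:$false
        }
    }

    foreach ($name in $ServiceName) {
        $svc = Get-CimInstance Win32_Service -Filter "Name='$name'"
        if (-not $svc) { Write-Log "service $name not found"; continue }
        Write-Log "service $name state=$($svc.State) path=$($svc.PathName)"
        Stop-Service -Name $name -Force -ErrorAction SilentlyContinue
        if ($svc.ProcessId) { Stop-Process -Id $svc.ProcessId -Force -ErrorAction SilentlyContinue }
        # sc.exe delete exists on every supported Windows; Remove-Service needs PowerShell 6+.
        & sc.exe delete $name | Out-Null
    }

    foreach ($t in $TaskName) {
        $task = Get-ScheduledTask | Where-Object { ($_.TaskPath + $_.TaskName) -eq $t }
        if (-not $task) { Write-Log "task $t not found"; continue }
        # Keep the task definition (XML) as evidence before unregistering it.
        $xmlName = ($t.Trim('\') -replace '[\\/:]', '_') + '.xml'
        Export-ScheduledTask -InputObject $task | Set-Content -Path (Join-Path $QuarantineDir $xmlName)
        Write-Log "task $t exported to $xmlName and unregistered"
        Unregister-ScheduledTask -InputObject $task -Confirm:$false
    }

    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($v in $RunValueName) {
        foreach ($key in $runKeys) {
            $item = Get-ItemProperty -Path $key -Name $v -ErrorAction SilentlyContinue
            if ($item) {
                Write-Log "run value $key\$v = $($item.$v)"
                Remove-ItemProperty -Path $key -Name $v
            }
        }
    }

    foreach ($f in $FilePath) {
        if (-not (Test-Path -LiteralPath $f)) { Write-Log "file $f not found"; continue }
        # Record the hash, kill anything running from the file, then move (not delete)
        # it with a neutral extension so it cannot be double-clicked but stays available
        # to an analyst.
        $hash = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
        Get-Process | Where-Object { $_.Path -eq $f } | Stop-Process -Force -ErrorAction SilentlyContinue
        $dest = Join-Path $QuarantineDir ((Split-Path $f -Leaf) + '.quarantined')
        Move-Item -LiteralPath $f -Destination $dest -Force
        Write-Log "file $f sha256=$hash moved to $dest"
    }
    Get-Content -Path $log
}

# Placeholder names only; substitute what triage found on the host.
Remove-PersistenceArtifact -ServiceName 'ExampleSvc' -TaskName '\ExampleTask' `
    -RunValueName 'ExampleUpdater' -FilePath "$env:ProgramData\example\loader.dll"
```

The quarantine directory and its log are what you hand to an incident responder or share with your antivirus vendor; hashes let the same loader be searched for on other machines. Treat this as containment, not as a guarantee of a clean system: a backdoor from a targeted actor may have installed more than one persistence mechanism, which is why the text recommends rebuilding from known-good media.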