Chinese state-sponsored hacking group APT15, also known as Nickel, Flea, Ke3Chang, and Vixen Panda, has been identified in a new cyber campaign conducted between late 2022 and early 2023. Symantec’s Threat Hunter Team reports that the group, active since at least 2004, targeted foreign affairs ministries in Central and South American countries in its latest operation. A notable aspect of this campaign is the use of a novel backdoor named ‘Graphican,’ which leverages the Microsoft Graph API and OneDrive for stealthy command and control (C2) infrastructure communication.
Graphican demonstrates versatility and resistance against takedowns by encrypting its C2 addresses. The threat actors behind APT15 utilize various tools in their operations, including email-extracting backdoors, credential-dumping tools, password retrieval tools, and exploits targeting vulnerabilities like CVE-2020-1472. The Graphican backdoor, employed by APT15 in its recent campaign, showcases the group’s evolution in creating advanced and stealthy malware. The backdoor uses Microsoft Graph API and OneDrive for communication with its C2 infrastructure, enhancing its adaptability and resilience. APT15’s tactics involve disabling Internet Explorer features, authenticating with the Microsoft Graph API, and generating unique Bot IDs based on victim computer data. The C2 server can issue commands to infected devices, ranging from creating interactive command lines to downloading files and launching new processes.
The campaign also revealed other tools employed by APT15, including backdoors extracting emails from Microsoft Exchange servers, credential-dumping tools, and various system exploits. The recent activities of APT15 and the introduction of the Graphican backdoor underscore the group’s ongoing threat to organizations worldwide. By constantly refining its tools and adopting stealthier techniques, APT15 remains a formidable menace. The group employs phishing emails as an initial infection vector, but it is also known for exploiting vulnerable internet-exposed endpoints and utilizing VPNs for initial access. Organizations must remain vigilant against evolving cyber threats posed by sophisticated state-sponsored actors like APT15.
Reference:
