The notorious Chinese state-sponsored hacking group known as APT15, also referred to as Nickel, Flea, Ke3Chang, and Vixen Panda, has recently been observed employing a newly developed backdoor named 'Graphican' in a campaign spanning from late 2022 to early 2023. APT15 has been active since at least 2004, targeting both public and private organizations worldwide.
According to the Threat Hunter Team at Symantec, a division of Broadcom, APT15's latest campaign focuses on foreign affairs ministries in Central and South American countries. The Graphican backdoor is not an entirely new tool but an evolution of previous malware used by the group. Notably, Graphican utilizes Microsoft Graph API and OneDrive to clandestinely obtain encrypted addresses for its command and control (C2) infrastructure, providing versatility and resistance against takedowns.
The operation of the Graphican backdoor involves several key steps. It disables the first-run wizard and welcome page of Internet Explorer 10 through registry modifications and verifies that an 'iexplore.exe' process is active. It establishes internet access through a global IWebBrowser2 COM object and authenticates with the Microsoft Graph API to acquire a valid access token and refresh token. Graphican then enumerates the child files and folders of the "Person" folder in OneDrive and decrypts the name of the first folder to use as its C2 server address. It also generates a unique Bot ID from various system parameters and registers the bot with the C2 server. The backdoor then periodically polls the C2 server for new commands, allowing the threat actors to perform actions on compromised devices such as launching programs and downloading files.
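The two observable behaviours described above (an Internet Explorer first-run suppression written to the registry, followed by iexplore.exe talking to the Microsoft Graph endpoints) can be correlated per host as a hunting heuristic. The following is an added example, not code from Symantec's report or from the malware; the telemetry format, the registry value names and the sample events are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed value names: the report only says the first-run wizard is disabled via
# the registry, not which values are written, so these are hunting guesses.
IE_FIRST_RUN_VALUES = {"disablefirstruncustomize", "runoncehasshown", "runoncecomplete"}
GRAPH_HOSTS = {"graph.microsoft.com", "login.microsoftonline.com"}
WINDOW = timedelta(minutes=10)  # how close the two behaviours must be to correlate

def parse_event(line):
    """Parse one constructed 'ts|host|kind|process|detail' telemetry line."""
    ts, host, kind, proc, detail = line.split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "kind": kind, "proc": proc.lower(), "detail": detail}

def is_first_run_suppression(ev):
    """Registry write under Internet Explorer\\Main that hides the first-run UI."""
    if ev["kind"] != "registry_set":
        return False
    path = ev["detail"].partition("=")[0].lower()
    return "internet explorer\\main" in path and path.rsplit("\\", 1)[-1] in IE_FIRST_RUN_VALUES

def is_ie_graph_connection(ev):
    """iexplore.exe reaching Graph/login endpoints, as the IWebBrowser2 object would."""
    return (ev["kind"] == "network" and ev["proc"] == "iexplore.exe"
            and ev["detail"].lower() in GRAPH_HOSTS)

def hunt(lines):
    """Return hosts where both behaviours occur within WINDOW of each other."""
    by_host = defaultdict(lambda: {"reg": [], "net": []})
    for line in lines:
        ev = parse_event(line)
        if is_first_run_suppression(ev):
            by_host[ev["host"]]["reg"].append(ev["ts"])
        elif is_ie_graph_connection(ev):
            by_host[ev["host"]]["net"].append(ev["ts"])
    return sorted(host for host, seen in by_host.items()
                  if any(abs(r - n) <= WINDOW for r in seen["reg"] for n in seen["net"]))

# Constructed sample telemetry: WS-FA-01 shows both behaviours, WS-FA-02 only the
# network side (a user in IE), WS-FA-03 only the registry side (a setup script).
SAMPLE = [
    "2023-01-12T09:00:05|WS-FA-01|registry_set|dropper.exe|HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\DisableFirstRunCustomize=1",
    "2023-01-12T09:00:07|WS-FA-01|process_start|iexplore.exe|started",
    "2023-01-12T09:00:09|WS-FA-01|network|iexplore.exe|login.microsoftonline.com",
    "2023-01-12T09:00:10|WS-FA-01|network|iexplore.exe|graph.microsoft.com",
    "2023-01-12T09:30:00|WS-FA-02|network|iexplore.exe|graph.microsoft.com",
    "2023-01-12T11:00:00|WS-FA-03|registry_set|setup.exe|HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\DisableFirstRunCustomize=1",
]

if __name__ == "__main__":
    print(hunt(SAMPLE))  # ['WS-FA-01']
```

Either behaviour on its own is common enough to be noise; the value of the rule is the short-window conjunction on one host, and the time window and value names should be tuned to the environment's own baseline.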
Symantec's researchers have also identified other tools used by APT15 in their latest campaign. These include EWSTEW, a custom backdoor targeting Microsoft Exchange servers to extract emails; publicly available credential-dumping tools like Mimikatz, Pypykatz, Safetykatz, Lazagne, Quarks PwDump, and SharpSecDump; K8Tools, a comprehensive toolset for privilege escalation, password cracking, scanning, vulnerability exploitation, and system exploits; EHole for vulnerable system identification; and several web shells such as AntSword, Behinder, China Chopper, and Godzilla, providing the attackers with backdoor access to compromised systems. Furthermore, APT15 has been observed exploiting the Netlogon Remote Protocol vulnerability (CVE-2020-1472) for elevation of privilege. According to Jess Parnell, VP of Security Operations, Centripetal:
“One reason APT groups like Vixen Panda may choose to stick with their existing tools is to maintain their operational infrastructure and avoid detection. By reusing familiar tools, they can leverage their knowledge of vulnerabilities and weaknesses, allowing them to conduct attacks more efficiently. Additionally, creating new tools from scratch entails significant time and effort, as they need to be tested, refined, and integrated into existing attack frameworks. By building upon established tools, APT groups can focus on evolving their techniques and evading detection.
Organizations must adopt a multi-layered approach to defend themselves against backdoors like Graphican. Keeping software and systems up to date with the latest security patches is essential. Many backdoors exploit known vulnerabilities, and by promptly applying patches, organizations can significantly reduce their attack surface. To truly stay ahead of advanced threats like Graphican, investing in intelligence-powered cybersecurity solutions is crucial. By leveraging augmented intelligence, enterprises can analyze vast amounts of data, identify patterns, and detect anomalous activities that may indicate the presence of sophisticated threats. By continuously learning from new attack techniques, intelligence-powered cybersecurity systems can provide real-time threat intelligence, enabling organizations to proactively defend against emerging threats.”
These recent activities by APT15, along with the development of the Graphican backdoor, underscore the persistent threat posed by this Chinese hacking group. Their continuous improvements in tools and tactics, combined with their preference for phishing emails and exploitation of vulnerable endpoints, highlight the ongoing challenges faced by organizations worldwide in defending against APT15's stealthy operations.