In a new campaign that ran from the end of 2022 to the beginning of 2023, the Chinese state-sponsored hacking group known as APT15 was observed using a novel backdoor that was dubbed “Graphican.”
Since at least 2004, Chinese state hackers known as APT15, also referred to as Nickel, Flea, Ke3Chang, and Vixen Panda, have targeted significant public and private organizations worldwide.
Over the course of its history, the group has made use of a variety of custom backdoors and malware implants, such as RoyalCLI and RoyalDNS, Okrum, Ketrum, and Android spyware known as SilkBean and Moonshine.
The Threat Hunter Team at Symantec, which is part of Broadcom, reported today that the most recent campaign launched by APT15 targets ministries of foreign affairs in countries in Central and South America.
Backdoor for New Graphican
The new Graphican backdoor, according to the researchers, is not a brand-new tool but rather an evolution of an earlier piece of malware that the hackers use.
It is notable for secretly obtaining its encrypted command and control (C2) infrastructure addresses using Microsoft Graph API and OneDrive, giving it versatility and resistance to takedowns.
On the infected device, Graphican performs the following operations:
- Disables Internet Explorer 10’s first-run wizard and welcome page using registry keys.
- Verifies if the ‘iexplore.exe’ process is active.
- Constructs a global IWebBrowser2 COM object for internet access.
- Authenticates with Microsoft Graph API for a valid access token and refresh_token.
- Enumerates child files and folders in the “Person” OneDrive folder using the Graph API.
- Decrypts the first folder’s name for use as a C&C server.
- Generates a unique Bot ID using the hostname, local IP, Windows version, default language identifier, and process bitness (32/64-bit).
- Registers the bot with the C&C server using a specific format string filled with the collected victim’s computer data.
- Regularly checks the C&C server for new commands to execute.
Threat actors can send a variety of commands to infected devices when they connect to the command and control server, such as starting programs and downloading new files.
The following is a comprehensive list of the commands that the C2 can send to Graphican for execution:
- ‘C’ — Create an interactive command line that is controlled from the C&C server
- ‘U’ — Create a file on the remote computer
- ‘D’ — Download a file from the remote computer to the C&C server
- ‘N’ — Create a new process with a hidden window
- ‘P’ — Create a new PowerShell process with a hidden window and saves the results in a temporary file in the TEMP folder, and sends the results to the C&C server
Symantec’s researchers discovered the following additional tools in the most recent APT15 campaign:
- EWSTEW – Custom APT15 backdoor extracting emails from infected Microsoft Exchange servers.
- Mimikatz, Pypykatz, Safetykatz – Publicly available credential-dumping tools that exploit Windows single sign-on to extract secrets from memory.
- Lazagne – An open-source tool able to retrieve passwords from multiple applications.
- Quarks PwDump – Dumps different types of Windows credentials. Documented since 2013.
- SharpSecDump – A .Net port of Impacket’s secretsdump.py, used for dumping remote SAM and LSA secrets.
- K8Tools – A toolset featuring privilege escalation, password cracking, scanning, vulnerability utilization, and various system exploits.
- EHole – Vulnerable systems identification.
- Web shells – AntSword, Behinder, China Chopper, Godzilla, giving the hackers backdoor access to the breached systems.
- CVE-2020-1472 exploit – Elevation of privilege vulnerability affecting the Netlogon Remote Protocol.
In conclusion, the recent activities of APT15 and its updated custom backdoor demonstrate that the Chinese hacking group continues to pose a threat to businesses all over the world, is working to improve its tools, and is working to conceal its operations.
Phishing emails are a method by which this particular threat group spreads infection at first; However, they are also known for using VPNs as an initial access vector and exploiting vulnerable internet-exposed endpoints.
