The Chinese state-sponsored hacking group tracked as APT15 has been observed using a novel backdoor named ‘Graphican’ in a new campaign between late 2022 and early 2023.
APT15, also known as Nickel, Flea, Ke3Chang, and Vixen Panda, are Chinese state hackers targeting important public and private organizations worldwide since at least 2004.
The group has used various malware implants and custom backdoors throughout the years, including RoyalCLI and RoyalDNS, Okrum, Ketrum, and Android spyware named SilkBean and Moonshine.
Today, the Threat Hunter Team at Symantec, part of Broadcom, reports that APT15’s latest campaign targets foreign affairs ministries in Central and South American countries.
New Graphican backdoor
The researchers report that the new Graphican backdoor is an evolution of an older malware used by the hackers rather than a tool created from scratch.
It is notable for using Microsoft Graph API and OneDrive to stealthily obtain its command and control (C2) infrastructure addresses in encrypted form, giving it versatility and resistance against take-downs.
The operation of Graphican on the infected device includes the following:
- Disables Internet Explorer 10’s first-run wizard and welcome page using registry keys.
- Verifies if the ‘iexplore.exe’ process is active.
- Constructs a global IWebBrowser2 COM object for internet access.
- Authenticates with Microsoft Graph API for a valid access token and refresh_token.
- Enumerates child files and folders in the “Person” OneDrive folder using the Graph API.
- Decrypts the first folder’s name for use as a C&C server.
- Generates a unique Bot ID using the hostname, local IP, Windows version, default language identifier, and process bitness (32/64-bit).
- Registers the bot with the C&C server using a specific format string filled with the collected victim’s computer data.
- Regularly checks the C&C server for new commands to execute.
When connecting to the command and control server, the threat actors can send down various commands to execute on infected devices, including launching programs and downloading new files.
The complete list of commands that the C2 can send for execution by Graphican are:
- ‘C’ — Create an interactive command line that is controlled from the C&C server
- ‘U’ — Create a file on the remote computer
- ‘D’ — Download a file from the remote computer to the C&C server
- ‘N’ — Create a new process with a hidden window
- ‘P’ — Create a new PowerShell process with a hidden window and saves the results in a temporary file in the TEMP folder, and sends the results to the C&C server
Other tools Symantec’s researchers observed in APT15’s latest campaign are:
- EWSTEW – Custom APT15 backdoor extracting emails from infected Microsoft Exchange servers.
- Mimikatz, Pypykatz, Safetykatz – Publicly available credential-dumping tools that exploit Windows single sign-on to extract secrets from memory.
- Lazagne – An open-source tool able to retrieve passwords from multiple applications.
- Quarks PwDump – Dumps different types of Windows credentials. Documented since 2013.
- SharpSecDump – A .Net port of Impacket’s secretsdump.py, used for dumping remote SAM and LSA secrets.
- K8Tools – A toolset featuring privilege escalation, password cracking, scanning, vulnerability utilization, and various system exploits.
- EHole – Vulnerable systems identification.
- Web shells – AntSword, Behinder, China Chopper, Godzilla, giving the hackers backdoor access to the breached systems.
- CVE-2020-1472 exploit – Elevation of privilege vulnerability affecting the Netlogon Remote Protocol.
In conclusion, the recent activity of APT15 and the refresh of its custom backdoor shows that the Chinese hacking group remains a menace to organizations worldwide, improving its tools and working on making its operations stealthier.
The particular threat group uses phishing emails as an initial infection vector; however, they are also known for exploiting vulnerable internet-exposed endpoints and using VPNs as an initial access vector.