The Chinese state-sponsored hacking group tracked as APT15 was observed using a new backdoor codenamed “Graphican” in a new campaign between late 2022 and early 2023.

APT15, also known as Nickel, Flea, Ke3Chang and Vixen Panda, is a Chinese hacking group that has targeted important public and private organizations around the world since at least 2004.

The group has used various malware implants and custom backdoors over the years, including RoyalCLI and RoyalDNS, Okrum, Ketrum, and Android spyware named SilkBean and Moonshine.

Today, Symantec’s Threat Hunter team, part of Broadcom, reports that APT15’s latest campaign targets the foreign ministries of Central and South American countries.

New Graphican backdoor

Researchers report that the new Graphican backdoor is an evolution of older malware used by the group rather than a tool created from scratch.

It stands out for using the Microsoft Graph API and OneDrive to stealthily obtain its command and control (C2) infrastructure addresses in encrypted form, giving it versatility and resistance against takedowns.

On an infected device, Graphican does the following:

  • Disables the Internet Explorer 10 First Run Wizard and Welcome Page using registry keys.
  • Checks if the ‘iexplore.exe’ process is active.
  • Constructs an IWebBrowser2 global COM object for Internet access.
  • Authenticates with the Microsoft Graph API to obtain a valid access token and refresh_token.
  • Enumerates child files and folders in the “Person” OneDrive folder using the Graph API.
  • Decrypts the name of the first folder to use as a C&C server.
  • Generates a unique Bot ID using hostname, local IP address, Windows version, default language ID and process bitness (32/64 bit).
  • Registers the bot with the C&C server using a specific format string filled with the collected victim computer data.
  • Periodically checks the C&C server for new commands to run.
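The OneDrive lookup described above can be hunted for in endpoint network telemetry. The following Python sketch is an added example, not code from Symantec or from the original article. It assumes URL-level visibility (EDR or TLS-inspecting proxy), a four-column CSV layout, the Graph path-based folder addressing form `/drive/root:/<folder>:/children`, and that the COM browser object makes the traffic appear to come from iexplore.exe; all log lines are constructed.

```python
import csv
import io
import re
from urllib.parse import urlsplit, unquote

# Constructed sample telemetry (CSV: time, host, process, url); not real data.
SAMPLE_LOG = """\
2023-01-10T08:01:02Z,WS-014,OUTLOOK.EXE,https://graph.microsoft.com/v1.0/me/messages
2023-01-10T08:03:10Z,WS-022,iexplore.exe,https://graph.microsoft.com/v1.0/me/drive/root:/Person:/children
2023-01-10T08:04:00Z,WS-031,OneDrive.exe,https://graph.microsoft.com/v1.0/me/drive/root/children
2023-01-10T08:05:30Z,WS-040,msedge.exe,https://graph.microsoft.com/v1.0/me/drive/root:/Person:/children?$select=name
2023-01-10T08:06:00Z,WS-022,iexplore.exe,https://example.org/index.html
"""

GRAPH_HOST = "graph.microsoft.com"
# Assumed URL shape: path-based listing of a drive folder's children.
CHILDREN_RE = re.compile(r"/drive/root:/(?P<folder>[^:]+):/children$", re.I)
WATCHED_FOLDERS = {"person"}       # folder name reported for Graphican
LEGACY_BROWSER = {"iexplore.exe"}  # process the backdoor checks for

def hunt(log_text):
    """Return findings for Graph API listings of a watched OneDrive folder."""
    findings = []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 4:          # skip blank or malformed lines
            continue
        ts, host, proc, url = row
        parts = urlsplit(url)
        if (parts.hostname or "").lower() != GRAPH_HOST:
            continue
        m = CHILDREN_RE.search(unquote(parts.path))
        if not m or m.group("folder").lower() not in WATCHED_FOLDERS:
            continue
        # Internet Explorer is not an expected Graph API client, so rank it higher.
        severity = "high" if proc.lower() in LEGACY_BROWSER else "review"
        findings.append({"time": ts, "host": host, "process": proc,
                         "severity": severity})
    return findings

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding)
```

A "review" hit on its own is weak evidence, since any user may own a folder with that name; correlate it with the other behaviours in the list, such as a new outbound destination contacted by the same host shortly afterwards.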

Upon connecting to the command and control server, threat actors can send various commands to be executed on infected devices, including launching programs and downloading new files.

The complete list of commands that the C2 can send for execution by Graphican is:

  • ‘VS’ — Create an interactive command line controlled from the C&C server
  • ‘U’ — Create a file on the remote computer
  • ‘D’ — Upload a file from the remote computer to the C&C server
  • ‘NOT’ — Create a new process with a hidden window
  • ‘P’ — Create a new PowerShell process with a hidden window and save the results to a temporary file in the TEMP folder, then send the results to the C&C server

Other tools that Symantec researchers observed in the latest APT15 campaign are:

  • EWSTEW – Custom APT15 backdoor extracting emails from infected Microsoft Exchange servers.
  • Mimikatz, Pypykatz, Safetykatz – Publicly available credential dumping tools that leverage Windows single sign-on to extract secrets from memory.
  • LaZagne – An open-source tool capable of recovering the passwords of several applications.
  • Quarks PwDump – Dumps different types of Windows credentials. Documented since 2013.
  • SharpSecDump – A .Net port of secretsdump.py from Impacket, used to dump remote SAM and LSA secrets.
  • K8Tools – A set of tools including privilege escalation, password cracking, scanning, exploiting vulnerabilities and various system exploits.
  • EThole – Identification of vulnerable systems.
  • Web shells – AntSword, Behinder, China Chopper, Godzilla, giving hackers backdoor access to hacked systems.
  • Exploit CVE-2020-1472 – Elevation of privilege vulnerability affecting Netlogon remote protocol.

In conclusion, the recent activity of APT15 and the updating of its custom backdoor show that the Chinese hacking group remains a threat to organizations around the world, improving its tools and working to make its operations more stealthy.

The threat group uses phishing emails as the initial infection vector; however, it is also known to exploit vulnerable endpoints exposed to the Internet and use VPNs as an initial access vector.


