Go to listing page

Chinese APT15 Re-emerges with New Graphican Malware

Chinese APT15 Re-emerges with New Graphican Malware
In a recent study, Symantec documented the activities of APT15 (aka BackdoorDiplomacy and Vixen Panda), a Chinese state-sponsored threat group that has developed a fresh backdoor known as Graphican. The campaign spanned from 2022 to 2023 and primarily focused on foreign affairs ministries in the Americas.

Campaign insights

  • While the primary target of the group was foreign ministries in the Americas, it did target a government finance department, a company that sells products in Central and South America, and a European entity. 
  • Apart from Graphican, APT15 used various other tools, including EWSTEW, Mimikatz, web shells, SharpSecDump, and Lazagne, among others. 
  • It has, furthermore, exploited CVE-2020-1472 - a privilege escalation bug affecting the Netlogon Remote Protocol. Successful exploitation of the flaw could enable the attacker to run a specially crafted application on a device in the network. 

Let’s know Graphican better

  • Graphican backdoor is an evolved version of a previous malware, named Ketrican, which utilizes the Microsoft Graph API and OneDrive for its C2 infrastructure. This allows the malware to obtain encrypted addresses, making it resilient against takedowns. 
  • The operation of Graphican involves disabling Internet Explorer's first-run wizard, authenticating with Microsoft Graph API, decrypting folder names for use as C2 servers, generating unique Bot IDs, and executing commands received from the control server.

The bottom line

APT15 continues to develop new tools, as demonstrated by the use of Graphican. The group has a history of creating custom tools, and the similarities between Graphican and the Ketrican backdoor suggest a lack of concern for attribution. Flea's targets, foreign ministries, align with its previous activities, indicating consistent interests alongside evolving techniques. Symantec has published the IOCs for a better understanding of the threat to protect against it.
Cyware Publisher

Publisher

Cyware

Previous

​​High-Profile Spear-Phishing Attack Against Ukrainian ...

Breaches and Incidents

Next

APT37 Found Using FadeStealer to Eavesdrop on Victims

Malware and Vulnerabilities

RESOURCES
Cyber Fusion Center Guide
EVENTS
News and Updates, Hacker News

Get in touch with us now!

1-855-692-9927

Download Cyware Social App

Terms of Use Privacy Policy © 2023