In a recent study, Symantec documented the activities of APT15 (aka BackdoorDiplomacy and Vixen Panda), a Chinese state-sponsored threat group that has developed a fresh backdoor known as Graphican. The campaign spanned from 2022 to 2023 and primarily focused on foreign affairs ministries in the Americas.
Campaign insights
While the group's primary targets were foreign ministries in the Americas, it also targeted a government finance department, a company that sells products in Central and South America, and a European entity.
Apart from Graphican, APT15 used a range of other tools, including EWSTEW, Mimikatz, web shells, SharpSecDump, and Lazagne.
It has also exploited CVE-2020-1472, a privilege escalation vulnerability in the Netlogon Remote Protocol. Successful exploitation of the flaw could enable the attacker to run a specially crafted application on a device in the network.
Getting to know Graphican
The Graphican backdoor is an evolved version of an earlier APT15 malware family named Ketrican. Graphican uses the Microsoft Graph API and OneDrive as its C2 infrastructure: it retrieves its C2 addresses, in encrypted form, from there, which makes the infrastructure resilient against takedowns.
The operation of Graphican involves disabling Internet Explorer's first-run wizard, authenticating with Microsoft Graph API, decrypting folder names for use as C2 servers, generating unique Bot IDs, and executing commands received from the control server.
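As an added defender-side example (not code from the Symantec report), the hunting logic below flags two of the behaviours just described in constructed endpoint telemetry: Graph API/OneDrive traffic from a process that is not an expected Microsoft client, and a write to the Internet Explorer first-run policy value by an unexpected process. The event schema, the allow-lists and the DisableFirstRunCustomize value name are assumptions, since the page does not name the specific key.

```python
"""Hunt for Graphican-style behaviour in endpoint telemetry (added example).

Assumptions (not from the page): events are Sysmon-like dicts with an
'event' type (Network|Registry), the acting 'image', and a 'dest' host or
registry 'target'. Allow-lists and the registry value name are illustrative
and would be tuned to the environment.
"""
import re

# Processes that legitimately talk to Microsoft Graph / OneDrive (assumed allow-list).
GRAPH_ALLOWLIST = {
    r"c:\program files\microsoft onedrive\onedrive.exe",
    r"c:\program files\microsoft office\root\office16\outlook.exe",
}
# Hosts behind the Graph API / OneDrive, which Graphican abuses for C2.
GRAPH_HOSTS = re.compile(
    r"(^|\.)(graph\.microsoft\.com|login\.microsoftonline\.com|onedrive\.live\.com)$", re.I)
# IE first-run suppression value (assumed name; the page only says the wizard is disabled).
IE_FIRSTRUN = re.compile(r"internet explorer\\main\\disablefirstruncustomize$", re.I)
# Binaries expected to write that policy value (assumed allow-list).
IE_POLICY_WRITERS = {"iexplore.exe", "gpupdate.exe"}


def hunt(events):
    """Return a list of (reason, image) findings for suspicious events."""
    findings = []
    for ev in events:
        image = ev.get("image", "").lower()
        basename = image.rsplit("\\", 1)[-1]
        if ev.get("event") == "Network" and GRAPH_HOSTS.search(ev.get("dest", "")):
            if image not in GRAPH_ALLOWLIST:
                findings.append(("graph_api_from_unexpected_process", image))
        elif ev.get("event") == "Registry" and IE_FIRSTRUN.search(ev.get("target", "")):
            if basename not in IE_POLICY_WRITERS:
                findings.append(("ie_firstrun_disabled_by_unexpected_process", image))
    return findings


# Constructed sample telemetry; none of these values are IoCs from the report.
SAMPLE_EVENTS = [
    {"event": "Network", "image": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe",
     "dest": "graph.microsoft.com"},
    {"event": "Network", "image": r"C:\Users\Public\svchost.exe", "dest": "graph.microsoft.com"},
    {"event": "Registry", "image": r"C:\Users\Public\svchost.exe",
     "target": r"HKCU\Software\Policies\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize"},
    {"event": "Registry", "image": r"C:\Windows\System32\gpupdate.exe",
     "target": r"HKCU\Software\Policies\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize"},
]

if __name__ == "__main__":
    for reason, image in hunt(SAMPLE_EVENTS):
        print(f"{reason}: {image}")
```

Both hits point at the same unexpected binary, which is the correlation a defender would pivot on before looking for the Bot ID generation and command execution that follow.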
The bottom line
APT15 continues to develop new tools, as demonstrated by its use of Graphican. The group has a history of creating custom tools, and the similarities between Graphican and the Ketrican backdoor suggest a lack of concern for attribution. The group's targets, foreign ministries (Symantec tracks APT15 under the name Flea), align with its previous activities, indicating consistent interests alongside evolving techniques. Symantec has published IOCs to help defenders understand and protect against the threat.