China-Linked APT15 Targets Agencies With Graphican Malware

According to a Symantec Threat Hunter Team report, a highly sophisticated hacking group known as APT 15 (or Flea) has been engaged in a series of targeted attacks against foreign affairs ministries across North and South America. Their weapon of choice is a newly discovered backdoor named Graphican.

The campaign, which took place between late 2022 and early 2023, extended its reach beyond government entities. The hackers also set their sights on a government finance department in an undisclosed country and a corporation that operates in Central and South America. Additionally, the report mentions a single victim located in a European country, suggesting that Flea's activities reach other continents too.

Symantec said in the report that “Graphican has the same basic functionality as Ketrican, with the difference between them being Graphican’s use of the Microsoft Graph API and OneDrive to obtain its command-and-control (C&C) infrastructure.” However, Graphican distinguishes itself by utilizing the Microsoft Graph API to establish connections with OneDrive, enabling the retrieval of C&C information.

As reported by SecurityWeek, Graphican can generate an interactive command line, create and download files, and initiate hidden window processes. Throughout the campaign, Symantec observed APT15 employing different versions of Ketrican, each featuring a hardcoded C&C server and only implementing a subset of the commands mentioned above.

In addition to Graphican and Ketrican, APT15 employed various other tools during these attacks. They include the Ewstew backdoor, web shells, as well as publicly available tools like Mimikatz, Pypykatz, Safetykatz, Lazagne, Quarks PwDump, SharpSecDump, K8Tools, and EHole.

Symantec has stated that the primary objective of the APT15 group appears to be establishing long-term access to the networks of their targeted victims to gather intelligence. The focus of their attacks in this particular campaign, foreign affairs ministries, strongly indicates a probable geopolitical motive behind their actions.