APT15 has been targeting ministries of foreign affairs in the Americas in an intelligence gathering campaign that has leveraged a new backdoor variant, as well as publicly available tools and malware previously linked to the group.
The campaign, which ran from late 2022 into early 2023, used a backdoor called Graphican, which is an evolved version of the known APT15 malware Ketrican. According to researchers, the malware was deployed against three foreign affairs ministries in the Americas, a government finance department in a country in the Americas and a corporation that sells products in Central and South America.
“The goal of the group does seem to be to gain persistent access to the networks of victims of interest for the purposes of intelligence gathering,” said researchers with the Symantec Threat Hunter Team, part of Broadcom, in a Wednesday analysis. “Its targets in this campaign, of ministries of foreign affairs, also point to a likely geo-political motive behind the campaign.”
Updated Graphican Malware Capabilities
Graphican has the same basic functionality as its predecessor and has a number of capabilities, including collecting the infected machine's hostname, local IP, Windows version and system default language identifier, and polling the command-and-control (C2) server for commands to execute. The similarities to Ketrican are not surprising: while APT15 has evolved its codebase over the years, it is known for reusing code and features in its newer tools.
One main difference, however, is that the malware abuses Microsoft’s Graph API developer platform and OneDrive features to obtain its C2 infrastructure, rather than relying on a hardcoded C2 server. In the observed samples, the malware connected to OneDrive via the Microsoft Graph API in order to get the encrypted C2 server address from a child folder inside the “Person” folder, said researchers. This folder name was then decrypted and used as a C2 server.
“Communicating in this way can potentially allow the malware to go unnoticed on a victim’s network as it is only connecting to legitimate Microsoft domains and so there won’t be any suspicious network traffic,” said Brigid O Gorman, senior intelligence analyst at Symantec Threat Hunter Team, part of Broadcom. “It’s likely we could see this technique being adopted more widely by more APT actors.”
Graphican's C2 server commands include the ability to download files, create new processes and start a new PowerShell process with a hidden window.
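One defender-side check that follows from the behaviour described above, as an added example that is not part of Symantec's analysis: because the C2 lookup only ever touches graph.microsoft.com, the useful signal is which process is enumerating OneDrive folders through the Graph API, not the destination. The script below scans constructed proxy log lines and flags non-allowlisted processes hitting Graph drive endpoints; the log format, the allowlist and the process names are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed proxy log lines, not real telemetry: "<timestamp> <client_ip> <process> <method> <url>".
SAMPLE_LOG = """\
2023-01-10T09:02:11Z 10.0.5.21 OneDrive.exe GET https://graph.microsoft.com/v1.0/me/drive/root/children
2023-01-10T09:04:37Z 10.0.5.21 msedge.exe GET https://graph.microsoft.com/v1.0/me/messages
2023-01-10T09:05:02Z 10.0.5.44 svchost_update.exe POST https://login.microsoftonline.com/common/oauth2/v2.0/token
2023-01-10T09:05:03Z 10.0.5.44 svchost_update.exe GET https://graph.microsoft.com/v1.0/me/drive/root:/Person:/children
2023-01-10T09:05:04Z 10.0.5.44 svchost_update.exe GET https://graph.microsoft.com/v1.0/me/drive/root:/Person:/children
2023-01-10T09:06:00Z 10.0.5.21 winword.exe GET https://graph.microsoft.com/v1.0/me/drive/recent
"""

# Processes expected to use OneDrive/Graph drive endpoints on a workstation (assumed allowlist; tune per estate).
ALLOWED_GRAPH_CLIENTS = {
    "onedrive.exe", "msedge.exe", "chrome.exe", "firefox.exe",
    "winword.exe", "excel.exe", "outlook.exe", "teams.exe",
}

# Graph drive endpoints; the "root:/<folder>:/children" form lists the children of a named folder.
DRIVE_PATH = re.compile(r"^/v1\.0/(?:me|users/[^/]+)/drive(?:/|$)", re.IGNORECASE)
FOLDER_CHILDREN = re.compile(r"root:/([^:]+):/children", re.IGNORECASE)

def parse_line(line):
    """Split one constructed log line into its fields; returns None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, proc, method, url = parts
    u = urlparse(url)
    return {"ts": ts, "client": client, "process": proc.lower(), "method": method,
            "host": u.netloc.lower(), "path": u.path}

def find_suspicious_graph_clients(log_text):
    """Group Graph drive requests by (client, process) and report processes outside the allowlist."""
    hits = defaultdict(lambda: {"requests": 0, "folders": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["host"] != "graph.microsoft.com":
            continue
        if not DRIVE_PATH.match(rec["path"]) or rec["process"] in ALLOWED_GRAPH_CLIENTS:
            continue
        entry = hits[(rec["client"], rec["process"])]
        entry["requests"] += 1
        m = FOLDER_CHILDREN.search(rec["path"])
        if m:
            entry["folders"].add(m.group(1))  # folder whose children were enumerated
    return [{"client": c, "process": p, "requests": v["requests"], "folders": sorted(v["folders"])}
            for (c, p), v in sorted(hits.items())]

if __name__ == "__main__":
    for alert in find_suspicious_graph_clients(SAMPLE_LOG):
        print(f"{alert['client']} {alert['process']}: {alert['requests']} drive request(s), folders={alert['folders']}")
```

In a real deployment the allowlist should be keyed on signed binary path rather than bare image name, since the image name is trivially chosen by whoever drops the binary.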
Publicly Available Tools
The group was also observed leveraging a number of other tools in its campaign, including a new variant of a known backdoor, EWSTEW, that has been linked to APT15, and that extracts sent and received emails on compromised Microsoft Exchange servers.
The group relied on several publicly available tools for siphoning credentials, such as the Mimikatz credential dumping tool, the open-source LaZagne tool used to retrieve passwords, and the open-source Quarks PwDump tool for dumping Windows credentials. Other publicly available tools used by the group, such as the China Chopper and Behinder webshells, have previously been associated with Chinese threat actors.
Researchers said that the group also targeted a known Microsoft elevation-of-privilege flaw, for which a patch has been available since 2021. The flaw (CVE-2020-1472) exists when attackers establish vulnerable Netlogon secure channel connections to a domain controller via the Netlogon Remote Protocol, and allows attackers to run specially crafted applications on a device on the network.
APT15 Continues to Resurface
The Chinese government-backed group of teams under the APT15 umbrella (also known as Nickel and Flea) has launched intel-gathering attacks for more than a decade. This most recent campaign fits in with APT15's playbook, as the group has previously targeted diplomatic organizations, ministries of foreign affairs and members of organizations working to maintain world peace. Researchers have observed a frequent correlation between the threat group’s targets and China’s geopolitical interests.
While Microsoft in 2021 seized 42 websites that were used by APT15, with the aim of cutting off attackers’ access to victims and preventing them from using the sites to execute attacks, this latest activity shows that the takedown has not hindered the group’s overall efforts.
“[APT15] is believed to be a large and well-resourced group, and it appears that exposure of its activity, and even takedowns such as that detailed by Microsoft, have failed to have a significant impact when it comes to stopping the group’s activity,” said researchers.