Heimdal

Researchers observed the state-sponsored threat group APT15 using a new backdoor dubbed `Graphican`. The Chinese hackers used the new malware in a campaign targeting foreign affairs ministries in the Americas between 2022 and 2023.

According to security researchers, among the other targets were a government finance department, a corporation that markets products in the Americas, and an unknown victim in Europe.

APT15 is also known as Flea, BackdoorDiplomacy, ke3chang, Nylon Typhoon, Playful Taurus, Royal APT, and Vixen Panda. It is an advanced persistent threat group that specializes in targeting governments and diplomatic missions.

More about the New `Graphican` Malware

Security specialists claim the new backdoor is an evolved version of Ketrican, an older APT15 malware.

Graphican can be used to collect a variety of data from compromised devices: hostname, local IP, Windows version, and system default language identifier. It also connects to the command-and-control (C2) server to fetch further commands to execute.

The list of commands that Graphican can receive from its C2 and execute includes:

  • creating an interactive command line
  • creating a file on the remote computer
  • exfiltrating data from the remote computer to the C2 server
  • creating a new PowerShell process with a hidden window

However, unlike Ketrican, Graphican abuses Microsoft’s Graph API platform and OneDrive features to obtain its C2 infrastructure, instead of using a hardcoded C2 server.

This makes the malware harder to detect on the victim’s network. Because it only connects to Microsoft domains, it can easily evade traffic monitoring.

Graphican is equipped to poll the C2 server for new commands to run, including creating an interactive command line that can be controlled from the server, downloading files to the host, and setting up covert processes to harvest data of interest.
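Because the backdoor hides its C2 inside legitimate Microsoft Graph and OneDrive traffic, a destination-based blocklist will not catch it; what stands out is an unexpected process polling those domains at a fixed interval. The hunting heuristic below is an added example, not code from the article or from the researchers who analysed Graphican: the log format, the sample log lines, the domain set and the process allowlist are all assumptions.

```python
"""Hunt for Graph API / OneDrive polling from unexpected processes.

Assumed log format (one event per line, constructed for this example):
<ISO timestamp> <host> <process image> <destination hostname>
"""
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

# Domains a Graph/OneDrive-based C2 channel would talk to (assumed set).
GRAPH_DOMAINS = {"graph.microsoft.com", "login.microsoftonline.com", "onedrive.live.com"}
# Processes expected to use these services in this environment (assumed).
EXPECTED_CLIENTS = {"onedrive.exe", "outlook.exe", "teams.exe", "msedge.exe", "svchost.exe"}

# Constructed sample: updater.exe polls Graph every 60 s, like a backdoor
# checking for new commands; curl.exe appears once and is not conclusive.
SAMPLE_LOG = """\
2023-06-01T09:00:00 WS01 onedrive.exe graph.microsoft.com
2023-06-01T09:00:05 WS01 updater.exe graph.microsoft.com
2023-06-01T09:01:05 WS01 updater.exe graph.microsoft.com
2023-06-01T09:02:05 WS01 updater.exe graph.microsoft.com
2023-06-01T09:03:05 WS01 updater.exe graph.microsoft.com
2023-06-01T09:04:00 WS02 outlook.exe login.microsoftonline.com
2023-06-01T09:05:00 WS02 svchost.exe graph.microsoft.com
2023-06-01T09:06:00 WS02 curl.exe graph.microsoft.com
"""

def parse(log: str):
    """Yield (timestamp, host, process, destination) for each non-empty line."""
    for line in log.splitlines():
        if line.strip():
            ts, host, proc, dst = line.split()
            yield datetime.fromisoformat(ts), host, proc.lower(), dst.lower()

def find_suspects(log: str, min_hits: int = 3, max_jitter_s: float = 5.0):
    """Return {(host, process): hit_count} for processes outside the allowlist
    that contact Graph/OneDrive domains at a near-constant interval."""
    stamps_by_key = defaultdict(list)
    for ts, host, proc, dst in parse(log):
        if dst in GRAPH_DOMAINS and proc not in EXPECTED_CLIENTS:
            stamps_by_key[(host, proc)].append(ts)
    suspects = {}
    for key, stamps in stamps_by_key.items():
        if len(stamps) < min_hits:
            continue  # too few events to judge regularity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if pstdev(gaps) <= max_jitter_s:  # low spread between polls = beacon-like
            suspects[key] = len(stamps)
    return suspects

if __name__ == "__main__":
    print(find_suspects(SAMPLE_LOG))  # {('WS01', 'updater.exe'): 4}
```

A process-name allowlist is only a first filter, since a backdoor can run under any name; pair the hit with signer and image-path checks from EDR telemetry before escalating.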


Author Profile

Livia Gyongyoși

Communications and PR Officer

Livia Gyongyoși is a Communications and PR Officer within Heimdal®, passionate about cybersecurity. Always interested in being up to date with the latest news regarding this domain, Livia's goal is to keep others informed about best practices and solutions that help avoid cyberattacks.
