Heimdal Security Blog

Chinese Hackers APT15 Use New Backdoor Malware to Target American Ministries


Researchers observed the state-sponsored threat group APT15 using a new backdoor dubbed `Graphican`. The Chinese hackers used the new malware in a campaign targeting foreign affairs ministries in the Americas between 2022 and 2023.

According to security researchers, among the other targets were a government finance department, a corporation that markets products in the Americas, and an unknown victim in Europe.

APT15 also goes by the names Flea, BackdoorDiplomacy, ke3chang, Nylon Typhoon, Playful Taurus, Royal APT, and Vixen Panda. It is an advanced persistent threat group that specializes in targeting governments and diplomatic missions.

More about the New `Graphican` Malware

Security specialists claim the new backdoor is an evolved version of Ketrican, an older APT15 malware.

Graphican can be used to collect a variety of data from compromised devices: hostname, local IP, Windows version, and system default language identifier. It also connects to its command-and-control (C2) server to fetch further commands to execute.

The list of commands that Graphican can receive from its C2 and execute includes:

However, unlike Ketrican, Graphican abuses Microsoft’s Graph API platform and OneDrive features to obtain its C2 infrastructure, instead of using a hardcoded C2 server.

This makes the malware harder to detect on the victim’s network. Because it only connects to Microsoft domains, it can easily evade traffic monitoring.

Graphican is equipped to poll the C&C server for new commands to run, including creating an interactive command line controlled from the server, downloading files to the host, and setting up covert processes to harvest data of interest.
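Because the backdoor hides its C2 polling inside traffic to legitimate Microsoft domains, a domain blocklist alone will not catch it. The following added example (not from the original article or from any published analysis of Graphican) shows one defender-side heuristic: over per-process proxy or EDR network logs, flag a host/process pair that contacts Graph API endpoints at a steady cadence from a process that is not on the environment's allow-list. The log lines, the process name `svchost-updater.exe`, the allow-list and the thresholds are all constructed assumptions.

```python
"""Beaconing heuristic for Graph API / OneDrive C2 (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed per-process network log: timestamp, host, process, destination, path.
# WS-17 runs a fake process polling the OneDrive listing every ~5 minutes;
# WS-03 is a real Outlook client using Graph at irregular intervals.
SAMPLE_LOG = """\
2023-03-01T10:00:00 WS-17 svchost-updater.exe graph.microsoft.com /v1.0/me/drive/root/children
2023-03-01T10:00:00 WS-03 OUTLOOK.EXE graph.microsoft.com /v1.0/me/messages
2023-03-01T10:05:01 WS-17 svchost-updater.exe graph.microsoft.com /v1.0/me/drive/root/children
2023-03-01T10:07:40 WS-03 OUTLOOK.EXE graph.microsoft.com /v1.0/me/mailFolders
2023-03-01T10:10:00 WS-17 svchost-updater.exe graph.microsoft.com /v1.0/me/drive/root/children
2023-03-01T10:15:00 WS-17 svchost-updater.exe graph.microsoft.com /v1.0/me/drive/root/children
2023-03-01T10:20:01 WS-17 svchost-updater.exe graph.microsoft.com /v1.0/me/drive/root/children
2023-03-01T10:31:12 WS-03 OUTLOOK.EXE graph.microsoft.com /v1.0/me/messages
"""

# Microsoft endpoints that a living-off-the-cloud C2 channel would use (assumed).
WATCHED_DESTINATIONS = {"graph.microsoft.com", "login.microsoftonline.com"}
# Processes that legitimately talk to Graph/OneDrive in this (assumed) environment.
EXPECTED_PROCESSES = {"OUTLOOK.EXE", "OneDrive.exe", "Teams.exe", "msedge.exe"}


def parse(log_text):
    """Turn the whitespace-separated log into (timestamp, host, process, dst, path) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, host, proc, dst, path = line.split()
        events.append((datetime.fromisoformat(ts), host, proc, dst, path))
    return events


def find_beacons(log_text, min_hits=4, max_cv=0.1):
    """Return (host, process, mean_gap_seconds) for pairs that poll watched Microsoft
    endpoints at an even cadence from a process not on the allow-list."""
    by_src = defaultdict(list)
    for ts, host, proc, dst, _ in parse(log_text):
        if dst in WATCHED_DESTINATIONS and proc not in EXPECTED_PROCESSES:
            by_src[(host, proc)].append(ts)
    flagged = []
    for (host, proc), stamps in by_src.items():
        stamps.sort()
        if len(stamps) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        # A coefficient of variation near zero means evenly spaced requests, i.e. polling.
        if pstdev(gaps) / mean(gaps) <= max_cv:
            flagged.append((host, proc, round(mean(gaps))))
    return flagged
```

The process column assumes endpoint telemetry (EDR or a host-based proxy agent); a network proxy that only sees TLS SNI cannot distinguish a backdoor from Outlook on the same host. Tune `min_hits` and `max_cv` against your own baseline, since some legitimate sync clients also poll on a fixed timer.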
