A Chinese state-sponsored hacking group, commonly known as APT15 and also tracked as Nickel, Flea, Ke3Chang and Vixen Panda, has been observed conducting a new campaign that uses a previously undocumented backdoor called "Graphican" between late 2022 and early 2023.
With a history dating back to at least 2004, APT15 has gained notoriety for targeting significant public and private organizations worldwide. Over the years it has deployed a range of malware implants and custom backdoors, including RoyalCLI, RoyalDNS, Okrum and Ketrum, as well as the Android spyware SilkBean and Moonshine. Symantec's Threat Hunter Team, part of Broadcom, now reports that APT15's latest campaign is focused on foreign affairs ministries in Central and South American countries, underscoring the group's continued interest in sensitive government entities.
Symantec's analysis indicates that Graphican is not an entirely new creation but an evolution of Ketrican, a backdoor APT15 has used before. What sets Graphican apart is its use of the Microsoft Graph API and OneDrive to obtain its command-and-control (C&C) server address: the address is stored in encrypted form as the name of a folder in an attacker-controlled OneDrive account, so the operators can point the implant at new infrastructure simply by renaming the folder, and the malware's first outbound connections go to legitimate Microsoft cloud endpoints rather than to attacker-owned servers. This gives the implant flexibility, resistance to the takedown of any single C&C server, and a degree of cover in network telemetry, since the initial traffic blends in with ordinary Microsoft 365 activity.
On an infected device, Graphican carries out the following steps:
Disables the Internet Explorer 10 first-run wizard and welcome page by modifying registry keys.
Checks whether the iexplore.exe process is running.
Creates a global IWebBrowser2 COM object (Internet Explorer's browser-automation interface) and uses it for internet access.
Authenticates to the Microsoft Graph API to obtain a valid access token and refresh token.
Uses the Graph API to enumerate the child files and folders of the "Person" folder on OneDrive.
Decrypts the name of the first folder and uses it as the C&C server address.
Generates a unique Bot ID from the host name, local IP address, Windows version, default language identifier and process bitness (32- or 64-bit).
Registers the bot with the C&C server using a fixed format string that carries the collected victim data.
Polls the C&C server at regular intervals for new commands to execute.
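Two of the steps above leave traces that a defender can hunt for: the registry change that suppresses the Internet Explorer first-run experience, and a OneDrive folder listing through the Graph API issued by a process that is not a normal Microsoft 365 client (here, iexplore.exe, which the IWebBrowser2 object drives). The script below is an added example written for this alert; it is not code from Symantec, Bleeping Computer or the Guyana National CIRT, and it runs over constructed Sysmon-style events rather than real logs. The allow-list of expected Graph clients and the registry value names are assumptions to be tuned for a given estate, not indicators published by Symantec.

```python
"""Hunt for Graphican-style behaviour in endpoint telemetry (added example).

Flags two observables from the steps listed above:
  1. a process outside an allow-list of Microsoft 365 clients calling the
     Microsoft Graph OneDrive "children" listing endpoint;
  2. a registry write to one of the values that suppress the Internet
     Explorer first-run wizard / welcome page.
The allow-list and value names are assumptions, not published indicators.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

GRAPH_HOSTS = {"graph.microsoft.com"}

# OneDrive folder listing, e.g. /v1.0/me/drive/root:/Person:/children
DRIVE_CHILDREN = re.compile(r"^/v\d+\.\d+/(me|users/[^/]+)/drive/.*children/?$", re.I)

# Assumed allow-list: processes expected to talk to Graph in a typical estate.
EXPECTED_GRAPH_CLIENTS = {"onedrive.exe", "outlook.exe", "teams.exe", "ms-teams.exe", "msedge.exe"}

# Assumed value names under ...\Internet Explorer\Main that hide the first-run experience.
IE_FIRST_RUN_VALUES = {"disablefirstruncustomize", "runoncehasshown", "runoncecomplete"}

# Constructed sample telemetry (not real logs): WS01 shows both behaviours, WS02 neither.
SAMPLE_EVENTS = [
    {"host": "WS01", "type": "network", "image": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe",
     "url": "https://graph.microsoft.com/v1.0/me/drive/root/children"},
    {"host": "WS01", "type": "registry", "image": r"C:\Users\alice\AppData\Roaming\svc.exe",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Internet Explorer\Main\RunOnceHasShown", "value": "1"},
    {"host": "WS01", "type": "network", "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "url": "https://graph.microsoft.com/v1.0/me/drive/root:/Person:/children"},
    {"host": "WS02", "type": "network", "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "url": "https://www.microsoft.com/"},
    {"host": "WS02", "type": "registry", "image": r"C:\Windows\explorer.exe",
     "target": r"HKU\S-1-5-21-2\Software\Microsoft\Windows\CurrentVersion\Run\Updater", "value": "x"},
]


def process_name(image):
    """Basename of an image path, lower-cased, accepting either separator."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_network(event):
    """Finding for a Graph drive listing from an unexpected process, else None."""
    url = urlparse(event["url"])
    if url.hostname not in GRAPH_HOSTS or not DRIVE_CHILDREN.match(url.path):
        return None
    proc = process_name(event["image"])
    if proc in EXPECTED_GRAPH_CLIENTS:
        return None
    return ("graph-drive-listing", f"{proc} listed OneDrive children at {url.path}")


def check_registry(event):
    """Finding for a write that suppresses the IE first-run wizard, else None."""
    target = event["target"].lower()
    value_name = target.rsplit("\\", 1)[-1]
    if "\\internet explorer\\main\\" not in target or value_name not in IE_FIRST_RUN_VALUES:
        return None
    return ("ie-firstrun-suppressed", f"{process_name(event['image'])} set {value_name}={event['value']}")


CHECKS = {"network": check_network, "registry": check_registry}


def hunt(events):
    """Run every applicable check; return a list of (host, kind, detail) findings."""
    findings = []
    for event in events:
        check = CHECKS.get(event["type"])
        result = check(event) if check else None
        if result:
            findings.append((event["host"], *result))
    return findings


def hosts_with_both_behaviours(findings):
    """Hosts where the registry tamper and the Graph listing co-occur: the stronger signal."""
    kinds = defaultdict(set)
    for host, kind, _ in findings:
        kinds[host].add(kind)
    wanted = {"graph-drive-listing", "ie-firstrun-suppressed"}
    return sorted(host for host, seen in kinds.items() if wanted <= seen)


if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for host, kind, detail in found:
        print(f"[{kind}] {host}: {detail}")
    print("escalate:", hosts_with_both_behaviours(found))
```

Either finding on its own is only a lead (a retired browser calling Graph is unusual but not proof of compromise), so the script escalates only hosts where both behaviours appear together. In a real deployment the events would come from Sysmon event IDs 3 and 13 or an EDR export, and the allow-list should be built from the estate's own baseline of Graph clients.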
Once the bot has registered with the C&C server, the operators can issue commands to the infected device, including launching programs and delivering new files. The complete set of commands that the C&C server can send to Graphican is as follows:
“C”: Creates an interactive command line controlled from the C&C server.
"U": Creates a file on the infected computer (upload from the C&C server).
"D": Sends a file from the infected computer to the C&C server (exfiltration).
“N”: Creates a new process with a hidden window.
“P”: Creates a new PowerShell process with a hidden window, saves the results in a temporary file in the TEMP folder, and sends the results to the C&C server.
Additionally, Symantec researchers have identified several other tools employed by APT15 in their latest campaign, including:
EWSTEW: A custom APT15 backdoor for extracting emails from infected Microsoft Exchange servers.
Mimikatz, Pypykatz, Safetykatz: Publicly available credential-dumping tools that abuse Windows single sign-on internals to extract credentials from LSASS memory.
Lazagne: An open-source tool capable of retrieving passwords from multiple applications.
Quarks PwDump: A tool that dumps various types of Windows credentials, documented since 2013.
SharpSecDump: A .NET port of Impacket's secretsdump.py, used to dump SAM and LSA secrets from remote hosts.
K8Tools: A toolset featuring privilege escalation, password cracking, scanning, vulnerability utilization, and system exploits.
EHole: Used for identifying vulnerable systems.
Web shells: AntSword, Behinder, China Chopper, Godzilla, providing backdoor access to compromised systems.
CVE-2020-1472 exploit: Exploitation of the Netlogon Remote Protocol elevation-of-privilege vulnerability (Zerologon), which allows an unauthenticated attacker to take over a domain controller.
In conclusion, APT15's recent activity and the reappearance of its custom backdoor highlight the persistent threat this Chinese hacking group poses to organizations worldwide. Its continued refinement of tooling and its efforts to improve operational stealth call for heightened vigilance and stronger security controls.
Phishing email is one of the group's primary means of initial access: victims are lured into opening malicious attachments or clicking malicious links. APT15 is also known to scan for and exploit vulnerable internet-exposed endpoints, including VPN appliances, and to use them as an entry point into networks and systems.
It is strongly recommended not to download and install any kind of software from unknown sources as it poses a greater risk of installing malware.
It is advisable to install the latest updates and patches including operating system and other software application updates as they provide critical security features.
Do not click or open any attachments in emails or text messages from unknown senders.
Install reputable anti-malware software from trusted sources such as Kaspersky and run scheduled scans to keep your device malware-free.
The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.
Toulas, B. (2023, June 21). Chinese APT15 hackers resurface with new Graphican malware. Bleeping Computer. Retrieved from:
Brooks, R. (2019, June 12). How to Prevent Malware Attacks: 10 Security TIPS. Netwrix. Retrieved from: