Foreign affairs ministries in the Americas have been targeted by a Chinese state-sponsored actor named Flea as part of a recent campaign that spanned from late 2022 to early 2023.
The cyber attacks, per Broadcom’s Symantec, involved a new backdoor codenamed Graphican. Some of the other targets included a government finance department and a corporation that markets products in the Americas, as well as one unspecified victim in a European country.
“Flea used a large number of tools in this campaign,” the company said in a report shared with The Hacker News, describing the threat actor as “large and well-resourced.” “As well as the new Graphican backdoor, the attackers leveraged a variety of living-off-the-land tools, as well as tools that have been previously linked to Flea.”
Flea, also called APT15, BackdoorDiplomacy, ke3chang, Nylon Typhoon (formerly Nickel), Playful Taurus, Royal APT, and Vixen Panda, is an advanced persistent threat group that has been known to strike governments, diplomatic missions, and embassies since at least 2004.
Earlier this January, the group was identified as being behind a series of attacks targeting Iranian government entities between July and late December 2022.
Then last month, it emerged that the Kenyan government had been singled out in a far-reaching three-year-long intelligence-gathering operation aimed at key ministries and state institutions in the country.
The nation-state crew has also been implicated in multiple Android surveillance campaigns – SilkBean and BadBazaar – targeting Uyghurs in the People’s Republic of China and abroad, as detailed by Lookout in July 2020 and November 2022, respectively.
Graphican is said to be an evolution of a known Flea backdoor called Ketrican, features from which have since been merged with another implant known as Okrum to spawn a new malware dubbed Ketrum.
The backdoor, despite having the same functionality, stands apart from Ketrican in its use of the Microsoft Graph API and OneDrive to obtain the details of its command-and-control (C&C) server.
“The observed Graphican samples did not have a hardcoded C&C server, rather they connected to OneDrive via the Microsoft Graph API to get the encrypted C&C server address from a child folder inside the ‘Person’ folder,” Symantec said.
“The malware then decoded the folder name and used it as a C&C server for the malware.”
It’s worth pointing out that the abuse of Microsoft Graph API and OneDrive has been previously observed in the case of both Russian and Chinese threat actors like APT28 (aka Sofacy or Swallowtail) and Bad Magic (aka Red Stinger).
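A defender's view of the lookup pattern described above, as an added example that is not from Symantec's report or the original article: the Python below flags a process outside an expected-client list that calls graph.microsoft.com and then, within a short window, contacts a destination missing from the baseline. The event format, allowlist, baseline, five-minute window, and all sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

GRAPH_HOST = "graph.microsoft.com"
# Assumption: process names this environment expects to call Microsoft Graph.
# Names alone can be spoofed; match full path and signer in real telemetry.
EXPECTED_GRAPH_CLIENTS = {"onedrive.exe", "outlook.exe", "teams.exe", "msedge.exe"}
# Assumption: destinations already baselined as normal for this environment.
KNOWN_DESTINATIONS = {GRAPH_HOST, "onedrive.live.com", "login.microsoftonline.com"}
WINDOW = timedelta(minutes=5)  # assumed correlation window

# Constructed sample events: (ISO time, host, process image, destination).
EVENTS = [
    ("2023-01-10T09:00:01", "ws-01", r"C:\Program Files\Microsoft OneDrive\OneDrive.exe", GRAPH_HOST),
    ("2023-01-10T09:00:05", "ws-01", r"C:\Program Files\Microsoft OneDrive\OneDrive.exe", "203.0.113.10"),
    ("2023-01-10T09:14:30", "ws-02", r"C:\Users\Public\svc_update.exe", GRAPH_HOST),
    ("2023-01-10T09:14:41", "ws-02", r"C:\Users\Public\svc_update.exe", "203.0.113.57"),
    ("2023-01-10T09:20:00", "ws-03", r"C:\Windows\System32\svchost.exe", "198.51.100.9"),
    ("2023-01-10T10:00:00", "ws-04", r"C:\Tools\report_sync.exe", GRAPH_HOST),
    ("2023-01-10T10:30:00", "ws-04", r"C:\Tools\report_sync.exe", "198.51.100.77"),
]

def find_graph_resolver_candidates(events):
    """Return (host, image, destination) for each unexpected Graph client that
    reaches an unbaselined destination within WINDOW of its Graph call."""
    pending = {}   # (host, image) -> time of the latest unexpected Graph call
    findings = []
    for ts, host, image, dest in sorted(events):  # ISO timestamps sort chronologically
        when = datetime.fromisoformat(ts)
        key = (host, image.lower())
        name = image.lower().rsplit("\\", 1)[-1]
        if dest == GRAPH_HOST:
            if name not in EXPECTED_GRAPH_CLIENTS:
                pending[key] = when
        elif key in pending and dest not in KNOWN_DESTINATIONS:
            if when - pending[key] <= WINDOW:
                findings.append((host, image, dest))
            del pending[key]  # one verdict per Graph lookup
    return findings

if __name__ == "__main__":
    for host, image, dest in find_graph_resolver_candidates(EVENTS):
        print(f"{host}: {image} called Graph, then contacted {dest}")
```

Because the C&C address is fetched from a legitimate Microsoft service, the Graph call alone is not suspicious; the signal is the pairing of an unexpected client with a follow-on connection to an unfamiliar destination.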
Graphican is equipped to poll the C&C server for new commands to run, including creating an interactive command line that can be controlled from the server, downloading files to the host, and setting up covert processes to harvest data of interest.
One of the other noteworthy tools used in the activity is an updated version of the EWSTEW backdoor, used to extract sent and received emails on breached Microsoft Exchange servers.
“The use of a new backdoor by Flea shows that this group, despite its long years of operation, continues to actively develop new tools,” Symantec said. “The group has developed multiple custom tools over the years.”
“The similarities in functionality between Graphican and the known Ketrican backdoor may indicate that the group is not very concerned about having activity attributed to it.”