Chinese state-level threat actor APT15, also known as Flea, Nickel, Vixen Panda, KE3CHANG, Royal APT, and Playful Dragon, has been observed using novel malware to conduct espionage against foreign ministries in North and South America between late 2022 and early 2023. APT15 has a history of targeting government entities, diplomatic missions, and embassies, likely for intelligence-gathering purposes, according to a June 21 blog post by Symantec researchers. The group has also been known to target diplomatic organizations, government organizations, and NGOs. The latest campaign focused primarily on ministries of foreign affairs, but also included a government finance department and a corporation, all based in the Americas. Researchers noted that this region appears to have become more of a focus for the group recently.
To carry out its espionage, APT15 employed more than a dozen tools, both malicious and non-malicious. Among its arsenal were Mimikatz and two of its variants, four Web shells including AntSword and China Chopper, and CVE-2020-1472, the three-year-old but still CVSS 10.0 "Critical" privilege escalation vulnerability in the Windows Netlogon server process. The attackers' only unique tool was Graphican, a new variant of the group's older Trojan backdoor, used to run commands on and download files from victim machines. Avishai Avivi, CISO at SafeBreach, notes that "This backdoor has evolved some of its anti-detection mechanisms." However, he also points out that threat actors often reuse the same techniques, which allows companies to test their defenses proactively.
Graphican is an iteration of APT15's other Trojan backdoor, Ketrican, which itself evolved from their earlier model, BS2005. Graphican distinguishes itself by not using a typical, hardcoded command-and-control (C2) server. Instead, it employs Microsoft Graph, an API for Microsoft 365 services, to retrieve an encrypted server address from a OneDrive folder. Once the connection is established and the machine compromised, Graphican possesses the same basic functionalities as its predecessor, such as creating an attacker-controlled command line on the victim machine, creating new processes and files, and downloading files. Researchers speculate that "The similarities in functionality between Graphican and the known Ketrican backdoor may indicate that the group is not very concerned about having activity attributed to it." Avivi, however, sees it differently, stating that "The reality is that APT groups are really looking for efficiency." He explains that if a tool is proven effective for launching attacks or opening backdoors, threat actors will continue using it until it loses its efficacy or is stopped.
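Because Graphican hides its C2 lookup behind a legitimate Microsoft 365 API, one defensive angle is to watch which processes pull OneDrive content through Microsoft Graph. The following is an added illustration, not code from the Symantec report or from Graphican itself: a small Python detector that scans constructed proxy/EDR log lines and flags any process outside an assumed allowlist of Microsoft 365 clients that successfully reads OneDrive content via the Graph API. The log format, the allowlist, and every host, path and URL in the sample are assumptions made for the example.

```python
import re
from collections import defaultdict

# Assumed allowlist of binaries expected to use Microsoft Graph on a workstation.
EXPECTED_GRAPH_CLIENTS = {"onedrive.exe", "outlook.exe", "teams.exe", "msedge.exe"}
# Assumed log line shape (constructed for this example, not a real product schema):
#   <timestamp> <host> <process-path> <method> <url> <http-status>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+) (?P<method>[A-Z]+) "
    r"(?P<url>\S+) (?P<status>\d{3})$"
)

def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def is_graph_drive_request(url):
    """True when the URL reads OneDrive content through Graph (the drive surface sits under /drive/ or /drives/)."""
    return "graph.microsoft.com" in url and ("/drive/" in url or "/drives/" in url)

def find_suspicious_graph_use(lines):
    """Map host -> [(process, url)] for successful OneDrive reads via Graph
    made by a process that is not a known Microsoft 365 client."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if not rec or not is_graph_drive_request(rec["url"]):
            continue
        proc = rec["proc"].rsplit("\\", 1)[-1].lower()  # keep only the file name
        if proc not in EXPECTED_GRAPH_CLIENTS and rec["status"].startswith("2"):
            hits[rec["host"]].append((proc, rec["url"]))
    return dict(hits)

# Constructed sample telemetry; hosts, paths and URLs are illustrative only.
SAMPLE_LOG = [
    r"2023-01-10T08:01:02Z WS-12 C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe GET https://graph.microsoft.com/v1.0/me/drive/root/children 200",
    r"2023-01-10T08:03:40Z WS-12 C:\Users\alice\AppData\Local\Temp\update.exe GET https://graph.microsoft.com/v1.0/me/drive/root:/cfg/srv.dat:/content 200",
    r"2023-01-10T08:03:41Z WS-12 C:\Users\alice\AppData\Local\Temp\update.exe GET https://graph.microsoft.com/v1.0/me 200",
    r"2023-01-10T09:15:00Z WS-07 C:\Users\bob\Downloads\report.exe GET https://graph.microsoft.com/v1.0/drives/b!xyz/items/01ABC/content 401",
    r"2023-01-10T09:16:00Z WS-07 C:\Users\bob\Downloads\report.exe GET https://graph.microsoft.com/v1.0/drives/b!xyz/items/01ABC/content 200",
]

if __name__ == "__main__":
    for host, events in find_suspicious_graph_use(SAMPLE_LOG).items():
        for proc, url in events:
            print(f"{host}: {proc} read OneDrive content via Graph: {url}")
```

The allowlisted OneDrive client, the non-drive Graph call and the failed (401) read are all ignored; only the two successful reads by unexpected binaries are reported.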
Symantec reports that APT15 has been active for nearly two decades, with its most significant impact in recent years. In 2021, Microsoft's Digital Crimes Unit performed a coordinated seizure of its known infrastructure. However, this action was not enough to stop APT15, which returned a year later with a spyware campaign targeting Uyghur populations en masse. To defend against APT15, organizations may not want to focus solely on infection vectors, as the group has been known to use phishing emails, exploit public-facing applications, and use VPNs to gain initial access to victim networks. Avivi suggests that the consistency in APT15's malware can be beneficial to defenders, as validating security controls against known patterns and cycles can help companies better defend against these threat actors.