Chinese Hacker Group ‘Flea’ Targets American Ministries with Graphican Backdoor

Jun 21, 2023 | Ravie Lakshmanan | Cyber Threat / APT

Foreign affairs ministries in the Americas have been targeted by a Chinese state-sponsored actor named Flea as part of a recent campaign that spanned from late 2022 to early 2023.

The cyber attacks, per Broadcom’s Symantec, involved a new backdoor codenamed Graphican. Other targets included a government finance department, a corporation that markets products in the Americas, and one unspecified victim in a European country.

“Flea used a large number of tools in this campaign,” the company said in a report shared with The Hacker News, describing the threat actor as “large and well-resourced.” “As well as the new Graphican backdoor, the attackers leveraged a variety of living-off-the-land tools, as well as tools that have been previously linked to Flea.”

Flea, also called APT15, BackdoorDiplomacy, ke3chang, Nylon Typhoon (formerly Nickel), Playful Taurus, Royal APT, and Vixen Panda, is an advanced persistent threat group that’s known to strike governments, diplomatic missions, and embassies since at least 2004.

Earlier this January, the group was attributed as behind a series of attacks targeting Iranian government entities between July and late December 2022.

Then last month, it emerged that the Kenyan government had been singled out in a far-reaching three-year-long intelligence-gathering operation aimed at key ministries and state institutions in the country.

The nation-state crew has also been implicated in multiple Android surveillance campaigns – SilkBean and BadBazaar – targeting Uyghurs in the People’s Republic of China and abroad, as detailed by Lookout in July 2020 and November 2022, respectively.

Graphican is said to be an evolution of a known Flea backdoor called Ketrican, features from which have since been merged with another implant known as Okrum to spawn a new malware dubbed Ketrum.

The backdoor, despite having the same functionality, stands apart from Ketrican in making use of the Microsoft Graph API and OneDrive to obtain the details of its command-and-control (C&C) server.

“The observed Graphican samples did not have a hardcoded C&C server, rather they connected to OneDrive via the Microsoft Graph API to get the encrypted C&C server address from a child folder inside the ‘Person’ folder,” Symantec said.

“The malware then decoded the folder name and used it as a C&C server for the malware.”
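A defender-side heuristic for the dead-drop lookup just described, added here as an example that is not from Symantec’s report: it scans constructed proxy log lines (hypothetical line format, host names, process allowlist and sample URLs are all assumptions) for OneDrive folder enumeration through the Graph API by processes that normally have no reason to perform it.

```python
import re
from urllib.parse import urlsplit

# Constructed sample proxy log lines (hypothetical format: timestamp host process method url).
SAMPLE_LOG = """\
2023-06-21T10:02:11Z host-17 OUTLOOK.EXE GET https://graph.microsoft.com/v1.0/me/drive/root:/Documents:/children
2023-06-21T10:05:43Z host-17 svchost.exe GET https://graph.microsoft.com/v1.0/me/drive/root:/Person:/children
2023-06-21T10:05:44Z host-17 svchost.exe GET https://graph.microsoft.com/v1.0/me/drive/items/01ABCDEF/children
2023-06-21T10:07:02Z host-22 chrome.exe GET https://www.example.com/index.html
2023-06-21T10:09:30Z host-22 updater.exe GET https://graph.microsoft.com/v1.0/me/drive/root/children
"""

# Processes that legitimately talk to Graph/OneDrive on a managed Windows host (assumed allowlist).
KNOWN_GRAPH_CLIENTS = {"onedrive.exe", "outlook.exe", "teams.exe", "excel.exe", "winword.exe"}

# Graph paths that enumerate the children of a OneDrive folder, i.e. the lookup Graphican
# performs to find the folder whose name encodes the C&C address.
DRIVE_CHILDREN_RE = re.compile(
    r"^/v1\.0/(?:me|users/[^/]+)/drive/(?:root|items/[^/]+)(?::/.*?:)?/children$"
)


def parse_line(line):
    """Split one constructed log line into its fields."""
    ts, host, proc, method, url = line.split(maxsplit=4)
    return {"ts": ts, "host": host, "proc": proc, "method": method, "url": url}


def is_graph_drive_listing(url):
    """True when the URL lists OneDrive folder contents via graph.microsoft.com."""
    u = urlsplit(url)
    return u.netloc.lower() == "graph.microsoft.com" and bool(DRIVE_CHILDREN_RE.match(u.path))


def find_dead_drop_candidates(log_text):
    """Return records where a process outside the allowlist enumerates OneDrive folders."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if is_graph_drive_listing(rec["url"]) and rec["proc"].lower() not in KNOWN_GRAPH_CLIENTS:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in find_dead_drop_candidates(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["host"]} {hit["proc"]} -> {hit["url"]}')
```

Repeated folder listings from the same unexpected process within seconds, as in the two svchost.exe lines, are the pattern worth escalating; a single hit from an unknown updater still deserves a look at the binary behind it.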

It’s worth pointing out that the abuse of Microsoft Graph API and OneDrive has been previously observed in the case of both Russian and Chinese threat actors like APT28 (aka Sofacy or Swallowtail) and Bad Magic (aka Red Stinger).

Graphican is equipped to poll the C&C server for new commands to run, including creating an interactive command line that can be controlled from the server, downloading files to the host, and setting up covert processes to harvest data of interest.

Another noteworthy tool used in the activity is an updated version of the EWSTEW backdoor, which extracts sent and received emails from breached Microsoft Exchange servers.

“The use of a new backdoor by Flea shows that this group, despite its long years of operation, continues to actively develop new tools,” Symantec said. “The group has developed multiple custom tools over the years.”

“The similarities in functionality between Graphican and the known Ketrican backdoor may indicate that the group is not very concerned about having activity attributed to it.”
