The foreign ministry in America has been targeted by a Chinese state-sponsored actor named Flea as part of a recent campaign running from late 2022 to early 2023.
The cyber attack, according to Broadcom’s Symantec, involved a new backdoor codenamed Graphican. Other targets include government finance departments and companies that market products in America and one unspecified victim in a European country.
“Flea uses many tools in this campaign,” the company said in a report shared with The Hacker News, describing the threat actor as “big and well-resourced.” “As well as the new Graphican backdoor, attackers leverage a variety of living-off-the-land tools, as well as tools previously associated with Flea.”
Flea, also called APT15, BackdoorDiplomacy, ke3chang, Nylon Typhoon (formerly Nickel), Playful Taurus, Royal APT, and Vixen Panda, is an advanced threat group known to attack governments, diplomatic missions, and embassies since at least 2004.
Earlier this January, the group was implicated as being behind a series of attacks targeting Iranian government entities between July and the end of December 2022.
Then last month, it was revealed that the Kenyan government had been singled out in a three-year intelligence-gathering operation aimed at key state ministries and agencies in the country.
The nation-state crew has also been involved in various Android surveillance campaigns – SilkBean and BadBazaar – targeting Uyghurs in the People’s Republic of China and overseas, as detailed by Lookout in July 2020 and November 2022, respectively.
Graphican, while functionally the same as the group's earlier Ketrican backdoor, differs from it in leveraging the Microsoft Graph API and OneDrive to obtain its command-and-control (C&C) server details rather than carrying them in the binary.
“The observed Graphican samples did not have a hardcoded C&C server, instead they connected to OneDrive via the Microsoft Graph API to get the encrypted C&C server address from a child folder inside the ‘Person’ folder,” said Symantec.
“The malware then decodes the folder name and uses it as a C&C server for the malware.”
It should be noted that Microsoft Graph API and OneDrive abuse has previously been observed in the cases of Russian and Chinese threat actors such as APT28 (aka Sofacy or Swallowtail) and Bad Magic (aka Red Stinger).
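Because the C&C address is not hardcoded, a domain blocklist built from the sample itself has nothing to match; the observable is instead a process that should not be talking to OneDrive listing the children of a folder through the Graph API. The script below is an added illustration of that detection idea and is not code from Symantec's report or from the malware. It assumes endpoint web telemetry that records the initiating process and the requested URL (the key=value log lines are constructed for the example), and the process allowlist is an assumption to be tuned per environment; only the "Person" folder name and the Graph/OneDrive listing behaviour come from the article.

```python
"""Flag non-allowlisted processes that enumerate OneDrive folders via Microsoft Graph.

Added detection sketch, not from the Symantec report. Log lines are constructed.
"""
import re
from dataclasses import dataclass
from urllib.parse import unquote, urlparse

GRAPH_HOST = "graph.microsoft.com"

# Processes expected to call Microsoft Graph / OneDrive on a workstation.
# Assumed allowlist for this example; tune it to real fleet telemetry.
ALLOWED_PROCS = {"onedrive.exe", "outlook.exe", "teams.exe", "msedge.exe",
                 "excel.exe", "winword.exe"}

# Graph drive calls that list a folder's children, with an optional
# path-addressed parent such as /root:/Person:/children.
CHILDREN_RE = re.compile(
    r"^/v1\.0/me/drive/(?:root|items/[^/]+)(?::/(?P<parent>[^:]+):)?/children/?$",
    re.IGNORECASE,
)

# key=value tokens of the constructed log format (values may be quoted).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample telemetry: one benign OneDrive listing, one suspicious
# listing of the "Person" folder by svchost.exe, a token request, a mail
# read by a browser, and an item-id listing by an unknown updater.
SAMPLE_LOG = [
    'ts=2023-02-14T10:01:22Z host=ws-17 proc=OneDrive.exe url=https://graph.microsoft.com/v1.0/me/drive/root:/Documents:/children status=200',
    'ts=2023-02-14T10:03:05Z host=ws-17 proc=svchost.exe url=https://graph.microsoft.com/v1.0/me/drive/root:/Person:/children status=200',
    'ts=2023-02-14T10:03:06Z host=ws-17 proc=svchost.exe url=https://login.microsoftonline.com/common/oauth2/v2.0/token status=200',
    'ts=2023-02-14T10:04:40Z host=ws-22 proc=msedge.exe url=https://graph.microsoft.com/v1.0/me/messages status=200',
    'ts=2023-02-14T10:05:11Z host=ws-22 proc=updater.exe url=https://graph.microsoft.com/v1.0/me/drive/items/01ABCDEF/children status=200',
]


@dataclass(frozen=True)
class Finding:
    timestamp: str
    host: str
    proc: str
    parent: str   # folder whose children were listed; "" when addressed by root/item id
    reason: str


def parse_line(line: str) -> dict:
    """Turn one key=value telemetry line into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def analyze(lines) -> list:
    """Return a Finding for every Graph folder listing by a non-allowlisted process."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        url = urlparse(rec.get("url", ""))
        if url.hostname != GRAPH_HOST:
            continue
        match = CHILDREN_RE.match(unquote(url.path))
        if not match:
            continue  # some other Graph call, not a folder enumeration
        proc = rec.get("proc", "").lower()
        if proc in ALLOWED_PROCS:
            continue
        findings.append(Finding(
            timestamp=rec.get("ts", ""),
            host=rec.get("host", ""),
            proc=proc,
            parent=match.group("parent") or "",
            reason="unexpected process enumerating a OneDrive folder via Microsoft Graph",
        ))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.timestamp} {f.host} {f.proc} parent={f.parent!r}: {f.reason}")
```

Running it against the constructed lines yields two findings: svchost.exe listing the "Person" folder and updater.exe listing a folder by item id; the OneDrive client's own listing and the browser's mail read are left alone. In practice the allowlist would be derived from baseline telemetry, and a hit is a pivot point for pulling the process's binary and its other network activity rather than a verdict on its own.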
Graphican is equipped to request new commands from the C&C server, including creating interactive command lines that can be controlled from the server, downloading files to the host, and setting up covert processes to harvest data of interest.
One of the other important tools used in this activity consists of an updated version of the EWSTEW backdoor to extract the emails sent and received on the breached Microsoft Exchange server.
“Flea’s use of the new backdoor demonstrates that the group, despite years of operation, continues to actively develop new tools,” said Symantec. “The group has developed several specialized tools over the years.”
“The similarities in functionality between Graphican and known Ketrican backdoors may indicate that the group cares little about the activities associated with it.”