China-sponsored APT group Flea ran a malware campaign against ministries of foreign affairs in North and South America using a new backdoor dubbed Graphican, according to the Symantec Threat Hunter Team.

An advanced persistent threat (APT) group named Flea has been carrying out attacks against foreign affairs ministries in North and South America using a new backdoor called Graphican, according to a report by the Symantec Threat Hunter Team. The campaign ran from late 2022 into early 2023. It also targeted a government finance department in a country in the Americas and a corporation that sells products in Central and South America. There was also one victim based in a European country, according to the report.

Flea, also known as APT15 and Nickel, is widely believed to be a China-sponsored APT group and has a track record of homing in on government targets, diplomatic missions, and embassies, likely for intelligence-gathering purposes, according to the Symantec report.

Graphican evolved from the Flea backdoor Ketrican, which was itself based on an earlier malware, BS2005. The similarities in functionality between Graphican and Ketrican indicate that the group is not very concerned about having its activity attributed to it, Symantec said.

"Graphican has the same basic functionality as Ketrican, with the difference between them being Graphican's use of the Microsoft Graph API and OneDrive to obtain its command-and-control (C&C) infrastructure," Symantec said in the report.

The samples of Graphican analyzed by Symantec revealed that the backdoor did not have a hard-coded command-and-control server. Instead, it connected to OneDrive via the Microsoft Graph API and retrieved the encrypted C&C server address from a child folder inside the Person folder. The backdoor then decoded the folder name and used the result as its C&C server address.
"All instances of this variant used the same parameters to authenticate to the Microsoft Graph API," Symantec said, adding that the researchers therefore assume all instances share the same C&C server, which can be changed dynamically by the threat actors.

Technique previously used by Russian APT

Graphican can open an interactive command line that is controlled from the server, download files to the host, and set up covert processes to harvest data of interest. The technique of using the Microsoft Graph API and OneDrive to obtain C&C infrastructure was used earlier by the Russian state-sponsored APT group Swallowtail in a 2022 campaign to deliver the Graphite malware.

"Once a technique is used by one threat actor, we often see other groups follow suit, so it will be interesting to see if this technique is something we see being adopted more widely by other APT groups and cybercriminals," Symantec said in its report.

Flea has been in operation since at least 2004. Initially, it used email as its initial infection vector, but there have also been reports of it exploiting public-facing applications, as well as using VPNs, to gain initial access to victim networks. "The goal of the group does seem to be to gain persistent access to the networks of victims of interest for the purposes of intelligence gathering," Symantec said.

In January, Flea compromised the networks of four Iranian government organizations, including Iran's Ministry of Foreign Affairs, using a new version of the Turian malware. Flea targeted the Syrian Ministry of Foreign Affairs in 2012 and the US Department of State in 2013. In December 2021, Microsoft seized 42 domains in the US used by the group for its attacks targeting 29 countries.

"The use of a new backdoor by Flea shows that this group, despite its long years of operation, continues to actively develop new tools," Symantec said.
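The two technical points above, a backdoor that resolves its C&C address from a OneDrive folder name fetched through the Microsoft Graph API, and the observation that every Graphican sample authenticated to that API with the same parameters, can be made concrete with a small model. The following is an added example, not code from the article, from Symantec or from the malware itself: it parses a constructed Graph API children listing the way such a dead-drop resolver would, and then runs a hunting heuristic over constructed proxy log lines that looks for an unexpected OAuth client ID requesting tokens from several hosts. The base64 encoding of the folder name, the log format, the `Person` folder path and every client ID are assumptions chosen for illustration; Graphican's real encoding is not described on this page.

```python
"""Added example (not from the article or the Symantec report): a minimal
model of the dead-drop resolver pattern described above, where a backdoor
derives its C&C address from a OneDrive folder name fetched via the Microsoft
Graph API, plus a hunting heuristic built on the observation that every
Graphican sample authenticated to the Graph API with the same parameters.
The JSON layout mirrors a Graph driveItem children listing; the base64
encoding of the folder name, the log format and all client IDs are assumptions."""
import base64
import binascii
import json
import re
from collections import defaultdict
from typing import Dict, Optional, Set

# Constructed stand-in for the response to
# GET /me/drive/root:/Person:/children (real Graphican encoding is not shown
# on this page; base64 of "host:port" is an assumption for illustration).
GRAPH_RESPONSE = json.dumps({
    "value": [
        {"name": "notes.txt", "file": {"mimeType": "text/plain"}},
        {"name": base64.b64encode(b"203.0.113.10:443").decode("ascii"),
         "folder": {"childCount": 0}},
    ]
})

C2_PATTERN = re.compile(r"[A-Za-z0-9.\-]+:\d{1,5}")


def resolve_c2(graph_json: str) -> Optional[str]:
    """Return the first child folder whose decoded name looks like host:port.

    Files are ignored: the resolver only trusts folder names, which is the
    channel the operators control simply by renaming a folder in the drive.
    """
    for item in json.loads(graph_json).get("value", []):
        if "folder" not in item:
            continue
        try:
            decoded = base64.b64decode(item["name"], validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue  # ordinary folder name, not an encoded C&C address
        if C2_PATTERN.fullmatch(decoded):
            return decoded
    return None


# Constructed proxy log: timestamp, source host, destination, path, client_id
# ("-" where no client_id was observed). All IDs are placeholders.
PROXY_LOG = """\
2023-01-10T09:00:01Z 10.0.0.5 login.microsoftonline.com /common/oauth2/v2.0/token aaaaaaaa-0000-0000-0000-000000000001
2023-01-10T09:00:07Z 10.0.0.5 login.microsoftonline.com /common/oauth2/v2.0/token bbbbbbbb-0000-0000-0000-000000000002
2023-01-10T09:01:12Z 10.0.0.9 login.microsoftonline.com /common/oauth2/v2.0/token bbbbbbbb-0000-0000-0000-000000000002
2023-01-10T09:03:40Z 10.0.0.17 login.microsoftonline.com /common/oauth2/v2.0/token bbbbbbbb-0000-0000-0000-000000000002
2023-01-10T09:04:02Z 10.0.0.17 graph.microsoft.com /v1.0/me/drive/root:/Person:/children -
"""

# Hypothetical allowlist of app registrations the organisation expects to see.
KNOWN_APP_IDS = {"aaaaaaaa-0000-0000-0000-000000000001"}


def suspicious_client_ids(log: str, known: Set[str],
                          min_hosts: int = 2) -> Dict[str, Set[str]]:
    """Flag OAuth client IDs, absent from the allowlist, that request tokens
    from several hosts: one unexpected app registration shared fleet-wide is
    the footprint of hard-coded Graph API credentials in a malware family."""
    hosts_by_client: Dict[str, Set[str]] = defaultdict(set)
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        _ts, src, dst, path, client_id = parts
        if (dst == "login.microsoftonline.com"
                and path.endswith("/oauth2/v2.0/token")
                and client_id != "-"):
            hosts_by_client[client_id].add(src)
    return {cid: hosts for cid, hosts in hosts_by_client.items()
            if cid not in known and len(hosts) >= min_hosts}


if __name__ == "__main__":
    print("resolved C&C:", resolve_c2(GRAPH_RESPONSE))
    for cid, hosts in suspicious_client_ids(PROXY_LOG, KNOWN_APP_IDS).items():
        print(f"client_id {cid} requested tokens from {sorted(hosts)}")
```

Two caveats apply to the heuristic. Microsoft's own first-party applications also present one client ID from every workstation, so the allowlist of expected app registrations is what makes the result meaningful rather than noisy. Traffic to graph.microsoft.com itself is benign in almost any organisation that uses Microsoft 365, so the shared, unrecognised client ID is a hunting lead to pivot on (which process requested the token, what drive paths it listed) rather than an alert on its own.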