
Apurva Venkat
Special Correspondent

China-sponsored APT group targets government ministries in the Americas

Jun 22, 2023
Advanced Persistent Threats

China-sponsored APT group Flea ran a malware campaign against ministries of foreign affairs in North and South America using a new backdoor dubbed Graphican, according to the Symantec Threat Hunter Team.

An advanced persistent threat (APT) group named Flea has been carrying out attacks against foreign affairs ministries in North and South America using a new backdoor called Graphican, according to a report by the Symantec Threat Hunter Team.

The campaign ran from late 2022 into early 2023. It also targeted a government finance department in a country in the Americas and a corporation that sells products in Central and South America. There was also one victim based in a European country, according to the report.

Flea, also known as APT15 and Nickel, is widely believed to be a China-sponsored APT group and has a track record of homing in on government targets, diplomatic missions, and embassies, likely for intelligence-gathering purposes, according to the Symantec report.

Graphican evolved from the Flea backdoor Ketrican, which was based on a previous malware -- BS2005. The similarities in functionality between Graphican and Ketrican indicate that the group is not very concerned about having activity attributed to it, Symantec said.

"Graphican has the same basic functionality as Ketrican, with the difference between them being Graphican's use of the Microsoft Graph API and OneDrive to obtain its command-and-control (C&C) infrastructure," Symantec said in the report. 

The samples of Graphican analyzed by Symantec revealed that the backdoor did not have a hard-coded command-and-control server; rather, it connected to OneDrive via the Microsoft Graph API to retrieve the encrypted C&C server address from a child folder inside the Person folder. The backdoor then decoded the folder name and used the result as its C&C server address.

"All instances of this variant used the same parameters to authenticate to the Microsoft Graph API," Symantec said, adding that they assume they all have the same C&C, which can be dynamically changed by the threat actors.

Technique previously used by Russian APT

Graphican can create an interactive command line controlled from the server, download files to the host, and set up covert processes to harvest data of interest. The technique of retrieving C&C infrastructure through the Microsoft Graph API and OneDrive was used earlier by the Russian state-sponsored APT group Swallowtail in a 2022 campaign to deliver the Graphite malware.

"Once a technique is used by one threat actor, we often see other groups follow suit, so it will be interesting to see if this technique is something we see being adopted more widely by other APT groups and cybercriminals," Symantec said in its report. 

Flea has been in operation since at least 2004. Initially, it used email as the initial infection vector, but there have also been reports of it exploiting public-facing applications, as well as using VPNs, to gain initial access to victim networks. 

"The goal of the group does seem to be to gain persistent access to the networks of victims of interest for the purposes of intelligence gathering," Symantec said.

In January, Flea compromised the networks of four Iranian government organizations, including Iran's Ministry of Foreign Affairs, using a new version of the Turian malware. Flea also targeted the Syrian Ministry of Foreign Affairs in 2012 and the US Department of State in 2013.

In December 2021, Microsoft seized 42 domains in the US used by the group for its attacks targeting 29 countries. 

"The use of a new backdoor by Flea shows that this group, despite its long years of operation, continues to actively develop new tools," Symantec said. 

Apurva Venkat is principal correspondent for the India editions of CIO, CSO, and Computerworld. She has previously worked at ISMG, IDG India, Bangalore Mirror, and Business Standard, where she reported on developments in technology, businesses, startups, fintech, e-commerce, cybersecurity, civic news, and education.