21 June 2023

Flea APT’s latest campaign targets foreign affairs ministries with new Graphican backdoor

The Threat Hunter Team at Symantec, part of Broadcom, detailed a new campaign by a China-linked threat actor that targets foreign affairs ministries in Central and South American countries with a novel backdoor dubbed “Graphican.”

The threat actor, also tracked in the security community as APT15, Nickel, Ke3Chang and Vixen Panda, has been active since at least 2004, largely focusing on government targets, diplomatic missions and embassies worldwide, most likely for intelligence gathering.

The group has been observed using various malware implants and custom backdoors such as RoyalCLI and RoyalDNS, Okrum, Ketrum, and Android spyware named SilkBean and Moonshine.

In the latest campaign analyzed by Symantec, the threat actor used a large number of tools, including living-off-the-land utilities and the new Graphican backdoor, which Symantec assesses to be an evolution of the group's custom Ketrican backdoor.

Graphican has the same basic functionality as Ketrican but, unlike Ketrican, uses the Microsoft Graph API and OneDrive to look up its command-and-control (C&C) server address instead of carrying one hardcoded in the binary.

Once on the targeted machine, the malware disables the Internet Explorer 10 first-run wizard and welcome page via registry keys (which keeps the embedded browser control from displaying a visible dialog), creates a global IWebBrowser2 COM object to access the internet, and authenticates to the Microsoft Graph API to obtain a valid access token and a refresh_token, among other actions.

“The observed Graphican samples did not have a hardcoded C&C server, rather they connected to OneDrive via the Microsoft Graph API to get the encrypted C&C server address from a child folder inside the "Person" folder,” the researchers noted.
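Because Graphican bootstraps its C&C through graph.microsoft.com rather than a hardcoded server, a practical hunting angle is to look for processes that reach the Graph API or the Microsoft login endpoints but are not the Microsoft clients one expects to see doing so. The following Python script is an added example, not code from the article or from Symantec's report: it parses constructed EDR-style network events (the key=value line format, the allowlist of expected client binaries, the trusted directories and the sample events are all assumptions for illustration) and reports connections to those endpoints from unexpected binaries or from images running outside the normal installation directories.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Public Microsoft endpoints used for Graph API authentication and calls.
GRAPH_HOSTS = {
    "graph.microsoft.com",
    "login.microsoftonline.com",
    "login.live.com",
}

# Constructed allowlist (an assumption, tune it per environment): binaries that
# are expected to talk to Graph/OneDrive on a typical workstation.
EXPECTED_CLIENTS = {
    "onedrive.exe", "outlook.exe", "teams.exe", "msedge.exe", "chrome.exe",
    "firefox.exe", "iexplore.exe", "excel.exe", "winword.exe",
}

# Directories from which legitimate Microsoft clients normally run.
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


@dataclass
class NetEvent:
    ts: str
    host: str      # destination host name, lower-cased
    process: str   # image file name only, lower-cased, e.g. "onedrive.exe"
    image: str     # full image path, lower-cased
    user: str


# Constructed log format: key=value pairs, values optionally double-quoted.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line: str) -> NetEvent:
    """Parse one constructed network-connection record into a NetEvent."""
    fields = {m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
              for m in FIELD_RE.finditer(line)}
    image = fields["image"].lower()
    return NetEvent(
        ts=fields["ts"],
        host=fields["dst"].lower(),
        process=image.rsplit("\\", 1)[-1],
        image=image,
        user=fields["user"],
    )


def reasons(ev: NetEvent) -> List[str]:
    """Return why an event looks like Graph-API C&C bootstrapping (empty = benign)."""
    if ev.host not in GRAPH_HOSTS:
        return []
    out = []
    if ev.process not in EXPECTED_CLIENTS:
        out.append(f"unexpected process {ev.process} contacting {ev.host}")
    if not ev.image.startswith(TRUSTED_DIRS):
        out.append(f"image outside trusted directories: {ev.image}")
    return out


def hunt(lines: List[str]) -> List[Tuple[NetEvent, List[str]]]:
    """Return (event, reasons) pairs for every record that trips at least one check."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        why = reasons(ev)
        if why:
            hits.append((ev, why))
    return hits


# Constructed sample events: one legitimate OneDrive sync, two connections from a
# binary masquerading as svchost.exe under ProgramData, one unrelated host.
SAMPLE_LOG = [
    'ts=2023-06-01T09:12:03Z dst=graph.microsoft.com image="C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe" user=alice',
    'ts=2023-06-01T09:12:09Z dst=login.microsoftonline.com image="C:\\ProgramData\\svchost.exe" user=alice',
    'ts=2023-06-01T09:12:10Z dst=graph.microsoft.com image="C:\\ProgramData\\svchost.exe" user=alice',
    'ts=2023-06-01T09:13:44Z dst=update.example.net image="C:\\Users\\alice\\AppData\\Local\\Temp\\x.exe" user=alice',
]

if __name__ == "__main__":
    for ev, why in hunt(SAMPLE_LOG):
        print(f"{ev.ts} {ev.user} {ev.image} -> {ev.host}")
        for r in why:
            print(f"    {r}")
```

Two caveats apply. First, this only works when the network telemetry attributes the connection to the originating process; if the browser control is hosted out of process, the traffic may appear under iexplore.exe, so pairing this with process-creation lineage is worthwhile. Second, the allowlist is the weak point: a real deployment should key on signer and path, not file name alone, since the sample above deliberately uses a masqueraded name.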

Besides Graphican, the group used a variety of other tools: the EWSTEW backdoor; the Mimikatz credential-dumping tool and its variants Pypykatz and SafetyKatz; and the AntSword, Behinder, China Chopper and Godzilla web shells. Symantec also observed a range of open-source and publicly available programs used to retrieve stored passwords (LaZagne), dump various types of Windows credentials (Quarks PwDump), escalate privileges, crack passwords, scan networks, and exploit vulnerabilities (K8Tools).

The attackers also used an exploit for the Netlogon elevation-of-privilege vulnerability CVE-2020-1472.

“The use of a new backdoor by Flea shows that this group, despite its long years of operation, continues to actively develop new tools. The group has developed multiple custom tools over the years. The similarities in functionality between Graphican and the known Ketrican backdoor may indicate that the group is not very concerned about having activity attributed to it,” Symantec said.
