2023-07-06

APT15 Resumes Operations with New Malware

Level: Tactical

Category: Threat Actor Activity | Industry: Government | Source: Symantec

Threat activity from the Chinese espionage group APT15 (aka Flea, Nickel) has resumed, with a targeted campaign against foreign affairs ministries in the Western region attributed to the group. Researchers from Symantec's Threat Hunter Team report that APT15's latest campaign ran between late 2022 and the beginning of 2023. Government entities in the Americas were the primary targets, and sub-divisions such as financial units were also within the scope of APT15's attacks. "Flea has a track record of honing in on government targets, diplomatic missions, and embassies, likely for intelligence-gathering purposes," as reported by Symantec.

APT15 was observed using a wide range of tools, including a new backdoor named Graphican, multiple living-off-the-land tools, and other resources previously attributed to APT15. Symantec assesses Graphican to be an evolution of APT15's previous backdoor, Ketrican, retaining its core functionality. The key difference is that Graphican obtains its command-and-control (C2) infrastructure through the Microsoft Graph API and OneDrive. The Graphican samples reviewed by Symantec did not contain a hardcoded C2 server. Instead, Graphican connects to "OneDrive via the Microsoft Graph API to get the encrypted C&C server address from a child folder inside the 'Person' folder." Along with Graphican's remote command execution capabilities, other notable tools and techniques used by APT15 include Mimikatz, Pypykatz, Safetykatz, Lazagne, the China Chopper and Godzilla web shells, exploitation of ZeroLogon (CVE-2020-1472), and other open-source tools.
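A hunt that follows from the C2 discovery behaviour described above, as an added example (not from Symantec's report or Anvilogic's content): because the Graph API host is shared with legitimate Microsoft 365 clients, it flags endpoints where a process outside an expected set resolves `graph.microsoft.com`. The event shape (Sysmon Event ID 22 fields), the expected-process list, and every sample event are assumptions constructed for illustration.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# The Graph API host is also used by legitimate Microsoft 365 clients,
# so the calling process, not the destination, is the useful signal.
GRAPH_HOST = "graph.microsoft.com"

# Assumption: processes expected to call Graph here. Tune per environment.
# A basename match alone is defeated by a renamed binary, so pair this
# with signature or path checks in production.
EXPECTED_IMAGES = {"onedrive.exe", "ms-teams.exe", "outlook.exe", "msedge.exe"}

# Constructed sample events shaped like Sysmon Event ID 22 (DNS query).
SAMPLE_EVENTS = [
    {"UtcTime": "2023-07-06 09:00:01", "Computer": "WS-014",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "QueryName": "graph.microsoft.com"},
    {"UtcTime": "2023-07-06 09:12:40", "Computer": "WS-022",
     "Image": r"C:\Users\Public\example-unknown.exe",
     "QueryName": "GRAPH.MICROSOFT.COM."},
    {"UtcTime": "2023-07-06 09:42:41", "Computer": "WS-022",
     "Image": r"C:\Users\Public\example-unknown.exe",
     "QueryName": "graph.microsoft.com"},
    {"UtcTime": "2023-07-06 09:50:00", "Computer": "WS-022",
     "Image": r"C:\Users\Public\example-unknown.exe",
     "QueryName": "example.test"},
]

def hunt_unexpected_graph_callers(events, expected=EXPECTED_IMAGES):
    """Return Graph API lookups made by processes outside the expected set,
    grouped by (computer, image) with a count and first/last seen time."""
    hits = defaultdict(list)
    for ev in events:
        # Normalise case and a trailing root dot before comparing.
        query = ev.get("QueryName", "").rstrip(".").lower()
        if query != GRAPH_HOST:
            continue
        image = ev.get("Image", "")
        if PureWindowsPath(image).name.lower() in expected:
            continue
        hits[(ev.get("Computer", "?"), image)].append(ev.get("UtcTime", ""))
    return [{"computer": c, "image": i, "count": len(t),
             "first_seen": min(t), "last_seen": max(t)}
            for (c, i), t in sorted(hits.items())]

if __name__ == "__main__":
    for finding in hunt_unexpected_graph_callers(SAMPLE_EVENTS):
        print(finding)
```

Regular, evenly spaced lookups from a single unexpected image are worth triaging first, since the page describes the backdoor fetching its server address from OneDrive rather than carrying it in the binary.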


APT15 has been tracked as operating since 2004. In December 2021, Microsoft seized 42 domains used by the group, leading to a period of relative inactivity, although Lookout linked a campaign to APT15 in November 2022. Despite the takedown effort, APT15's recent actions demonstrate the group's resilience and ability to recover from setbacks. It has shown signs of resuming operations, targeting the same victimology previously associated with the group.
