The Chinese hacking group tracked as APT15 is running a new campaign that uses a backdoor named "Graphican". The campaign was active from late 2022 to early 2023.
Graphican backdoor
Symantec's researchers assess that Graphican is an evolved version of an older backdoor already used by the group rather than a new tool. Its notable feature is the use of the Microsoft Graph API and OneDrive to retrieve its command-and-control (C2) server addresses in encrypted form, which gives the operators flexibility and resilience against takedowns of the C2 infrastructure.
The full set of commands the C2 server can send to Graphican for execution is:
‘C’ — Establish an interactive command line controlled by the C&C server
‘U’ — Generate a file on the remote computer
‘D’ — Transfer a file from the remote computer to the C&C server
‘N’ — Initiate a new process with a concealed window
‘P’ — Launch a new PowerShell process with a hidden window, store the results in a temporary file in the TEMP folder, and transfer the results to the C&C server
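As an added example (not code from the Symantec report), the following hunting script looks for the two behaviours described above, the Graph API/OneDrive C2 lookup and the hidden-window PowerShell that writes its output to TEMP, over constructed Sysmon-style events. The process allow-list and the event records are assumptions for illustration and must be tuned to the monitored environment.

```python
"""Hunting helpers for the two Graphican behaviours described above.

Constructed Sysmon-style events (not real telemetry): EventID 3 = network
connection, EventID 1 = process creation. The allow-list is an assumption.
"""
import re
from typing import Iterable

# Host the Microsoft Graph API is served from (Graph also fronts OneDrive).
GRAPH_HOSTS = {"graph.microsoft.com"}
# Assumed legitimate Graph/OneDrive clients; tune per environment.
EXPECTED_GRAPH_CLIENTS = {
    r"c:\program files\microsoft onedrive\onedrive.exe",
    r"c:\program files\microsoft office\root\office16\outlook.exe",
    r"c:\program files\microsoft\teams\current\teams.exe",
}
# Hidden-window PowerShell whose output is redirected into %TEMP%.
HIDDEN_PS_TEMP = re.compile(
    r"-w(?:indowstyle)?\s+hidden.*>\s*(%temp%|.*\\appdata\\local\\temp\\)",
    re.IGNORECASE,
)

def hunt(events: Iterable[dict]) -> list[str]:
    """Return one finding string per event matching a Graphican-like behaviour."""
    findings = []
    for ev in events:
        image = ev.get("Image", "").lower()
        if ev["EventID"] == 3:
            host = ev.get("DestinationHostname", "").lower()
            # Graph API traffic from anything but a known client is suspicious.
            if host in GRAPH_HOSTS and image not in EXPECTED_GRAPH_CLIENTS:
                findings.append(f"graph-api-from-unexpected-process:{image}->{host}")
        elif ev["EventID"] == 1:
            cmd = ev.get("CommandLine", "")
            if image.endswith("powershell.exe") and HIDDEN_PS_TEMP.search(cmd):
                parent = ev.get("ParentImage", "?").lower()
                findings.append(f"hidden-powershell-temp-output:{parent}")
    return findings

SAMPLE_EVENTS = [  # constructed sample events, not from the report
    {"EventID": 3, "Image": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe",
     "DestinationHostname": "graph.microsoft.com"},
    {"EventID": 3, "Image": r"C:\Windows\Temp\svchost.exe",
     "DestinationHostname": "graph.microsoft.com"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\Temp\svchost.exe",
     "CommandLine": r'powershell.exe -WindowStyle Hidden -c "whoami > %TEMP%\out.txt"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Only the second and third sample events are flagged; the legitimate OneDrive client and the visible, non-TEMP PowerShell run are not.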
Other tools Symantec's researchers observed in APT15's latest campaign are:
- EWSTEW – Custom APT15 backdoor that extracts emails from infected Microsoft Exchange servers.
- Mimikatz, Pypykatz, Safetykatz – Publicly available credential-dumping tools that abuse Windows single sign-on to extract secrets from memory.
- Lazagne – An open-source tool able to retrieve passwords from multiple applications.
- Quarks PwDump – Dumps various types of Windows credentials. Documented since 2013.
- SharpSecDump – A .NET port of Impacket's secretsdump.py, used for dumping remote SAM and LSA secrets.
- K8Tools – A toolset that includes privilege escalation, password cracking, scanning, vulnerability exploitation, and various system exploits.
- EHole – Identification of vulnerable systems.
- Web shells – AntSword, Behinder, China Chopper, Godzilla, giving the hackers backdoor access to the breached systems.
- CVE-2020-1472 exploit – Elevation of privilege vulnerability affecting the Netlogon Remote Protocol.
In conclusion, the latest activity of APT15 and the refresh of its custom backdoor show that the Chinese hacking group remains a threat to organizations worldwide, improving its tools and working to make its operations stealthier.
Indicators of Compromise
IOCs captured from the Symantec blog: