Chinese APT15 Hackers Resurface with New Graphican Malware

Cyber Security Threat Summary:
“Today, the Threat Hunter Team at Symantec, part of Broadcom, reports that APT15's latest campaign targets foreign affairs ministries in Central and South American countries. The researchers report that the new Graphican backdoor is an evolution of an older malware used by the hackers rather than a tool created from scratch. It is notable for using Microsoft Graph API and OneDrive to stealthily obtain its command and control (C2) infrastructure addresses in encrypted form, giving it versatility and resistance against take-downs.

Graphican, the new backdoor utilized by the Chinese APT15 hacking group, carries out a series of operations on infected devices. These include disabling Internet Explorer 10's first-run wizard, verifying the status of the 'iexplore.exe' process, and constructing a global IWebBrowser2 COM object for internet access. Graphican also authenticates with Microsoft Graph API, enumerates files and folders in the "Person" OneDrive directory, decrypts the first folder's name for use as a command and control (C&C) server, and generates a unique Bot ID. The backdoor registers the bot with the C&C server and regularly checks for new commands to execute, enabling threat actors to carry out various actions such as launching programs and downloading files.

APT15 utilizes various command and control (C&C) commands in their operations. These commands include creating an interactive command line ('C'), creating files on remote computers ('U'), downloading files from remote computers to the C&C server ('D'), creating new processes with hidden windows ('N'), and creating new PowerShell processes with hidden windows and saving results in temporary files ('P'). Additionally, Symantec's researchers have observed other tools employed by APT15 in their latest campaign” (BleepingComputer, 2023).

Security Officer Comments:
This threat group uses phishing emails as an initial infection vector; however, it is also known for exploiting vulnerable internet-exposed endpoints and for using VPNs as an initial access vector. Between late 2022 and early 2023, APT15 targeted foreign affairs ministries in Central and South American countries. APT15, active since at least 2004, has a history of targeting important public and private organizations worldwide. The Graphican backdoor, an evolution of the group's previous malware, uses Microsoft Graph API and OneDrive for stealthy command and control (C2) communication.

Suggested Correction(s):
CISA has ordered federal agencies to restrict access to internet-exposed networking equipment in response to increasing attacks exploiting vulnerabilities; private companies should do the same. Mitigation measures against phishing attacks include security awareness training, email filtering, multi-factor authentication, strong passwords, phishing simulations, software updates, incident response planning, website encryption, monitoring, and promoting a security-conscious culture, all of which improve resilience against phishing.

Link(s):
https://www.bleepingcomputer.com/
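The monitoring recommendation above is easier to act on with concrete rules. The script below is an added example, not code from Symantec, BleepingComputer or APT15's tooling: it runs three behavioural checks drawn from the summary (the Internet Explorer first-run wizard being disabled, a Microsoft Graph API or OneDrive connection from a process that has no business making one, and a PowerShell process launched with a hidden window) over constructed Sysmon-style JSON events, and raises a host to "high" only when two or more distinct rules fire on it. The field names follow the common Sysmon schema (EventID 1 process create, 3 network connect, 13 registry value set); the registry value name DisableFirstRunCustomize and the allowlist of processes expected to reach Graph are assumptions, since the report names neither.

```python
"""Correlate Graphican-style host behaviours from Sysmon-like JSON events.

Added example; the sample events below are constructed, not captured.
"""
import json
from collections import defaultdict

# Assumed allowlist: processes that legitimately talk to Microsoft Graph / OneDrive.
GRAPH_ALLOWLIST = {"onedrive.exe", "outlook.exe", "teams.exe", "msedge.exe",
                   "winword.exe", "excel.exe"}
GRAPH_HOSTS = ("graph.microsoft.com", "onedrive.live.com", "1drv.ms")
# Assumed registry value behind "disabling the IE first-run wizard" (not named in the report).
IE_FIRSTRUN_VALUE = "internet explorer\\main\\disablefirstruncustomize"

# Constructed events: ws01 shows all three behaviours, ws02 is benign, ws03 is a single weak hit.
SAMPLE_EVENTS = r"""
{"EventID": 13, "Computer": "ws01", "Image": "C:\\Users\\a\\AppData\\Roaming\\svc.exe", "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Internet Explorer\\Main\\DisableFirstRunCustomize", "Details": "DWORD (0x00000001)"}
{"EventID": 3, "Computer": "ws01", "Image": "C:\\Users\\a\\AppData\\Roaming\\svc.exe", "DestinationHostname": "graph.microsoft.com", "DestinationPort": 443}
{"EventID": 1, "Computer": "ws01", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Users\\a\\AppData\\Roaming\\svc.exe", "CommandLine": "powershell.exe -WindowStyle Hidden -NoProfile -Command Get-Process"}
{"EventID": 3, "Computer": "ws02", "Image": "C:\\Users\\b\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe", "DestinationHostname": "graph.microsoft.com", "DestinationPort": 443}
{"EventID": 1, "Computer": "ws02", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe -NoProfile"}
{"EventID": 3, "Computer": "ws03", "Image": "C:\\Windows\\System32\\curl.exe", "DestinationHostname": "onedrive.live.com", "DestinationPort": 443}
"""


def check_event(ev):
    """Return the names of the rules this single event matches (possibly none)."""
    hits = []
    image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
    eid = ev.get("EventID")
    if eid == 13 and IE_FIRSTRUN_VALUE in ev.get("TargetObject", "").lower():
        hits.append("ie_firstrun_disabled")
    if (eid == 3 and ev.get("DestinationHostname", "").lower().endswith(GRAPH_HOSTS)
            and image not in GRAPH_ALLOWLIST):
        hits.append("graph_api_from_unexpected_process")
    if eid == 1 and image in ("powershell.exe", "pwsh.exe"):
        cl = ev.get("CommandLine", "").lower()
        if "-windowstyle hidden" in cl or " -w hidden" in cl or " -w h " in cl:
            hits.append("hidden_window_powershell")
    return hits


def correlate(events):
    """Group rule hits per host; two or more distinct rules on one host -> 'high'."""
    per_host = defaultdict(set)
    for ev in events:
        for rule in check_event(ev):
            per_host[ev["Computer"]].add(rule)
    return {host: ("high" if len(rules) >= 2 else "low", sorted(rules))
            for host, rules in per_host.items()}


def load_events(text):
    """Parse newline-delimited JSON events."""
    return [json.loads(line) for line in text.strip().splitlines()]


def run(text=SAMPLE_EVENTS):
    """Evaluate the event stream and return {host: (severity, [rules])}."""
    return correlate(load_events(text))


if __name__ == "__main__":
    for host, (severity, rules) in run().items():
        print(f"{host}: {severity} ({', '.join(rules)})")
```

Each rule on its own is noisy (administrators do run hidden PowerShell, and plenty of software reaches Graph), which is why the verdict is driven by co-occurrence on one host; in production the allowlist would be built from the organisation's own baseline and the events would come from the SIEM rather than an inline string.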