Graphican: Flea Uses New Backdoor in Attacks Targeting Foreign Ministries

The Flea (APT15) group deployed a new backdoor called Graphican against foreign ministries in the Americas from late 2022 to early 2023, expanding its toolkit for intelligence-gathering campaigns. Graphican uses the Microsoft Graph API and OneDrive for its C2 infrastructure and shows the ongoing development of Flea’s tooling, which also includes multiple living-off-the-land utilities and public credential tools.

Keypoints

  • Flea (also known as APT15 or Nickel) introduced Graphican, a new backdoor, in a campaign primarily targeting foreign ministries in the Americas.
  • Graphican is an evolution of Ketrican/BS2005 and uses Microsoft Graph API and OneDrive to obtain and dynamically change its C2 server address.
  • The malware enumerates the OneDrive “Person” folder, decrypts the first subfolder name to obtain the C2 server, and generates a Bot ID from host/system data.
  • Graphican disables IE first-run UI via registry keys, checks for iexplore.exe, and uses a global IWebBrowser2 COM object to access the internet.
  • Commands supported by Graphican include interactive C2 shell (C), remote file creation (U), file download (D), hidden process creation (N), and hidden PowerShell execution (P).
  • In addition to Graphican, Flea leverages a wide set of tools (EWSTEW, Mimikatz, Lazagne, web shells, CVE-2020-1472 exploit, etc.) to broaden its capabilities and persistence.

MITRE Techniques

  • [T1071.001] Web Protocols – Graphican uses the Microsoft Graph API and OneDrive to obtain its C2 infrastructure. “The most noteworthy thing about Graphican itself is the abuse of the Microsoft Graph API and OneDrive to obtain its C&C server.”
  • [T1083] File and Directory Discovery – Graphican enumerates the child files and folders inside the “Person” folder in OneDrive. “Using the Graph API it enumerates the child files and folders inside the ‘Person’ folder in OneDrive.”
  • [T1140] Deobfuscate/Decode Files or Information – Graphican decrypts the first folder name to use as a C2 server. “obtains the name of the first folder and decrypts it to use it as a C&C server.”
  • [T1112] Modify Registry – Graphican disables Internet Explorer first-run wizard and welcome page via registry keys. “Disables the Internet Explorer 10 first run wizard and welcome page via registry keys.”
  • [T1082] System Information Discovery – Bot ID is generated from hostname, local IP, Windows version, language, and architecture. “Generates a Bot ID based on the hostname, local IP, Windows version, the system default language identifier, and the process bitness…”
  • [T1059.003] Windows Command Shell – C command creates an interactive command line controlled from the C2 server. “C — Creates an interactive command line that is controlled from the C&C server.”
  • [T1059.001] PowerShell – P command creates a new PowerShell process with a hidden window and sends results back to C2. “P — Creates a new PowerShell process with a hidden window and saves the results in a temporary file in the TEMP folder and sends the results to the C&C server.”
  • [T1566] Phishing – Flea traditionally used email as an initial infection vector. “Flea traditionally used email as an initial infection vector…”
  • [T1190] Exploit Public-Facing Application – There are reports of Flea exploiting public-facing applications to gain initial access. “reports of it exploiting public-facing applications…”
  • [T1068] Exploitation for Privilege Escalation – Use of CVE-2020-1472 to escalate privileges. “Exploit of CVE-2020-1472 …”
  • [T1003] Credential Dumping – Use of Mimikatz, Pypykatz, Safetykatz to dump credentials from memory. “Mimikatz, Pypykatz, Safetykatz … credential-dumping tool.”
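The behaviours listed above (IE first-run registry changes by a non-IE process, Graph API traffic from an unexpected process, hidden PowerShell writing to TEMP) translate into a simple hunt. The following is an added detection sketch, not code from Symantec or the blog post; the event field names, the sample telemetry and the specific IE registry value names are assumptions for illustration.

```python
# Added example: score endpoint telemetry for Graphican-like behaviour described in
# the summary. Event schema (Sysmon-like dicts), sample data and the IE first-run
# value names below are assumptions, not indicators published by Symantec.

# Assumed IE first-run / welcome-page values under ...\Internet Explorer\Main.
IE_FIRSTRUN_VALUES = {"DisableFirstRunCustomize", "RunOnceHasShown", "RunOnceComplete"}
GRAPH_HOSTS = {"graph.microsoft.com", "login.microsoftonline.com"}
# Processes for which Graph API traffic is normal in this (assumed) environment.
EXPECTED_GRAPH_PROCS = {"outlook.exe", "onedrive.exe", "teams.exe", "msedge.exe", "iexplore.exe"}


def score_host(events):
    """Return {host: set(reasons)}; more reasons on one host means higher confidence."""
    findings = {}

    def flag(host, reason):
        findings.setdefault(host, set()).add(reason)

    for ev in events:
        host, kind = ev["host"], ev["type"]
        proc = ev["image"].lower().rsplit("\\", 1)[-1]  # basename of the image path
        if kind == "registry" and "internet explorer\\main" in ev["key"].lower() \
                and ev["value"] in IE_FIRSTRUN_VALUES and proc != "iexplore.exe":
            flag(host, "ie-firstrun-registry-by-non-ie")
        elif kind == "network" and ev["dest"].lower() in GRAPH_HOSTS \
                and proc not in EXPECTED_GRAPH_PROCS:
            flag(host, "graph-api-from-unexpected-process")
        elif kind == "process" and proc == "powershell.exe":
            cmd = ev["cmdline"].lower()
            if "-windowstyle hidden" in cmd and "\\temp\\" in cmd:
                flag(host, "hidden-powershell-to-temp")
    return findings


# Constructed sample telemetry: WS01 shows all three behaviours, WS02 is benign.
SAMPLE_EVENTS = [
    {"host": "WS01", "type": "registry", "image": r"C:\Users\u\AppData\Local\svc.exe",
     "key": r"HKCU\Software\Microsoft\Internet Explorer\Main", "value": "DisableFirstRunCustomize"},
    {"host": "WS01", "type": "network", "image": r"C:\Users\u\AppData\Local\svc.exe",
     "dest": "graph.microsoft.com"},
    {"host": "WS01", "type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -WindowStyle Hidden -c whoami > C:\Users\u\AppData\Local\Temp\o.txt"},
    {"host": "WS02", "type": "network", "image": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe",
     "dest": "graph.microsoft.com"},
    {"host": "WS02", "type": "registry", "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "key": r"HKCU\Software\Microsoft\Internet Explorer\Main", "value": "RunOnceHasShown"},
]

if __name__ == "__main__":
    for host, reasons in score_host(SAMPLE_EVENTS).items():
        print(host, len(reasons), sorted(reasons))
```

Any single reason is noisy on its own (first-run keys are set by legitimate automation, and many apps talk to Graph), so triage on hosts that accumulate several reasons in a short window.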

Indicators of Compromise

  • [Domain] None listed in the article
  • [IP] None listed in the article
  • [File hash] None listed in the article
  • [File name] None listed in the article

Read more: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/flea-backdoor-microsoft-graph-apt15