CyberSecurity SEE

20-Year-Old Chinese APT15 Revives with Foreign Ministry Attacks


A Chinese state-level threat actor known as APT15 has been conducting espionage against foreign ministries in North and South America using a new malware variant. APT15, also known as Flea, Nickel, Vixen Panda, KE3CHANG, Royal APT, and Playful Dragon, has a history of targeting governments, diplomatic missions, and embassies for intelligence-gathering purposes. In recent years, the group has focused on diplomatic organizations, government organizations, and NGOs.

The latest campaign by APT15 primarily targeted ministries of foreign affairs but also included a government finance department and a corporation. All of the targets were based in the Americas, indicating a shift in focus for the group. Symantec researchers have noted that the region has become more of a priority for APT15 in recent times.

To carry out its espionage activities, APT15 used a range of tools, both malicious and dual-use. Among them were Mimikatz and its variants, several web shells including AntSword and China Chopper, and an exploit for CVE-2020-1472, a critical vulnerability in the Windows Netlogon server process. The only tool unique to the group was Graphican, a new variant of its Trojan backdoor, used to execute commands on and download files from victim machines.

Graphican stands out from previous versions of APT15’s Trojan backdoor because it does not rely on a hardcoded command-and-control (C2) server. Instead, it uses Microsoft Graph, the API for Microsoft 365 services, to retrieve an encrypted server address from a OneDrive folder. Once that address is decrypted and the connection to the C2 server is established, Graphican functions much like its predecessors, allowing the attackers to open an attacker-controlled command line, create new processes and files, and download files. This similarity in functionality suggests that the group is not overly concerned about having its activities attributed to it.
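One defender-side consequence of this design is that the backdoor's first network contact looks like ordinary Microsoft 365 traffic, so a hunt has to key on which process is talking to Graph rather than on the destination alone. The following script is an added example, not code from the article or from Symantec: it reads constructed endpoint log lines and flags any process outside a baseline of expected Graph clients that fetches OneDrive content through graph.microsoft.com. The log format, the process allowlist, and the sample lines are assumptions to be replaced with your own telemetry; the Graph drive routes (/v1.0/me/drive/..., /v1.0/drives/...) are the documented OneDrive endpoints.

```python
"""Hunting heuristic: unexpected processes fetching OneDrive content via Microsoft Graph.

Added example for this article; not part of the original page and not
Symantec's or APT15's code. The log line format, the allowlist and the
sample records below are constructed assumptions.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumption: processes this (hypothetical) estate expects to call Graph.
# Build this from your own baseline rather than copying it.
EXPECTED_GRAPH_CLIENTS = {
    "onedrive.exe", "outlook.exe", "teams.exe", "msedge.exe", "chrome.exe",
    "firefox.exe", "winword.exe", "excel.exe", "powerpnt.exe", "onenote.exe",
}

# Graph routes that read OneDrive content (documented v1.0/beta drive paths).
DRIVE_PATH = re.compile(r"^/(?:v1\.0|beta)/(?:(?:me|users/[^/]+)/drive\b|drives/)", re.I)

# Constructed log format: <ts> host=<name> proc="<image path>" dst=<fqdn> path=<url path>
LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) proc="(?P<proc>[^"]+)" '
    r'dst=(?P<dst>\S+) path=(?P<path>\S+)$'
)


@dataclass(frozen=True)
class Finding:
    ts: str
    host: str
    proc: str   # image basename, lower-cased
    path: str   # Graph URL path that was requested


def parse_line(line: str) -> Optional[dict]:
    """Parse one constructed log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def hunt(lines: Iterable[str]) -> List[Finding]:
    """Return findings for non-baseline processes reading OneDrive via Graph."""
    findings: List[Finding] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["dst"].lower() != "graph.microsoft.com":
            continue                      # only Graph traffic is of interest here
        proc = rec["proc"].rsplit("\\", 1)[-1].lower()
        if proc in EXPECTED_GRAPH_CLIENTS:
            continue                      # expected client; part of the baseline
        if DRIVE_PATH.match(rec["path"]):
            findings.append(Finding(rec["ts"], rec["host"], proc, rec["path"]))
    return findings


# Constructed sample telemetry (hosts, paths and image names are invented).
SAMPLE_LOG = [
    r'2023-06-20T10:01:02Z host=WS-017 proc="C:\Program Files\Microsoft OneDrive\OneDrive.exe" dst=graph.microsoft.com path=/v1.0/me/drive/root/children',
    r'2023-06-20T10:01:09Z host=WS-017 proc="C:\Users\Public\upd.exe" dst=graph.microsoft.com path=/v1.0/me/drive/root:/cfg:/children',
    r'2023-06-20T10:02:11Z host=WS-022 proc="C:\Windows\System32\svchost.exe" dst=update.microsoft.com path=/v11/check',
    r'2023-06-20T10:03:40Z host=WS-031 proc="C:\Users\alice\AppData\Local\Temp\tool.exe" dst=graph.microsoft.com path=/v1.0/me/messages',
    r'2023-06-20T10:04:55Z host=WS-031 proc="C:\Users\alice\AppData\Local\Temp\tool.exe" dst=graph.microsoft.com path=/v1.0/drives/b!abc123/items/01XYZ/content',
]


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f.ts} {f.host}: unexpected Graph/OneDrive read by {f.proc} ({f.path})")
```

Run against the sample records the script reports two hosts: the process in a Public folder listing a OneDrive folder, and the temp-directory binary downloading an item's content; the mail-reading call from the same binary is not flagged, which shows why the drive-path filter matters. A real deployment should also enrich findings with the signing status of the image and the account whose token was used, since a legitimate but unbaselined tool will trigger the same rule.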

APT15 has been active for nearly two decades, according to Symantec. In 2021, Microsoft’s Digital Crimes Unit carried out a coordinated seizure of APT15’s known infrastructure, but this did not put an end to the group’s activities. A year later, APT15 returned with a large-scale spyware campaign targeting Uyghur populations.

Organizations looking to defend against APT15 should consider more than just the initial infection vector. The group has been known to use phishing emails, exploit public-facing applications, and abuse VPNs to gain initial access to victim networks. However, APT15’s consistent reuse of similar malware works in defenders’ favour: by validating security controls against the group’s known patterns and cycles, organizations can improve their defenses against this threat actor.

APT groups like APT15 are focused on efficiency, according to Avishai Avivi, CISO at SafeBreach. If a tool proves effective, they will continue to use it until it loses its efficacy or is stopped. Adversaries face the same constraints of time and money in their research and development efforts as companies do.

In conclusion, APT15, a Chinese state-level threat actor, has conducted espionage against foreign ministries in the Americas using a new malware variant. The group, known for targeting government and diplomatic entities, has shifted its focus to the Americas in recent years. By utilizing various tools and a new variant of their Trojan backdoor, APT15 has conducted sophisticated espionage operations. Defending against APT15 requires organizations to consider multiple attack vectors and validate their security controls against known patterns and cycles.
