CyberSecurity SEE

China-sponsored APT Group Targets Government Ministries in the Americas

A recent report by the Symantec Threat Hunter Team has revealed that an advanced persistent threat (APT) group known as Flea has been attacking foreign affairs ministries in North and South America. In these intrusions the group deployed a new backdoor called Graphican.

The campaign, which ran from late 2022 into early 2023, targeted not only foreign affairs ministries but also a government finance department in a country in the Americas and a corporation selling products in Central and South America. One victim was based in a European country, showing that the group's reach is not limited to the Americas.

Flea, also known as APT15, Nickel, Ke3chang, and Vixen Panda, is widely believed to be a China-sponsored APT group. The group has a history of targeting government entities, diplomatic missions, and embassies, most likely for intelligence gathering. Graphican is an evolution of the earlier Flea backdoor Ketrican, which in turn was based on a previous malware family named BS2005. Graphican and Ketrican share much of their functionality, and reusing code that researchers have already tied to the group makes attribution straightforward, which suggests that Flea is not particularly concerned about its activity being linked to it.

According to Symantec, Graphican uses the Microsoft Graph API and OneDrive for its command-and-control (C&C) infrastructure. Rather than carrying a hard-coded C&C address, the backdoor connects to OneDrive via the Microsoft Graph API and retrieves the encrypted C&C server address from a child folder inside the Person folder of the attacker-controlled drive. This dynamic approach lets the operators change the C&C server at will simply by updating the folder, and because the bootstrap traffic goes to a legitimate Microsoft service, it is far less conspicuous than a connection to an unknown IP address.
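A practitioner reading the description above will want a way to spot this pattern in their own telemetry. The following is an added example, not code from Symantec or from the Graphican sample: it runs a simple heuristic over constructed endpoint/proxy log lines (a hypothetical JSON schema, not a real product format) and flags a non-allowlisted process that enumerates OneDrive folders through the Graph API and then, shortly afterwards, connects to a non-Microsoft host. The specific Graph path used in the sample, the process allowlist, and the 120-second window are assumptions for illustration; the page only states that the C&C address is read from a child folder under Person.

```python
import json
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (NOT real logs): one JSON record per line in a
# hypothetical EDR/proxy schema. Two hosts, one benign OneDrive client, one
# oddly named process that lists a "Person" folder and then calls out to a
# non-Microsoft IP. 203.0.113.7 is a documentation address.
SAMPLE_LOG = """\
{"ts":"2023-01-10T09:02:11Z","host_name":"ws-042","process":"OneDrive.exe","dst":"graph.microsoft.com","method":"GET","path":"/v1.0/me/drive/root/children"}
{"ts":"2023-01-10T09:02:40Z","host_name":"ws-042","process":"OUTLOOK.EXE","dst":"graph.microsoft.com","method":"GET","path":"/v1.0/me/messages"}
{"ts":"2023-01-10T09:03:05Z","host_name":"ws-017","process":"svchost_update.exe","dst":"graph.microsoft.com","method":"GET","path":"/v1.0/me/drive/root:/Person:/children"}
{"ts":"2023-01-10T09:03:09Z","host_name":"ws-017","process":"svchost_update.exe","dst":"login.microsoftonline.com","method":"POST","path":"/common/oauth2/v2.0/token"}
{"ts":"2023-01-10T09:04:00Z","host_name":"ws-017","process":"svchost_update.exe","dst":"203.0.113.7","method":"GET","path":"/"}
"""

# Assumption: processes that legitimately list OneDrive folders via Graph in
# this environment. Tune to your own estate; this is illustrative only.
EXPECTED_GRAPH_CLIENTS = {
    "onedrive.exe", "outlook.exe", "teams.exe", "ms-teams.exe",
    "excel.exe", "winword.exe", "powerpnt.exe",
}

# Destinations treated as "Microsoft cloud" for the follow-up heuristic.
MICROSOFT_SUFFIXES = (".microsoft.com", ".microsoftonline.com", ".live.com", ".office.com")

# Graph drive "children" listings: /me/drive/root/children,
# /me/drive/root:/<folder>:/children, /users/<id>/drive/items/<id>/children ...
DRIVE_CHILDREN = re.compile(
    r"^/v1\.0/(?:me|users/[^/]+)/drive/(?:root|items/[^/]+)(?::/[^:]+:)?/children$"
)


def parse_log(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def parse_ts(value):
    # datetime.fromisoformat accepts "+00:00" on all supported Python versions.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def is_drive_enumeration(rec):
    """True if the record is a GET listing of a OneDrive folder via Graph."""
    return (
        rec["dst"] == "graph.microsoft.com"
        and rec["method"] == "GET"
        and DRIVE_CHILDREN.match(rec["path"]) is not None
    )


def find_suspicious_graph_use(records):
    """Drive enumerations performed by a process outside the allowlist."""
    return [
        rec for rec in records
        if is_drive_enumeration(rec) and rec["process"].lower() not in EXPECTED_GRAPH_CLIENTS
    ]


def followup_connections(records, hits, window=timedelta(seconds=120)):
    """Pair each hit with later non-Microsoft connections from the same
    host and process inside the window: the 'fetch address, then call
    home' sequence described for Graphican. Returns (hit, followup) tuples."""
    pairs = []
    for hit in hits:
        t0 = parse_ts(hit["ts"])
        for rec in records:
            if rec["host_name"] != hit["host_name"] or rec["process"] != hit["process"]:
                continue
            t = parse_ts(rec["ts"])
            if t <= t0 or t - t0 > window:
                continue
            if rec["dst"].endswith(MICROSOFT_SUFFIXES):
                continue
            pairs.append((hit, rec))
    return pairs


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for hit, nxt in followup_connections(recs, find_suspicious_graph_use(recs)):
        print(f"{hit['host_name']} {hit['process']}: Graph listing {hit['path']} "
              f"followed by {nxt['method']} {nxt['dst']}{nxt['path']} at {nxt['ts']}")
```

The allowlist is the weak point of a rule like this; a real deployment would key on signed image path or publisher rather than the bare process name, which an implant can trivially mimic, and would also watch for Graph token requests with unfamiliar client IDs.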

In terms of capabilities, Graphican can open an interactive command line that the operators control remotely, download files to the compromised host, and set up covert processes to gather data of interest. The use of the Graph API and OneDrive for C&C is not new: the Russian state-sponsored APT group Swallowtail (also known as APT28) used the same approach in a 2022 campaign involving the Graphite malware. Symantec expects other APT groups and cybercriminals to adopt the technique in the future, following the lead of Swallowtail and Flea.

Flea has been active since at least 2004 and has employed various infection vectors over the years. Initially the group relied on email as its primary means of initial access, but there have since been reports of Flea exploiting public-facing applications and using VPNs to get into victim networks. Symantec's analysis suggests that Flea's primary goal is persistent access to its targets' networks for intelligence gathering.

This is not the first time that Flea has made headlines. In January 2023, the group compromised the networks of four Iranian government organizations, including Iran's Ministry of Foreign Affairs, using a new version of the Turian malware. Earlier, Flea targeted the Syrian Ministry of Foreign Affairs in 2012 and the US Department of State in 2013.

In December 2021, Microsoft seized 42 domains used by the group, which it tracks as Nickel, in attacks on organizations in 29 countries. Despite this setback, Flea continues to develop new tooling, as the Graphican backdoor shows. The group's persistence and adaptability make it a formidable threat.

In conclusion, the activities of the Flea APT group and their use of the Graphican backdoor highlight the ongoing challenges faced by government entities and organizations in protecting their networks from sophisticated cyber threats. The global nature of these attacks emphasizes the need for international collaboration and proactive defense measures to mitigate the risk of APT groups like Flea.
