Chinese APT 'Flea' Targets US Institutions with Backdoor Malware

Researchers have discovered that a Chinese state-sponsored actor called Flea conducted a targeted campaign against foreign affairs ministries in the Americas between late 2022 and early 2023. According to the researchers, the cyber attacks involved the use of a new backdoor named Graphican. In addition to the ministries, the campaign targeted a government finance department, a corporation operating in the Americas, and an unspecified victim in Europe.

The report from the researchers highlighted the extensive arsenal of tools employed by Flea, describing the threat actor as well-funded and formidable. Along with the Graphican backdoor, the attackers utilized various "living-off-the-land" tools and tools previously associated with Flea.

Flea, also known as APT15, BackdoorDiplomacy, ke3chang, Nylon Typhoon (formerly Nickel), Playful Taurus, Royal APT, and Vixen Panda, is an advanced persistent threat group that has been targeting governments, diplomatic missions, and embassies since at least 2004.

Earlier this year, the group was attributed to a series of attacks on Iranian government entities between July and December 2022. Last month, it was revealed that the Kenyan government had been the focus of a three-year intelligence-gathering operation targeting key ministries and state institutions.

Flea has also been linked to multiple Android surveillance campaigns, including SilkBean and BadBazaar, which targeted Uyghurs in China and abroad.

Graphican Malware Is an Update to Existing Ketrican

Graphican, the new backdoor used by Flea, is considered an evolution of a previous backdoor called Ketrican. Ketrican's features had earlier been combined with those of another implant, Okrum, to produce a malware named Ketrum. What sets Graphican apart from Ketrican is its use of the Microsoft Graph API and OneDrive to retrieve the details of the command-and-control (C&C) server.

Unlike Ketrican, Graphican does not carry a hardcoded C&C server address. Instead, it connects to OneDrive via the Microsoft Graph API and reads the encrypted C&C server address from a specific folder. Abuse of the Microsoft Graph API and OneDrive in this way is not new: it has previously been observed with Russian and Chinese threat actors such as APT28 and Bad Magic.

Graphican has the capability to communicate with the C&C server, receive commands, create an interactive command line, download files, and establish covert processes for data extraction.
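A defender-side detection sketch for the dead-drop pattern described above, added here as an example (it is not code from the report or from the malware): it scans constructed endpoint telemetry for a process that is not expected to use Graph/OneDrive, reaches one of those endpoints, and then connects to a non-Microsoft destination shortly afterwards. The log format, the endpoint list and the per-environment process baseline are assumptions.

```python
from datetime import datetime, timedelta

# Constructed endpoint telemetry, one connection per line (not from the report):
# "<timestamp> <host> <process> <destination> <port>", sorted by timestamp.
SAMPLE_LOG = """\
2023-03-01T09:12:01Z WS01 OUTLOOK.EXE graph.microsoft.com 443
2023-03-01T09:12:05Z WS01 msedge.exe onedrive.live.com 443
2023-03-01T09:13:11Z WS02 update.exe graph.microsoft.com 443
2023-03-01T09:13:12Z WS02 update.exe api.onedrive.com 443
2023-03-01T09:13:40Z WS02 update.exe 203.0.113.7 8080
2023-03-01T09:14:40Z WS03 OneDrive.exe api.onedrive.com 443
"""

# Cloud endpoints a backdoor can use as a dead drop for its C&C address (assumed list).
DEAD_DROP_HOSTS = {"graph.microsoft.com", "onedrive.live.com", "api.onedrive.com"}
# Assumed baseline of processes that legitimately talk to these services in this environment.
EXPECTED_PROCESSES = {"outlook.exe", "teams.exe", "onedrive.exe", "msedge.exe", "chrome.exe"}
# How soon after the dead-drop lookup a follow-up beacon counts as related.
FOLLOW_UP_WINDOW = timedelta(minutes=5)


def parse(log_text):
    """Turn the whitespace-separated telemetry into a list of event dicts."""
    events = []
    for line in log_text.splitlines():
        ts, host, proc, dest, port = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "host": host, "proc": proc, "dest": dest, "port": int(port)})
    return events


def find_dead_drop_resolvers(events):
    """Return (host, process, dead-drop endpoint, follow-up destination) tuples where an
    unexpected process reads a Graph/OneDrive endpoint and then, within FOLLOW_UP_WINDOW,
    connects to a non-Microsoft destination: the resolve-C&C-then-beacon sequence."""
    findings, seen = [], set()
    for i, ev in enumerate(events):
        if ev["dest"] not in DEAD_DROP_HOSTS or ev["proc"].lower() in EXPECTED_PROCESSES:
            continue
        if (ev["host"], ev["proc"]) in seen:
            continue  # one finding per host/process pair is enough for triage
        for later in events[i + 1:]:
            if later["ts"] - ev["ts"] > FOLLOW_UP_WINDOW:
                break
            same_origin = later["host"] == ev["host"] and later["proc"] == ev["proc"]
            if same_origin and later["dest"] not in DEAD_DROP_HOSTS \
                    and not later["dest"].endswith(".microsoft.com"):
                findings.append((ev["host"], ev["proc"], ev["dest"], later["dest"]))
                seen.add((ev["host"], ev["proc"]))
                break
    return findings


if __name__ == "__main__":
    for finding in find_dead_drop_resolvers(parse(SAMPLE_LOG)):
        print("suspicious dead-drop resolver:", finding)
```

The process baseline is the weak point of this heuristic: tune it per estate, and treat a hit as a lead for looking at the binary and its follow-up destination, not as a verdict.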

Another notable tool used in the campaign is an updated version of the EWSTEW backdoor, which allows the extraction of sent and received emails from compromised Microsoft Exchange servers.

June 21, 2023