Chinese hackers attack foreign ministries across America

The new “Graphican” backdoor uses the Graph API and OneDrive to obtain the attackers’ C2 server address.

The Chinese government-backed hacker group that researchers track under the code name “Flea” carried out a series of cyberattacks on foreign ministries in the Americas from late 2022 to early 2023, according to the cybersecurity company Symantec.

According to experts, the hackers used the new “Graphican” malware, which allowed them to remotely access infected computers. In addition to the ministries of foreign affairs, other government and private organizations from different countries were also among the victims.

“Flea has a large arsenal of tools for this campaign,” Symantec said in a report. “In addition to the new Graphican, the attackers used various legitimate programs, as well as specific tools previously linked to Flea.”

Flea, also known as APT15, BackdoorDiplomacy, ke3chang, Nylon Typhoon (formerly Nickel), Playful Taurus, Royal APT, and Vixen Panda, is an advanced threat group that has been attacking governments, embassies, and diplomats since 2004.

This January, the group was found to be behind a series of attacks on Iranian government entities from mid-July to late December 2022. And just last month it became known that the Kenyan government had also been the target of a three-year Flea espionage operation aimed at key ministries and government agencies in the country.

In addition, Flea has previously been linked to the SilkBean and BadBazaar Android spyware campaigns, which targeted Uyghurs in China and abroad in July 2020 and November 2022, respectively.

The Graphican backdoor used by the hackers in the latest campaign is an evolution of Flea’s already known malware called “Ketrican”. The new malware uses the Microsoft Graph API and OneDrive to obtain the address of its C2 server, which is how it got its name.

It is worth noting that abuse of the Microsoft Graph API and OneDrive has previously been observed from both Russian and Chinese groups, such as APT28 (also known as Sofacy or Swallowtail) and Bad Magic (also known as Red Stinger).

Graphican can receive arbitrary commands from the C2 server, including creating an interactive command line, uploading files to the host, and setting up hidden processes to collect data of interest.
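The way Graphican obtains its C2 address through the Graph API and OneDrive gives defenders a pattern to hunt for: a process that is not one of the usual Microsoft clients reaches graph.microsoft.com or a OneDrive endpoint, and shortly afterwards the same process connects to a host outside Microsoft's domains. The following script is an added illustration written for this article, not code from Symantec or from the campaign it describes. It runs over a few constructed endpoint log lines in a made-up `<timestamp> <endpoint> <process> <destination>` format; the process allowlist and the "trusted suffix" list are assumptions that a real deployment would replace with its own baseline.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple

# Real Microsoft hostnames through which the Graph API and OneDrive are reached.
CLOUD_HOSTS = {"graph.microsoft.com", "api.onedrive.com", "onedrive.live.com"}

# Processes that legitimately talk to those hosts on a managed Windows endpoint.
# Illustrative assumption: build the real allowlist from your own telemetry.
EXPECTED_PROCESSES = {"onedrive.exe", "outlook.exe", "teams.exe", "msedge.exe"}

# Domain suffixes treated as "still inside Microsoft" for the second rule.
# Also an assumption; extend it to match what your environment considers normal.
TRUSTED_SUFFIXES = ("microsoft.com", "office.com", "office365.com", "live.com", "windows.net")


@dataclass(frozen=True)
class Event:
    ts: str        # ISO 8601 timestamp
    endpoint: str  # workstation name
    process: str   # image name, lower-cased
    dest: str      # destination hostname, lower-cased


def parse_line(line: str) -> Event:
    """Parse one constructed log line: '<ts> <endpoint> <process> <dest>'."""
    ts, endpoint, process, dest = line.split()
    return Event(ts, endpoint, process.lower(), dest.lower())


def is_trusted_host(host: str) -> bool:
    """True if the host is itself a trusted suffix or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def detect(lines: List[str]) -> List[str]:
    """Return human-readable findings for the dead-drop resolver pattern.

    Rule 1: a process outside the allowlist contacts a Graph/OneDrive host.
    Rule 2: a process that has already touched a Graph/OneDrive host then
            connects to a non-Microsoft host (candidate for the fetched C2).
    """
    findings: List[str] = []
    touched_cloud: Set[Tuple[str, str]] = set()  # (endpoint, process) pairs
    for line in lines:
        ev = parse_line(line)
        key = (ev.endpoint, ev.process)
        if ev.dest in CLOUD_HOSTS:
            touched_cloud.add(key)
            if ev.process not in EXPECTED_PROCESSES:
                findings.append(
                    f"{ev.ts} {ev.endpoint}: unexpected process {ev.process} contacted {ev.dest}"
                )
        elif key in touched_cloud and not is_trusted_host(ev.dest):
            findings.append(
                f"{ev.ts} {ev.endpoint}: {ev.process} contacted {ev.dest} "
                f"after a Graph/OneDrive lookup (possible retrieved C2)"
            )
    return findings


# Constructed sample log: the first two lines are benign client traffic, the
# last three show an unexpected binary using the cloud service as a dead drop.
SAMPLE_LOG = [
    "2023-01-12T09:14:03Z ws-042 onedrive.exe graph.microsoft.com",
    "2023-01-12T09:14:05Z ws-042 outlook.exe outlook.office365.com",
    "2023-01-12T09:20:11Z ws-042 updater.exe graph.microsoft.com",
    "2023-01-12T09:20:12Z ws-042 updater.exe api.onedrive.com",
    "2023-01-12T09:20:40Z ws-042 updater.exe cdn.example.net",
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

The second rule is what separates a dead-drop resolver from ordinary cloud noise: the interesting event is not the Graph call by itself but the destination that the same process reaches next. In practice the allowlist and suffix list need tuning per environment, and the (endpoint, process) key should be reset per session or per day so that a long-running legitimate client does not stay flagged forever.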

One of the other notable tools used in the attack was an updated version of the EWSTEW malware, which extracts sent and received emails from compromised Exchange servers.

“The use of the new malware shows that the Flea group, despite its long history of activity, continues to actively develop new tools,” the Symantec researchers concluded.
