Related Families: Ketrican, BS2005
Verticals Targeted: Government, Financial
Executive Summary
Vixen Panda was recently observed using the Graphican backdoor to target government, financial, and other entities in the Americas and Europe. It is based on Ketrican and is one of many tools in Vixen Panda’s arsenal.
Key Takeaways
- Vixen Panda was recently observed using the Graphican backdoor to target government, financial, and other entities in the Americas and Europe.
- Graphican is an updated version of Vixen Panda’s Ketrican backdoor.
- It connects to OneDrive via the Microsoft Graph API to obtain an encrypted C2 address.
- Graphican’s commands allow it to create an interactive command line controlled from the C2.
What is Graphican?
Vixen Panda was recently observed using the Graphican backdoor to target government, financial, and other entities in the Americas and Europe. Symantec reported on this activity, which occurred from late 2022 to early 2023.
Graphican is an updated version of Vixen Panda’s Ketrican backdoor, which itself was based on BS2005. Graphican has similar functionality to Ketrican, with the added use of the Microsoft Graph API and OneDrive to obtain its C2 infrastructure. According to Symantec, the analyzed Graphican samples did not have a hardcoded C2 but connected to OneDrive via the Microsoft Graph API to obtain the encrypted C2 address from a folder.
Once installed, Graphican is capable of editing registry keys to disable the Internet Explorer 10 first run wizard and welcome page, checking if iexplore.exe is running, creating a global IWebBrowser2 COM object to access the internet, authenticating to the Microsoft Graph API, and retrieving the encrypted C2 address. Next, it generates a bot ID based on victim system information, registers the bot to the C2, and polls the C2 for commands to execute.
Graphican’s commands allow it to create an interactive command line controlled from the C2. It also allows the malware to create and download files to and from the victim machine, create a new process with a hidden window, and create a new PowerShell process with a hidden window. It saves the results to a temporary file in the temp folder, which is uploaded to the C2.
Additional Tools
Vixen Panda used several other tools in this campaign, including the following:
EWSTEW
EWSTEW is another Vixen Panda backdoor that can extract emails from infected Microsoft Exchange servers.
Mimikatz, Pypykatz, Safetykatz
Mimikatz, Pypykatz, and Safetykatz are credential dumping tools that allow the threat actor to exploit Windows single sign-on functionality to dump secrets from memory.
Lazagne
Lazagne is an open-source credential recovery application, sometimes abused by threat actors.
Quarks PwDump
Quarks PwDump is an open-source tool that dumps Windows credentials, including those associated with local and domain accounts and cached domain credentials.
SharpSecDump
SharpSecDump is a .Net port of Impacket's secretsdump.py, which provides remote SAM and LSA Secrets dumping functionality.
K8Tools
K8Tools is a publicly available toolset that provides several capabilities for threat actors, including privilege escalation, password cracking, scanning, and vulnerability utilization.
EHole
EHole is a publicly available tool used to identify vulnerable systems.
Web Shells
In some cases, Vixen Panda used AntSword, Behinder, China Chopper, and Godzilla web shells to obtain backdoor access to victim machines.
CVE-2020-1472
In this campaign, Vixen Panda exploited CVE-2020-1472, which is a privilege elevation vulnerability that uses Netlogon Remote Protocol to establish a vulnerable Netlogon secure channel connection.
Who is Vixen Panda?
Vixen Panda, also known as APT15, Flea, BackdoorDiplomacy, Ke3Chang, Playful Dragon, Mirage, and Royal APT, is a China nexus threat actor group active since at least 2004. The group is known to target energy, financial, government, and military verticals and NGOs. Their targets have included entities in Central and South America, the Caribbean, Europe, and North America.
IOCs
PolySwarm has multiple samples of Graphican.
4b78b1a3c162023f0c14498541cb6ae143fb01d8b50d6aa13ac302a84553e2d5
A78cc475c1875186dcd1908b55c2eeaf1bcd59dedaff920f262f12a3a9e9bfa8
02e8ea9a58c13f216bdae478f9f007e20b45217742d0fbe47f66173f1b195ef5
You can use the following CLI command to search for all Graphican samples in our portal:
$ polyswarm link list -f Graphican
Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports