Related Families: Ketrican, BS2005
Verticals Targeted: Government, Financial
Vixen Panda was recently observed using the Graphican backdoor to target government, financial, and other entities in the Americas and Europe. It is based on Ketrican and is one of many tools in Vixen Panda’s arsenal.
- Vixen Panda was recently observed using the Graphican backdoor to target government, financial, and other entities in the Americas and Europe.
- Graphican is an updated version of Vixen Panda’s Ketrican backdoor.
- It connects to OneDrive via the Microsoft Graph API to obtain an encrypted C2 address.
- Graphican’s commands allow it to create an interactive command line controlled from the C2.
What is Graphican?
Vixen Panda was recently observed using the Graphican backdoor to target government, financial, and other entities in the Americas and Europe. Symantec reported on this activity, which occurred from late 2022 to early 2023.
Graphican is an updated version of Vixen Panda’s Ketrican backdoor, which itself was based on BS2005. Graphican has similar functionality to Ketrican, with the added use of the Microsoft Graph API and OneDrive to obtain its C2 infrastructure. According to Symantec, the analyzed Graphican samples did not have a hardcoded C2 but connected to OneDrive via the Microsoft Graph API to obtain the encrypted C2 address from a folder.
Once installed, Graphican is capable of editing registry keys to disable the Internet Explorer 10 first-run wizard and welcome page, checking if iexplore.exe is running, creating a global IWebBrowser2 COM object to access the internet, authenticating to the Microsoft Graph API, and retrieving the encrypted C2 address. Next, it generates a bot ID based on victim system information, registers the bot with the C2, and polls the C2 for commands to execute.
Graphican’s commands allow it to create an interactive command line controlled from the C2. They also allow the malware to create files on and download files from the victim machine, create a new process with a hidden window, and create a new PowerShell process with a hidden window. Command output is saved to a temporary file in the temp folder, which is then uploaded to the C2.
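The behaviours listed above (a non-browser process disabling the IE first-run wizard, an unexpected process talking to the Microsoft Graph API, and a hidden PowerShell child) are individually noisy but together form a useful detection chain. The following is an added example of that correlation over Sysmon-style JSON events; it is illustrative detection logic written for this page, not PolySwarm's or Symantec's code. It assumes Sysmon event IDs 1 (process create), 13 (registry value set) and 22 (DNS query), and it assumes the first-run wizard is disabled through the DisableFirstRunCustomize value under the Internet Explorer\Main key, which the page does not name. The sample events, the process name svcupd.exe and the allowlists are all constructed.

```python
import json
from collections import defaultdict

# Sysmon event IDs used below: 1 process create, 13 registry value set, 22 DNS query.
EVT_PROCESS_CREATE, EVT_REG_SET, EVT_DNS = 1, 13, 22

# ASSUMPTION: the page says Graphican disables the IE 10 first-run wizard; the
# DisableFirstRunCustomize value under ...\Internet Explorer\Main is the usual
# way to do that, but the page itself does not name the registry value.
IE_FIRST_RUN_KEY = "software\\microsoft\\internet explorer\\main"
IE_FIRST_RUN_VALUES = {"disablefirstruncustomize"}
# Constructed allowlist: processes expected to legitimately write that key.
BROWSER_WRITERS = {"iexplore.exe", "explorer.exe", "msedge.exe", "gpupdate.exe"}

# Hosts involved in a Graph API / OneDrive session, and constructed allowlist of
# clients expected to reach them in a typical Windows estate.
GRAPH_HOSTS = {"graph.microsoft.com", "login.microsoftonline.com"}
KNOWN_GRAPH_CLIENTS = {"onedrive.exe", "outlook.exe", "teams.exe", "msedge.exe",
                       "iexplore.exe", "svchost.exe"}

SHELLS = {"powershell.exe", "cmd.exe"}
# Constructed allowlist of parents from which a shell launch is unremarkable.
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe",
                       "windowsterminal.exe", "code.exe"}


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def evaluate(ev):
    """Return (rule, suspect_image) if a single event matches a rule, else None."""
    eid = ev.get("EventID")
    image = basename(ev.get("Image", ""))
    if eid == EVT_REG_SET:
        key, _, value = ev.get("TargetObject", "").lower().rpartition("\\")
        if (key.endswith(IE_FIRST_RUN_KEY) and value in IE_FIRST_RUN_VALUES
                and image not in BROWSER_WRITERS):
            return ("ie_first_run_tamper", image)
    elif eid == EVT_DNS:
        if (ev.get("QueryName", "").lower() in GRAPH_HOSTS
                and image not in KNOWN_GRAPH_CLIENTS):
            return ("graph_api_unexpected_client", image)
    elif eid == EVT_PROCESS_CREATE:
        parent = basename(ev.get("ParentImage", ""))
        if image in SHELLS and parent not in INTERACTIVE_PARENTS:
            # The parent that spawned the shell is the suspect, not the shell.
            return ("shell_spawned_by_non_interactive_parent", parent)
    return None


def triage(lines):
    """Evaluate JSON event lines; return {image: sorted list of rule names hit}."""
    hits = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        match = evaluate(json.loads(line))
        if match:
            hits[match[1]].add(match[0])
    return {img: sorted(rules) for img, rules in hits.items()}


def correlate(hits, min_rules=2):
    """Images that exhibit at least min_rules distinct behaviours from the chain."""
    return sorted(img for img, rules in hits.items() if len(rules) >= min_rules)


# Constructed sample events: svcupd.exe plays the suspicious process; the others
# are benign look-alikes that exercise the allowlists.
TMP = "C:\\Users\\u\\AppData\\Local\\Temp\\svcupd.exe"
IE_VALUE = "HKU\\S-1-5-21-1\\Software\\Microsoft\\Internet Explorer\\Main\\DisableFirstRunCustomize"
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": TMP, "TargetObject": IE_VALUE},
    {"EventID": 13, "Image": "C:\\Program Files\\Internet Explorer\\iexplore.exe",
     "TargetObject": IE_VALUE},
    {"EventID": 22, "Image": TMP, "QueryName": "graph.microsoft.com"},
    {"EventID": 22, "Image": "C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe",
     "QueryName": "graph.microsoft.com"},
    {"EventID": 1, "Image": PS, "ParentImage": TMP},
    {"EventID": 1, "Image": PS, "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 22, "Image": "C:\\Users\\u\\Downloads\\tool.exe",
     "QueryName": "graph.microsoft.com"},
]
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    found = triage(SAMPLE_LINES)
    for img, rules in found.items():
        print(f"{img}: {', '.join(rules)}")
    print("correlated:", correlate(found))
```

Each rule alone would fire on legitimate software (tool.exe reaching graph.microsoft.com is a single, weak signal), so `correlate` only surfaces a process that shows at least two of the behaviours, which in the sample is svcupd.exe with all three. In a real deployment the allowlists would come from baselining, and the registry rule should be treated as the assumption it is until confirmed against a sample.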
Vixen Panda used several other tools in this campaign, including the following:
- EWSTEW is another Vixen Panda backdoor that can extract emails from infected Microsoft Exchange servers.
- Mimikatz, Pypykatz, and Safetykatz are credential dumping tools that allow the threat actor to exploit Windows single sign-on functionality to dump secrets from memory.
- Lazagne is an open-source credential recovery application, sometimes abused by threat actors.
- Quarks PwDump is an open-source tool that dumps Windows credentials, including those associated with local and domain accounts and cached domain credentials.
- SharpSecDump is a .NET port of Impacket's secretsdump.py, which provides remote SAM and LSA Secrets dumping functionality.
- K8Tools is a publicly available toolset that provides several capabilities for threat actors, including privilege escalation, password cracking, scanning, and vulnerability exploitation.
- EHole is a publicly available tool used to identify vulnerable systems.
In some cases, Vixen Panda used AntSword, Behinder, China Chopper, and Godzilla web shells to obtain backdoor access to victim machines.
In this campaign, Vixen Panda exploited CVE-2020-1472 (commonly known as Zerologon), a privilege elevation vulnerability in the Netlogon Remote Protocol that allows an attacker to establish a vulnerable Netlogon secure channel connection to a domain controller.
Who is Vixen Panda?
Vixen Panda, also known as APT15, Flea, BackdoorDiplomacy, Ke3Chang, Playful Dragon, Mirage, and Royal APT, is a China-nexus threat actor group active since at least 2004. The group is known to target the energy, financial, government, and military verticals as well as NGOs. Its targets have included entities in Central and South America, the Caribbean, Europe, and North America.
PolySwarm has multiple samples of Graphican.
You can use the following CLI command to search for all Graphican samples in our portal:
$ polyswarm link list -f Graphican