Experienced China-based hacking group has new backdoor tool, researchers say

The Chinese cyber-espionage group known as Nickel or APT15 used a previously unseen backdoor to attack ministries of foreign affairs in Central and South America, researchers reported Wednesday.

In the campaign that ran from late 2022 into early 2023, hackers targeted a government finance department and an unnamed corporation as well as the foreign affairs ministries. according to cybersecurity firm Symantec, which investigated the incident.

Additionally, there was a single target located in a European country that had previously experienced an unrelated ransomware attack in July 2022, the researchers said.

Symantec said the China-based group used a large number of tools, including the recently developed Graphican backdoor, which is an upgrade from the previously used Ketrican backdoor.

Nickel has been spying on governments, diplomatic missions and embassies since at least 2004. Its selection of targets also points to geopolitical motives behind the campaigns, Symantec said.

In 2021, Microsoft seized 42 domains used by Nickel to target organizations in the U.S. and 28 other countries. The group was also linked to a long-running campaign targeting Uyghur-language websites and social media in China.

Nickel is believed to be “a large and well-resourced group,” and it seems that exposures and takedowns of its domains “have failed to have a significant impact” on its activity, Symantec said.

Graphican and more

The Graphican backdoor uses Microsoft Graph API and OneDrive services to connect with an encrypted command-and-control infrastructure address, allowing hackers to remotely control compromised systems, Symantec said

Once inside the victim’s computer, Graphican can create and download files, as well as launch a PowerShell script, allowing hackers to execute the malicious code discreetly without notifying the user.

Other tools used by Nickel in the recent campaign include the widely known Mimikatz exploit for extracting sensitive login credentials and authentication information. The list also includes:

• EWSTEW — a backdoor used to extract emails on infected Microsoft mail servers.
• Lazagne — a publicly available, open-source tool designed to retrieve passwords from multiple applications.
• Quarks PwDump — an open-source tool that can dump various types of Windows credentials: local accounts, domain accounts, and cached domain credentials.
• K8Tools — a publicly available toolset with a wide variety of capabilities, including privilege escalation, password cracking, a scanning tool, and vulnerability utilization.
• EHole — A publicly available tool that can help attackers identify vulnerable systems.

Nickel traditionally used email as an initial infection vector, but there have also been reports of it exploiting public-facing applications, as well as using VPNs, to gain initial access to victim networks, according to Symantec.

The use of a new backdoor by Nickel shows that this group, despite its long years of operation, continues to actively develop new tools.

The similarities between Graphican and the known Ketrican backdoor may indicate that the group is not very concerned about having activity attributed to it, researchers said.