New APT BackdoorDiplomacy team attacks diplomats

ESET Research has identified BackdoorDiplomacy, a new APT (advanced persistent threat) group that mainly targets Ministries of Foreign Affairs in the Middle East and Africa and, less often, telecommunications companies.

Its attacks typically exploit vulnerable applications running on web servers in order to install a backdoor that ESET has named Turian. BackdoorDiplomacy can also detect removable storage media, most likely USB drives, and copy their contents to the recycle bin of the main drive.

The research was presented exclusively at the annual ESET World conference this week.
"The BackdoorDiplomacy team uses similar malicious tactics, techniques and procedures to those used by other teams in Asia. Turian is probably the next step in the development of Quarian, the malware last used in 2013 to attack diplomatic targets in Syria and the United States," said Jean-Ian Boutin, ESET's Head of Threat Research, who worked on this research with Adam Burgher, Senior Threat Intelligence Analyst at ESET.

Turian's network encryption protocol is almost identical to that of Whitebird, the malware used by the Asia-based Calypso team. Whitebird targeted diplomatic missions in Kazakhstan and Kyrgyzstan during the same period as BackdoorDiplomacy (2017-2020).

Victims of the BackdoorDiplomacy group have been identified in the Foreign Ministries of many African countries, as well as in Europe, the Middle East and Asia. Additional targets include telecommunications companies in Africa and at least one charity in the Middle East. In each case, the attackers used similar tactics, techniques and procedures, but modified the tools that were used, even in the same geographical areas, possibly to make tracking the group more difficult.

BackdoorDiplomacy is a cross-platform team, targeting both Windows and Linux systems. The group attacks servers with ports exposed to the internet, likely exploiting poorly implemented file-upload security or vulnerabilities that have not been patched; in one case this led to the deployment of China Chopper, a webshell used by various groups. The attackers tried to cover their tracks and avoid detection.

A subset of the victims was targeted with data-collection executables designed to look for removable media (most likely USB drives). The malware regularly scans for such drives and, upon detecting the insertion of removable media, attempts to copy all files present on them into a password-protected archive. BackdoorDiplomacy is able to steal the victim's system information, take screenshots, and write, move or delete files.

For more technical details about the BackdoorDiplomacy team, you can read the blogpost “BackdoorDiplomacy: Upgrading from Quarian to Turian” at WeLiveSecurity.

Figure: Victims by country and by industry


Written by newsbot

Although press releases here will range from very selective to rare, I decided to run this one ... because sometimes the authors are hiding.
