ESET Research has identified the BackdoorDiplomacy team, a new APT (advanced persistent threat) team targeting mainly Foreign Ministries in the Middle East and Africa, and less frequently, telecommunications companies.
Malicious attacks typically exploit vulnerable applications running on web servers to install a backdoor that ESET named Turian. The BackdoorDiplomacy team can and does detect removable storage media, most likely USB drives, and copy their contents to the main drive's recycle bin disk.
Η research presented exclusively at the annual ESET World conference this week.
"The BackdoorDiplomacy team uses similar malicious tactics, techniques and procedures to those used by other teams in Asia. "Turian is probably the next step in the development of Quarian, the malware last used in 2013 to attack diplomatic targets in Syria and the United States," said Jean-Ian Boutin, ESET's Head of Threat Research, who worked with for this research with Adam Burgher, Senior Threat Intelligence Analyst at ESET.
Turian's network encryption protocol is almost identical to that of Whitebird, the malware used by the Asia-based Calypso team. Whitebird targeted diplomatic missions in Kazakhstan and Kyrgyzstan during the same period as BackdoorDiplomacy (2017-2020).
Victims of the BackdoorDiplomacy group have been identified in Foreign Ministries of many African countries, as well as in Europe, the Middle East and Asia. Additional targets include telecommunications companies in Africa and at least one charity in the Middle East. In each case, cybercriminals used similar tactics, techniques and procedures, but modified the tools used, even in the same geographic regions, possibly to make the monitoring of the group more difficult.
BackdoorDiplomacy is a team that operates on many platforms, targeting both Windows and Linux systems. The group attacks servers with ports exposed to the internet, most likely taking advantage of inadequately applied file upload security or vulnerabilities that have not been updated - in one case leading to a webshell called China Chopper and used by various groups. The cybercriminals tried to hide their traces and avoid detection.
A subset of victims were targeted with data-harvesting executables designed to search for removable media (most likely USB drives). The malware regularly scans for such drives and, upon detecting the insertion of removable media, attempts to copy all files on them to a archive με κωδικό πρόσβασης. Η BackdoorDiplomacy έχει τη δυνατότητα να κλέβει τις πληροφορίες συστήματος του θύματος, να λαμβάνει στιγμιότυπα οθόνης και να γράφει, να μετακινεί ή να διαγράφει αρχεία.
For more technical details about the BackdoorDiplomacy team, you can read the blogpost “BackdoorDiplomacy: Upgrading from Quarian to Turian”At WeLiveSecurity.
Victims by country and by industry
