If web servers or network management interfaces are found which have weak points, such as software vulnerabilities or poor file-upload security, the APT will strike. In one case observed by ESET, an F5 bug — CVE-2020-5902 — was used to deploy a Linux backdoor, whereas, in another, BackdoorDiplomacy adopted Microsoft Exchange server bugs to deploy China Chopper, a webshell.
Revealed on Thursday by ESET researchers, the state-sponsored group, dubbed BackdoorDiplomacy, has been linked to successful attacks against Ministries of Foreign Affairs in numerous African countries, the Middle East, Europe, and Asia — alongside a smaller subset of telecommunications firms in Africa and at least one charity outfit in the Middle East. Backdoor Diplomacy is thought to have been in operation since at least 2017. The cross-platform group targets both Linux and Windows systems and seems to prefer to exploit internet-facing, vulnerable devices as an initial attack vector.
Once they have obtained entry, the threat actors will scan the device for the purposes of lateral movement; install a custom backdoor, and deploy a range of tools to conduct surveillance and data theft. The backdoor, dubbed Turian, is thought to be based on the Quarian backdoor — malware linked to attacks used against diplomatic targets in Syria and the US back in 2013.
The main implant is capable of harvesting and exfiltrating system data, taking screenshots, and also overwriting, moving/deleting, or stealing files. Among the tools used is network tunnel software EarthWorm; Mimikatz, NetCat, and software developed by the US National Security Agency (NSA) and dumped by ShadowBrokers, such as EternalBlue, DoublePulsar, and EternalRocks.
VMProtect was used in most cases to try and obfuscate the group’s activities. Diplomats may have to deal with sensitive information handed over through removable drives and storage. To widen the scope of its cyberespionage activities, BackdoorDiplomacy will scan for flash drives and will attempt to copy all files from them into a password-protected archive which is then whisked off to a command-and-control (C2) center via the backdoor. While BackdoorDiplomacy has been registered as an APT in its own right, there do appear to be other links, or at least, common threads, with other threat groups.
The News Highlights
- For African and Middle Eastern officials, this new hacking gang has a terrible surprise in store
- Check the latest update on Security news
For Latest News Follow us on Google News
- Show all
- Trending News
- Popular By week