DUBAI - UAE - ESET Research has uncovered a new APT group BackdoorDiplomacy that primarily targets Ministries of Foreign Affairs in the Middle East and Africa, and less frequently, telecommunication companies. Their attacks usually start by exploiting vulnerable internet-exposed applications on webservers in order to install a custom backdoor that ESET is calling Turian. BackdoorDiplomacy can detect removable media, most likely USB flash drives, and copy their contents to the main drive’s recycle bin. The research was exclusively previewed at the annual ESET World conference this week.
“BackdoorDiplomacy shares tactics, techniques, and procedures with other Asia-based groups. Turian likely represents a next stage evolution of Quarian, the backdoor last observed in use in 2013 against diplomatic targets in Syria and the United States,” says Jean-Ian Boutin, Head of Threat Research at ESET, who worked on this investigation along with Adam Burgher, Senior Threat Intelligence Analyst at ESET. Turian’s network encryption protocol is nearly identical to the network encryption protocol used by Whitebird, a backdoor operated by Calypso, another Asia-based group. Whitebird was deployed within diplomatic organizations in Kazakhstan and Kyrgyzstan during the same timeframe as BackdoorDiplomacy (2017-2020).
Victims of BackdoorDiplomacy have been discovered in the Ministries of Foreign Affairs of several African countries, as well as in Europe, the Middle East, and Asia. Additional targets include telecommunications companies in Africa, and at least one Middle Eastern charity. In each case, operators employed similar tactics, techniques, and procedures (TTPs), but modified the tools used, even within close geographic regions, likely to make tracking the group more difficult.
BackdoorDiplomacy is also a cross-platform group targeting both Windows and Linux systems. The group targets servers with internet-exposed ports, likely exploiting poorly enforced file-upload security or unpatched vulnerabilities – in one instance leading to a webshell, called China Chopper, used by various groups. The operators attempted to disguise their backdoor droppers and evade detection.
A subset of victims was targeted with data collection executables that were designed to look for removable media (most likely USB flash drives). The implant routinely scans for such drives and, upon detecting insertion of removable media, attempts to copy all the files on them to a password-protected archive. BackdoorDiplomacy is capable of stealing the system information of the victim, taking screenshots, and writing, moving, or deleting files.
For more technical details about BackdoorDiplomacy, read the blogpost “BackdoorDiplomacy: Upgrading from Quarian to Turian” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.
© Press Release 2021
Disclaimer: The contents of this press release was provided from an external third party provider. This website is not responsible for, and does not control, such external content. This content is provided on an “as is” and “as available” basis and has not been edited in any way. Neither this website nor our affiliates guarantee the accuracy of or endorse the views or opinions expressed in this press release.
The press release is provided for informational purposes only. The content does not provide tax, legal or investment advice or opinion regarding the suitability, value or profitability of any particular security, portfolio or investment strategy. Neither this website nor our affiliates shall be liable for any errors or inaccuracies in the content, or for any actions taken by you in reliance thereon. You expressly agree that your use of the information within this article is at your sole risk.
To the fullest extent permitted by applicable law, this website, its parent company, its subsidiaries, its affiliates and the respective shareholders, directors, officers, employees, agents, advertisers, content providers and licensors will not be liable (jointly or severally) to you for any direct, indirect, consequential, special, incidental, punitive or exemplary damages, including without limitation, lost profits, lost savings and lost revenues, whether in negligence, tort, contract or any other theory of liability, even if the parties have been advised of the possibility or could have foreseen any such damages.
