BackdoorDiplomacy — threat against Ministries of Foreign Affairs
BackdoorDiplomacy is a group that has targeted Ministries of Foreign Affairs and telecommunications companies in Africa and the Middle East since 2017.
The group, tracked as an APT (Advanced Persistent Threat), gains its initial access through vulnerable devices exposed on the Internet, typically web servers and the management interfaces of network equipment.
Once inside, the group relies on open-source tools for scanning and lateral movement. Interactive access to compromised hosts is obtained through the Turian backdoor or through remote administration tools (RATs).
ESET Analysis: https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/
Similarities with Known Groups
The BackdoorDiplomacy group shares certain characteristics with known groups originating from Asia. In particular, its compromise mechanisms closely resemble those of Rehashed Rat, MirageFox (APT15), and CloudComputating.
The Turian backdoor it uses is very similar to Quarian, a backdoor also used in attacks against the diplomatic sector.
Compromise Chain
BackdoorDiplomacy exploits vulnerabilities in Internet-exposed devices such as Microsoft Exchange servers or F5 BIG-IP appliances. Reconnaissance and lateral movement follow, conducted with open-source tools and with leaked offensive tooling:
- EarthWorm, a simple network tunnel with a SOCKS v5 server and port-forwarding functionality
- Mimikatz, for credential extraction
- Nbtscan, a command-line NetBIOS scanner
- NetCat, a network utility that reads and writes data across network connections
- PortQry, a tool that reports the status of TCP and UDP ports on remote hosts
- SMBTouch, used to determine whether a target is vulnerable to EternalBlue
- Various tools from the ShadowBrokers dump of NSA tooling, including but not limited to:
  - DoublePulsar
  - EternalBlue
  - EternalRocks
  - EternalSynergy
The Turian backdoor is loaded into memory and executed. Its first action is to write a temporary batch file, tmp.bat, that registers the backdoor under the Run key of both the current user and the local machine and then deletes itself once it has run. The angle-bracket placeholders stand for values the backdoor fills in at run time, its own file name and the directory it was dropped to:
ReG aDd HKEY_CURRENT_USER\sOFtWArE\MIcrOsOft\WindOwS\CurRentVeRsiOn\RuN /v <Turian_filename> /t REG_SZ /d "<Turian_directory>\<Turian_filename>" /f
ReG aDd HKEY_LOCAL_MACHINE\sOFtWArE\MIcrOsOft\WindOwS\CurRentVeRsiOn\RuN /v <Turian_filename> /t REG_SZ /d "<Turian_directory>\<Turian_filename>" /f
del %0
The mixed casing of reg add and of the key path is deliberate: cmd.exe and the registry both treat these names case-insensitively, so the commands run unchanged while a case-sensitive string match on the usual "Software\Microsoft\Windows\CurrentVersion\Run" misses them. Detection logic for this persistence should therefore match case-insensitively and on the Run key path, not on an exact string.
The backdoor then checks whether a Sharedaccess.ini file is present and whether it holds a command-and-control (C2) server address, after which it connects to the C2 server address in its configuration; the presence of Sharedaccess.ini beside the backdoor is itself a host artefact worth hunting for. Our Cyber Threat Intelligence operations have tracked this connectivity pattern across multiple victim environments in the targeted regions.
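As a practical check on the persistence step described above, the following Python is an added example written for this page; it is not ESET's code and not part of the original analysis. It runs a Run-key persistence detection over constructed process-creation records (fields shaped like Sysmon Event ID 1 or Windows 4688) and also checks captured batch content for the self-deleting del %0 pattern. The value name "iexplore", the drop path under C:\Users\Public, the record layout and the case-mangling threshold are all assumptions of the example.

```python
import re

# Constructed process-creation records, shaped like the fields of a Sysmon Event ID 1 or
# Windows 4688 event. Sample data for this example only, not telemetry from a real victim;
# the value name "iexplore" and the drop path are assumptions.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\Users\Public\tmp.bat"},
    {"pid": 4121, "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'ReG aDd HKEY_CURRENT_USER\sOFtWArE\MIcrOsOft\WindOwS\CurRentVeRsiOn\RuN /v iexplore /t REG_SZ /d "C:\Users\Public\iexplore.exe" /f'},
    {"pid": 4122, "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v iexplore /t REG_SZ /d "C:\Users\Public\iexplore.exe" /f'},
    {"pid": 5001, "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"},
    {"pid": 5002, "image": r"C:\Program Files\Vendor\installer.exe",
     "cmdline": r"reg add HKLM\SOFTWARE\Vendor\App /v Version /t REG_SZ /d 1.2 /f"},
]

# Constructed content of a self-deleting batch file in the shape described above.
SAMPLE_BATCH = "\r\n".join([SAMPLE_EVENTS[1]["cmdline"], SAMPLE_EVENTS[2]["cmdline"], "del %0", ""])

# Case-insensitive on purpose: cmd.exe and the registry ignore case, so the detection must too.
RUN_KEY_RE = re.compile(
    r"\b(?P<verb>reg(?:\.exe)?\"?\s+add)\s+\"?"
    r"(?P<key>HK(?:EY_)?(?:CU|CURRENT_USER|LM|LOCAL_MACHINE)\\"
    r"software\\microsoft\\windows\\currentversion\\run(?:once)?)\"?(?=\s|$)",
    re.IGNORECASE,
)
VALUE_RE = re.compile(r"/v\s+(?P<name>\"[^\"]*\"|\S+)", re.IGNORECASE)
DATA_RE = re.compile(r"/d\s+(?P<data>\"[^\"]*\"|\S+)", re.IGNORECASE)
# del %0 or del "%~f0", optionally with switches such as /f /q
SELF_DELETE_RE = re.compile(r"^\s*del\s+(?:/[a-z]\s+)*\"?%(?:~f)?0\"?\s*$", re.IGNORECASE | re.MULTILINE)
# Locations a user can write to without elevation; a Run-key payload living there is suspicious.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\", "\\public\\")


def looks_case_mangled(text: str) -> bool:
    """True when any backslash-separated segment flips case more than ordinary CamelCase does.

    Threshold of three transitions (an assumption): "CurrentVersion" has three, "sOFtWArE" five.
    """
    for segment in text.split("\\"):
        letters = [c for c in segment if c.isalpha()]
        flips = sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())
        if flips > 3:
            return True
    return False


def detect_run_key_persistence(events):
    """Return one finding per 'reg add' that writes a Run/RunOnce value, with indicators."""
    findings = []
    for event in events:
        cmd = event["cmdline"]
        match = RUN_KEY_RE.search(cmd)
        if not match:
            continue
        name_match = VALUE_RE.search(cmd, match.end())
        data_match = DATA_RE.search(cmd, match.end())
        payload = data_match.group("data").strip('"') if data_match else ""
        indicators = ["run_key_add"]
        verb = re.sub(r"\s+", "", match.group("verb"))
        if looks_case_mangled(match.group("key")) or looks_case_mangled(verb):
            indicators.append("case_obfuscation")
        if any(marker in payload.lower() for marker in USER_WRITABLE):
            indicators.append("user_writable_path")
        findings.append({
            "pid": event["pid"],
            "key": match.group("key"),
            "value_name": name_match.group("name").strip('"') if name_match else "",
            "payload": payload,
            "indicators": indicators,
        })
    return findings


def is_self_deleting_batch(content: str) -> bool:
    """True when captured batch content ends by deleting itself (del %0 / del "%~f0")."""
    return SELF_DELETE_RE.search(content) is not None


if __name__ == "__main__":
    for finding in detect_run_key_persistence(SAMPLE_EVENTS):
        print(finding)
    print("self-deleting batch:", is_self_deleting_batch(SAMPLE_BATCH))
```

The obfuscated HKCU command and the plain HKLM command both trigger the Run-key rule, which is the point: the rule keys on the registry path, not on the attacker's spelling. The case-mangling and user-writable-path indicators are there to raise the score of the BackdoorDiplomacy variant above routine installer activity, and the self-deletion check only works where file content is captured (an EDR file-write event or a recovered copy), since the batch file is gone by the time anyone looks.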
Indicators of Compromise
SHA-1
3C0DB3A5194E1568E8E2164149F30763B7F3043D
32EF3F67E06C43C18E34FB56E6E62A6534D1D694
8C4D2ED23958919FE10334CCFBE8D78CD0D991A8
C0A3F78CF7F0B592EF813B15FC0F1D28D94C9604
CDD583BB6333644472733617B6DCEE2681238A11
FA6C20F00F3C57643F312E84CC7E46A0C7BABE75
5F87FBFE30CA5D6347F4462D02685B6E1E90E464
B6936BD6F36A48DD1460EEB4AB8473C7626142AC
B16393DFFB130304AD627E6872403C67DD4C0AF3
9DBBEBEBBA20B1014830B9DE4EC9331E66A159DF
564F1C32F2A2501C3C7B51A13A08969CDC3B0390
6E1BB476EE964FFF26A86E4966D7B82E7BACBF47
FBB0A4F4C90B513C4E51F0D0903C525360FAF3B7
2183AE45ADEF97500A26DBBF69D910B82BFE721A
849B970652678748CEBF3C4D90F435AE1680601F
C176F36A7FC273C9C98EA74A34B8BAB0F490E19E
626EFB29B0C58461D831858825765C05E1098786
40E73BF21E31EE99B910809B3B4715AF017DB061
255F54DE241A3D12DEBAD2DF47BAC5601895E458
A99CF07FBA62A63A44C6D5EF6B780411CF1B1073
934B3934FDB4CD55DC4EA1577F9A394E9D74D660
EF4DF176916CE5882F88059011072755E1ECC482
IP Addresses
199.247.9[.]67
43.251.105[.]218
43.251.105[.]222
162.209.167[.]154
43.225.126[.]179
23.247.47[.]252
162.209.167[.]189
23.83.224[.]178
23.106.140[.]207
45.76.120[.]84
78.141.243[.]45
78.141.196[.]159
45.77.215[.]53
207.148.8[.]82
43.251.105[.]139
152.32.180[.]34
23.228.203[.]130
Domains
systeminfo.myftp[.]name
systeminfo.oicp[.]net
dynsystem.imbbs[.]in
officeupdate.ns01[.]us
officeupdates.cleansite[.]us
web.vpnkerio[.]com
www.freedns02.dns2[.]us
pmdskm[.]top
szsz.pmdskm[.]top
Infoafrica[.]top
icta.worldmessg[.]com
winupdate.ns02[.]us
www.intelupdate.dns1[.]us
nsupdate.dns2[.]us
bill.microsoftbuys[.]com
systeminfo.cleansite[.]info
updateip.onmypc[.]net
buffetfactory.oicp[.]io
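To put the indicators above to use, the following Python is an added example for this page, not code from ESET or from the original analysis. It normalises a defanged IOC list (a subset copied from the lists above, duplicates included on purpose), splits it into de-duplicated IP and domain sets, and matches DNS resolver log lines against it with proper domain-suffix matching. The log lines are constructed sample data, and their four-field layout (timestamp, client, query name, answer) is an assumption of the example.

```python
import ipaddress

# A subset of the indicators listed above, copied in their defanged form. Duplicates are
# left in on purpose to show that normalisation collapses them.
RAW_IOCS = """
199.247.9[.]67
43.251.105[.]218
43.251.105[.]222
43.251.105[.]218
systeminfo.myftp[.]name
officeupdate.ns01[.]us
winupdate.ns02[.]us
winupdate.ns02[.]us
www.intelupdate.dns1[.]us
Infoafrica[.]top
pmdskm[.]top
szsz.pmdskm[.]top
"""

# Constructed DNS resolver log lines (assumed format: timestamp, client, query name,
# answer). Sample data for the example, not real traffic; the non-IOC answers use
# documentation address ranges.
SAMPLE_DNS_LOG = [
    "2021-06-11T08:14:02Z 10.20.0.15 szsz.pmdskm.top. 43.251.105.218",
    "2021-06-11T08:14:05Z 10.20.0.15 update.example.com. 203.0.113.10",
    "2021-06-11T08:15:40Z 10.20.0.22 cdn.infoafrica.top. 198.51.100.7",
    "2021-06-11T08:16:01Z 10.20.0.31 intranet.example.local. 10.20.0.5",
    "2021-06-11T08:17:12Z 10.20.0.40 www.example.org. 199.247.9.67",
]

DEFANG_MAP = {"[.]": ".", "(.)": ".", "{.}": ".", "[dot]": ".", "hxxp": "http"}


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into its real, lower-cased form."""
    value = ioc.strip().lower()
    for defanged, real in DEFANG_MAP.items():
        value = value.replace(defanged, real)
    return value.rstrip(".")


def load_iocs(text: str):
    """Split a defanged IOC list into de-duplicated sets of IP addresses and domains."""
    ips, domains = set(), set()
    for line in text.splitlines():
        value = refang(line)
        if not value:
            continue
        try:
            ips.add(str(ipaddress.ip_address(value)))
        except ValueError:
            domains.add(value)
    return ips, domains


def match_domain(name: str, domains):
    """Return the IOC domain that `name` equals or is a subdomain of, else None.

    Matching walks the label suffixes (exact name first, then each parent), so
    szsz.pmdskm.top matches the pmdskm.top indicator but pmdskm.top.evil.example
    does not; a plain substring check would produce that false positive.
    """
    labels = refang(name).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def scan_dns_log(lines, ips, domains):
    """Flag log lines whose query name or resolved address hits the IOC sets."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        timestamp, client, qname, answer = parts
        reasons = []
        matched = match_domain(qname, domains)
        if matched:
            reasons.append(f"domain:{matched}")
        if answer in ips:
            reasons.append(f"ip:{answer}")
        if reasons:
            hits.append({"time": timestamp, "client": client,
                         "query": qname.rstrip("."), "reasons": reasons})
    return hits


if __name__ == "__main__":
    ioc_ips, ioc_domains = load_iocs(RAW_IOCS)
    for hit in scan_dns_log(SAMPLE_DNS_LOG, ioc_ips, ioc_domains):
        print(hit)
```

Two practitioner caveats apply. Suffix matching is the right shape for domain IOCs (an unlisted subdomain of pmdskm[.]top is still attacker infrastructure), but it must never be relaxed to a substring test. And the IP addresses above date from the 2021 reporting and sit on rented hosting, so an IP-only hit is a lead to corroborate with the file hashes and the Run-key behaviour described earlier, not a verdict on its own.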