{"id":2677,"date":"2021-06-21T13:13:49","date_gmt":"2021-06-21T11:13:49","guid":{"rendered":"https:\/\/fortgale.com\/news\/?p=2677"},"modified":"2026-06-08T23:06:52","modified_gmt":"2026-06-08T23:06:52","slug":"backdoordiplomacy-foreign-affairs-threat","status":"publish","type":"post","link":"https:\/\/fortgale.com\/blog\/emerging-threats\/backdoordiplomacy-foreign-affairs-threat\/","title":{"rendered":"BackdoorDiplomacy \u2014 threat against Ministries of Foreign Affairs"},"content":{"rendered":"\n<p style=\"text-align: justify\"><strong>BackdoorDiplomacy<\/strong> is a group that has targeted <strong>Ministries of Foreign Affairs<\/strong> and <strong>telecommunications companies<\/strong> in <strong>Africa<\/strong> and the <strong>Middle East<\/strong> since 2017.<\/p>\n<p style=\"text-align: justify\">This espionage group, tracked as an APT (Advanced Persistent Threat), gains its initial foothold through vulnerable devices exposed on the Internet, typically web servers and the management interfaces of network appliances.<\/p>\n<p style=\"text-align: justify\">Once inside the network, the group relies on open-source tools for scanning and lateral movement. Interactive access to compromised machines is obtained through the <strong>Turian backdoor<\/strong> or through remote administration tools (<strong>RATs<\/strong>).<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">ESET Analysis: <a href=\"https:\/\/www.welivesecurity.com\/2021\/06\/10\/backdoordiplomacy-upgrading-quarian-turian\/\" class=\"ek-link\">https:\/\/www.welivesecurity.com\/2021\/06\/10\/backdoordiplomacy-upgrading-quarian-turian\/<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Similarities with Known Groups<\/h2>\n\n\n\n<p style=\"text-align: justify\">The <strong>BackdoorDiplomacy<\/strong> group shares several characteristics with known groups originating from Asia. 
In particular, its compromise mechanisms closely resemble those of <strong>Rehashed Rat<\/strong>, <strong>MirageFox<\/strong> (<strong>APT15<\/strong>), and <strong>CloudComputating<\/strong>.<\/p>\n\n\n\n<p style=\"text-align: justify\">The Turian backdoor itself closely resembles an older backdoor, Quarian, which was also used in attacks against the diplomatic sector.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Compromise Chain<\/h2>\n\n\n\n<p style=\"text-align: justify\"><strong>BackdoorDiplomacy<\/strong> exploits vulnerabilities in devices publicly exposed on the Internet, such as <strong>Microsoft Exchange<\/strong> servers or <strong>F5 BIG-IP<\/strong> appliances. Reconnaissance and lateral movement follow, conducted with open-source and publicly leaked tools:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><strong>EarthWorm<\/strong>, a simple network tunnel with a SOCKS v5 server and port forwarding<\/li><li><strong>Mimikatz<\/strong>, for extracting credentials from memory<\/li><li><strong>Nbtscan<\/strong>, a command-line NetBIOS scanner<\/li><li><strong>NetCat<\/strong>, a network utility that reads and writes data across network connections<\/li><li><strong>PortQry<\/strong>, a tool that reports the status of TCP and UDP ports on remote hosts<\/li><li><strong>SMBTouch<\/strong>, used to determine whether a target is vulnerable to <strong>EternalBlue<\/strong><\/li><li>Various tools from the ShadowBrokers dump of NSA tools, including but not limited to:<ul><li>DoublePulsar<\/li><li>EternalBlue<\/li><li>EternalRocks<\/li><li>EternalSynergy<\/li><\/ul><\/li><\/ul>\n\n\n\n<p style=\"text-align: justify\">The Turian backdoor is then loaded into memory and executed. 
Its first action is to write a temporary batch file, <strong>tmp.bat<\/strong>, which registers the backdoor under both the per-user and the machine-wide Run keys so that it starts at every logon, then deletes itself. The mixed-case spelling of <code>reg add<\/code> and of the key path is deliberate: cmd.exe and the registry treat it exactly like the canonical spelling, but a case-sensitive string match on the usual <code>CurrentVersion\\Run<\/code> will miss it. Angle brackets mark the values Turian fills in at runtime (the file name and location of the Turian binary):<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ReG aDd HKEY_CURRENT_USER\\sOFtWArE\\MIcrOsOft\\WindOwS\\CurRentVeRsiOn\\RuN \/v &lt;Turian_filename&gt; \/t REG_SZ \/d \"&lt;Turian_directory&gt;\\&lt;Turian_filename&gt;\" \/f\nReG aDd HKEY_LOCAL_MACHINE\\sOFtWArE\\MIcrOsOft\\WindOwS\\CurRentVeRsiOn\\RuN \/v &lt;Turian_filename&gt; \/t REG_SZ \/d \"&lt;Turian_directory&gt;\\&lt;Turian_filename&gt;\" \/f\ndel %0<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">The HKEY_LOCAL_MACHINE entry is only written when Turian runs with administrative rights; the HKEY_CURRENT_USER entry needs no elevation, so the per-user entry survives even when the machine-wide write fails. Turian then looks for a <strong>Sharedaccess.ini<\/strong> file and, if one is present, reads the command-and-control address stored in it; otherwise it connects to the C2 address embedded in its configuration. Our <a href=\"https:\/\/fortgale.com\/en\/cyber-threat-intelligence\/\">Cyber Threat Intelligence<\/a> operations have tracked this connectivity pattern across multiple victim environments in the targeted regions.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Indicators of Compromise<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">SHA-1<\/h3>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-8f761849 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\">\n<p class=\"wp-block-paragraph\">3C0DB3A5194E1568E8E2164149F30763B7F3043D<br>  32EF3F67E06C43C18E34FB56E6E62A6534D1D694<br>  8C4D2ED23958919FE10334CCFBE8D78CD0D991A8<br>  C0A3F78CF7F0B592EF813B15FC0F1D28D94C9604<br>  CDD583BB6333644472733617B6DCEE2681238A11<br>  FA6C20F00F3C57643F312E84CC7E46A0C7BABE75<br>  5F87FBFE30CA5D6347F4462D02685B6E1E90E464<br>  B6936BD6F36A48DD1460EEB4AB8473C7626142AC<br>  B16393DFFB130304AD627E6872403C67DD4C0AF3<br>  9DBBEBEBBA20B1014830B9DE4EC9331E66A159DF<br>  564F1C32F2A2501C3C7B51A13A08969CDC3B0390<br>  6E1BB476EE964FFF26A86E4966D7B82E7BACBF47<\/p>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-layout-flow 
wp-block-column-is-layout-flow\">\n<p class=\"wp-block-paragraph\">FBB0A4F4C90B513C4E51F0D0903C525360FAF3B7<br>\n  2183AE45ADEF97500A26DBBF69D910B82BFE721A<br>\n  849B970652678748CEBF3C4D90F435AE1680601F<br>\n  C176F36A7FC273C9C98EA74A34B8BAB0F490E19E<br>\n  626EFB29B0C58461D831858825765C05E1098786<br>\n  40E73BF21E31EE99B910809B3B4715AF017DB061<br>\n  255F54DE241A3D12DEBAD2DF47BAC5601895E458<br>\n  A99CF07FBA62A63A44C6D5EF6B780411CF1B1073<br>\n  934B3934FDB4CD55DC4EA1577F9A394E9D74D660<br>\n  EF4DF176916CE5882F88059011072755E1ECC482<\/p>\n<\/div>\n<\/div>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-8f761849 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\">\n<h3 class=\"wp-block-heading\">IP Addresses<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">199.247.9[.]67<br>\n 43.251.105[.]218<br>\n 43.251.105[.]222<br>\n 162.209.167[.]154<br>\n 43.225.126[.]179<br>\n 23.247.47[.]252<br>\n 162.209.167[.]189<br>\n 23.83.224[.]178<br>\n 23.106.140[.]207<br>\n 45.76.120[.]84<br>\n 78.141.243[.]45<br>\n 78.141.196[.]159<br>\n 45.77.215[.]53<br>\n 207.148.8[.]82<br>\n 43.251.105[.]139<br>\n 152.32.180[.]34<br>\n 23.228.203[.]130<\/p>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\">\n<h3 class=\"wp-block-heading\">Domains<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">systeminfo.myftp[.]name<br>\n systeminfo.oicp[.]net<br>\n dynsystem.imbbs[.]in<br>\n officeupdate.ns01[.]us<br>\n officeupdates.cleansite[.]us<br>\n web.vpnkerio[.]com<br>\n www.freedns02.dns2[.]us<br>\n pmdskm[.]top<br>\n szsz.pmdskm[.]top<br>\n infoafrica[.]top<br>\n icta.worldmessg[.]com<br>\n winupdate.ns02[.]us<br>\n 
www.intelupdate.dns1[.]us<br>\n nsupdate.dns2[.]us<br>\n bill.microsoftbuys[.]com<br>\n systeminfo.cleansite[.]info<br>\n updateip.onmypc[.]net<br>\n buffetfactory.oicp[.]io<\/p>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>BackdoorDiplomacy APT activity against diplomatic missions and telecom operators: tooling, infrastructure overlap with known Chinese clusters and victim profiles.<\/p>\n","protected":false},"author":1,"featured_media":2693,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[32,45,46,3286,3285,3065,147,212,350,364],"class_list":["post-2677","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-emerging-threats","tag-apt","tag-backdoor","tag-backdoordiplomacy","tag-china-aligned","tag-diplomatic-targeting","tag-espionage","tag-foreign-affairs","tag-malware","tag-threat","tag-turian"],"_links":{"self":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/2677","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/comments?post=2677"}],"version-history":[{"count":1,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/2677\/revisions"}],"predecessor-version":[{"id":9901,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/2677\/revisions\/9901"}],"wp:attachment":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media?parent=2677"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/categories?post=2677"},{"taxonomy":"post_tag","embe
ddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/tags?post=2677"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
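The tmp.bat persistence step and the indicator lists in the post above both lend themselves to a small hunting script. The following Python is an added example written for this page, not code from Fortgale or from the ESET analysis it summarises. It refangs the published indicators, matches them against DNS query names (including sub-domains of a listed domain), and flags reg.exe writes to the HKCU and HKLM Run keys case-insensitively, so the mixed-case spelling used by tmp.bat does not evade it. The Sysmon-style events and their field names are constructed for the example; the indicator values are copied from the lists above.

```python
"""Hunting helpers for Turian's tmp.bat persistence and the published IoCs.

Added example for this article, not Fortgale's or ESET's code. The events are
constructed: fields mirror Sysmon process-creation (Image, CommandLine,
ParentCommandLine) and DNS-query (QueryName) records, reduced to plain dicts.
Indicator values are copied from the article's lists (a subset).
"""
import re
from ipaddress import ip_address

DEFANGED_DOMAINS = [
    "systeminfo.myftp[.]name", "officeupdate.ns01[.]us",
    "Infoafrica[.]top", "www.intelupdate.dns1[.]us",
]
DEFANGED_IPS = ["199.247.9[.]67", "43.251.105[.]218", "45.77.215[.]53"]


def refang(indicator: str) -> str:
    """'1.2.3[.]4' or 'hxxp://a[.]b/' -> '1.2.3.4' / 'a.b', lower-cased."""
    v = indicator.strip().lower()
    for token in ("[.]", "(.)", "[dot]"):
        v = v.replace(token, ".")
    return re.sub(r"^hxxps?://", "", v).rstrip("/")


def build_iocs(domains=DEFANGED_DOMAINS, ips=DEFANGED_IPS):
    """Refang both lists into sets. A malformed IP raises ValueError, so a typo
    in the indicator list fails when the rules load instead of never matching."""
    bad_domains = {refang(d) for d in domains}
    bad_ips = set()
    for raw in ips:
        v = refang(raw)
        ip_address(v)
        bad_ips.add(v)
    return bad_domains, bad_ips


def matches_ioc(value: str, bad_domains, bad_ips) -> bool:
    """Exact match for IPs; for names, the name itself or any parent domain that
    is an indicator (so 'x.pmdskm.top' hits 'pmdskm.top')."""
    v = value.strip().lower().rstrip(".")
    if v in bad_ips:
        return True
    labels = v.split(".")
    return any(".".join(labels[i:]) in bad_domains for i in range(len(labels)))


# Case-insensitive on purpose: tmp.bat spells 'ReG aDd' and 'CurRentVeRsiOn\RuN'
# in mixed case, which cmd.exe and the registry accept but a case-sensitive
# string match on the canonical key path would miss.
RUN_KEY_WRITE = re.compile(
    r'\breg(?:\.exe)?"?\s+add\s+"?(hkcu|hkey_current_user|hklm|hkey_local_machine)'
    r'\\software\\microsoft\\windows\\currentversion\\run\b',
    re.IGNORECASE,
)
TMP_BAT_PARENT = re.compile(r"\\tmp\.bat\b", re.IGNORECASE)


def persistence_findings(event: dict) -> list:
    """Reasons a process-creation event looks like Turian's tmp.bat running."""
    reasons = []
    m = RUN_KEY_WRITE.search(event.get("CommandLine", ""))
    if m:
        is_hklm = m.group(1).upper() in ("HKLM", "HKEY_LOCAL_MACHINE")
        reasons.append("run_key_write:" + ("HKLM" if is_hklm else "HKCU"))
    if TMP_BAT_PARENT.search(event.get("ParentCommandLine", "")):
        reasons.append("parent_is_tmp_bat")
    return reasons


def hunt(process_events, dns_events, domains=DEFANGED_DOMAINS, ips=DEFANGED_IPS):
    """Run both checks; returns (kind, subject, reasons) tuples."""
    bad_domains, bad_ips = build_iocs(domains, ips)
    hits = []
    for e in process_events:
        reasons = persistence_findings(e)
        if reasons:
            hits.append(("persistence", e.get("Image", "?"), reasons))
    for e in dns_events:
        if matches_ioc(e["QueryName"], bad_domains, bad_ips):
            hits.append(("c2_lookup", e["QueryName"], ["network_ioc"]))
    return hits


# Constructed sample telemetry, not real events.
SAMPLE_PROCESS_EVENTS = [
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'ReG aDd HKEY_CURRENT_USER\sOFtWArE\MIcrOsOft\WindOwS\CurRentVeRsiOn\RuN /v svchost /t REG_SZ /d "C:\Users\Public\svchost.exe" /f',
     "ParentCommandLine": r'cmd.exe /c "C:\Users\Public\tmp.bat"'},
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'ReG aDd HKEY_LOCAL_MACHINE\sOFtWArE\MIcrOsOft\WindOwS\CurRentVeRsiOn\RuN /v svchost /t REG_SZ /d "C:\Users\Public\svchost.exe" /f',
     "ParentCommandLine": r'cmd.exe /c "C:\Users\Public\tmp.bat"'},
    {"Image": r"C:\Windows\System32\reg.exe",  # benign admin query; must not fire
     "CommandLine": r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "ParentCommandLine": r"C:\Windows\System32\cmd.exe"},
]
SAMPLE_DNS_EVENTS = [
    {"QueryName": "www.intelupdate.dns1.us"},
    {"QueryName": "INFOAFRICA.TOP."},       # case and trailing dot must not matter
    {"QueryName": "update.microsoft.com"},  # benign
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_PROCESS_EVENTS, SAMPLE_DNS_EVENTS):
        print(hit)
```

Two caveats when adapting this to real telemetry. Process-creation events (Sysmon Event ID 1) only show the reg.exe children and the cmd.exe parent that ran the batch file; the batch body, including the `del %0` self-deletion, never appears in process telemetry, which is why the rule keys on the Run-key write and on a parent command line naming tmp.bat. A file-creation rule (Sysmon Event ID 11) for tmp.bat and Sharedaccess.ini written next to an executable is the natural complement. And because several of the listed domains sit under dynamic-DNS providers (dns1[.]us, ns02[.]us, oicp[.]net), the matcher deliberately compares against the full indicator rather than the provider's zone, otherwise every unrelated customer of that provider would light up.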