A recently-discovered advanced persistent threat (APT) group is targeting diplomats across Africa and the Middle East.
Revealed on Thursday by ESET researchers, the state-sponsored group, dubbed BackdoorDiplomacy, has been linked to successful attacks against Ministries of Foreign Affairs in numerous African countries, the Middle East, Europe, and Asia — alongside a smaller subset of telecommunications firms in Africa and at least one charity outfit in the Middle East.
BackdoorDiplomacy is thought to have been in operation since at least 2017. The cross-platform group targets both Linux and Windows systems and seems to prefer to exploit internet-facing, vulnerable devices as an initial attack vector.
When the group finds web servers or network management interfaces with weak points, such as software vulnerabilities or poor file-upload security, it strikes. In one case observed by ESET, an F5 bug — CVE-2020-5902 — was used to deploy a Linux backdoor, whereas, in another, BackdoorDiplomacy used Microsoft Exchange server bugs to deploy China Chopper, a webshell.
Once they have obtained entry, the threat actors scan the device in preparation for lateral movement, install a custom backdoor, and deploy a range of tools to conduct surveillance and data theft.
The backdoor, dubbed Turian, is thought to be based on the Quarian backdoor — malware linked to attacks used against diplomatic targets in Syria and the US back in 2013.
The main implant is capable of harvesting and exfiltrating system data, taking screenshots, and also overwriting, moving/deleting, or stealing files.
Among the tools used are the network tunneling software EarthWorm, Mimikatz, NetCat, and software developed by the US National Security Agency (NSA) and dumped by the ShadowBrokers, such as EternalBlue, DoublePulsar, and EternalRocks.
VMProtect was used in most cases to try to obfuscate the group’s activities.
Diplomats may have to deal with sensitive information handed over through removable drives and storage. To widen the scope of its cyberespionage activities, BackdoorDiplomacy will scan for flash drives and will attempt to copy all files from them into a password-protected archive which is then whisked off to a command-and-control (C2) center via the backdoor.
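The removable-drive collection behaviour described above (scan for flash drives, pack their contents into a password-protected archive, hand it to the backdoor for exfiltration) is something an endpoint telemetry pipeline can look for. The following is an added example written for this page; it is not code from ESET, ZDNet, or the malware itself. It runs a simple correlation over constructed sample events: a password-protected archive being built from a drive letter that was mounted as removable media on the same host within a short window. The event format, field names, hostnames, and the ten-minute window are all assumptions; the `-p` switch is the real password option of the 7-Zip and RAR command-line tools.

```python
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs). Field names are hypothetical:
# "removable_media_mounted" records a drive letter; "process_created" records
# the image path and full command line of a new process.
SAMPLE_EVENTS = [
    {"ts": "2021-06-10T09:00:00", "type": "removable_media_mounted",
     "host": "dip-ws01", "drive": "E:"},
    {"ts": "2021-06-10T09:00:40", "type": "process_created", "host": "dip-ws01",
     "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c dir E:\\"},
    {"ts": "2021-06-10T09:02:15", "type": "process_created", "host": "dip-ws01",
     "image": "C:\\ProgramData\\tmp\\7z.exe",
     "cmdline": "7z.exe a -pS3cret C:\\ProgramData\\tmp\\out.7z E:\\*"},
    # Benign: archive without a password, no removable media involved.
    {"ts": "2021-06-10T12:30:00", "type": "process_created", "host": "dip-ws02",
     "image": "C:\\Program Files\\7-Zip\\7z.exe",
     "cmdline": "7z.exe a C:\\Users\\alice\\report.7z C:\\Users\\alice\\Documents\\report.docx"},
    {"ts": "2021-06-10T14:00:00", "type": "removable_media_mounted",
     "host": "dip-ws02", "drive": "F:"},
    # Password-protected archive of F:, but two hours after the mount (outside the window).
    {"ts": "2021-06-10T16:00:00", "type": "process_created", "host": "dip-ws02",
     "image": "C:\\Program Files\\7-Zip\\7z.exe",
     "cmdline": "7z.exe a -pX C:\\temp\\a.7z F:\\*"},
]

# Command-line archivers whose "-p<password>" switch encrypts the archive.
ARCHIVER_IMAGES = ("7z.exe", "7za.exe", "rar.exe", "winrar.exe")
PASSWORD_SWITCH = re.compile(r"(?:^|\s)-p\S*", re.IGNORECASE)


def detect_removable_archive_staging(events, window=timedelta(minutes=10)):
    """Return alerts for password-protected archives built from a recently
    mounted removable drive on the same host. `window` is an assumed tuning
    value: how long after the mount an archive run is still considered linked."""
    alerts = []
    mounts = {}  # (host, drive letter) -> time of the most recent mount
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "removable_media_mounted":
            mounts[(ev["host"], ev["drive"].upper())] = ts
            continue
        if ev["type"] != "process_created":
            continue
        image_name = ev["image"].rsplit("\\", 1)[-1].lower()
        if image_name not in ARCHIVER_IMAGES:
            continue
        cmdline = ev["cmdline"]
        if not PASSWORD_SWITCH.search(cmdline):
            continue  # unencrypted archive: not the pattern described
        for (host, drive), mount_ts in mounts.items():
            if host != ev["host"] or drive not in cmdline.upper():
                continue
            if timedelta(0) <= ts - mount_ts <= window:
                alerts.append({
                    "host": host,
                    "drive": drive,
                    "ts": ev["ts"],
                    "cmdline": cmdline,
                    "reason": "password-protected archive of removable media "
                              f"{int((ts - mount_ts).total_seconds())}s after mount",
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_removable_archive_staging(SAMPLE_EVENTS):
        print(alert)
```

The time window is what keeps this from firing on every user who legitimately zips a file with a password: the behaviour worth flagging is the tight coupling between media arrival and encrypted bulk collection of that media, which is exactly the sequence the report describes. In production the mount and process-creation events would come from the endpoint agent rather than a hard-coded list, and the staging path of the archive (here an unusual ProgramData location) is a second feature worth scoring.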
While BackdoorDiplomacy has been registered as an APT in its own right, there do appear to be other links, or at least, common threads, with other threat groups.
The network encryption protocol used by the APT is almost identical to that used by the Calypso group’s Whitebird backdoor, and this malware was deployed against diplomatic targets in Kazakhstan and Kyrgyzstan during 2017 – 2020. In addition, ESET believes there are commonalities with CloudComputating/Platinum, which has targeted diplomatic, government, and military organizations across Asia in previous years.
In other research this month, Check Point Research discovered a novel backdoor developed by Chinese threat actors over the course of three years. The malware, dubbed VictoryDll_x86.dll, was used to compromise a network belonging to a Southeast Asian government’s Ministry of Foreign Affairs.
Source: "This new hacking group has a nasty surprise for African, Middle East diplomats", published on www.zdnet.com, June 10, 2021.