Cybersecurity researchers on Thursday disclosed a new backdoor, Turian, used in a cyber espionage campaign by the BackdoorDiplomacy APT group, which has been behind a sequence of targeted attacks against telecommunication companies and diplomatic entities in the Middle East and Africa since 2017. The threat actor is known as “BackdoorDiplomacy” because of its use of the Turian backdoor and its preference for diplomatic targets.
The BackdoorDiplomacy APT group targets vulnerabilities in internet-exposed devices, such as web servers, and then moves laterally across the network to deploy its custom implant, Turian, which is capable of exfiltrating sensitive information stored on removable media.
The campaign relies on a previously undocumented piece of malware that installs a covert backdoor on compromised Windows systems. Cyber spying, or cyber espionage, is a kind of cyber attack in which an unauthorized user tries to access classified or sensitive data and intellectual property for competitive advantage, economic gain, or political reasons.
In some scenarios, a data breach is intended to cause reputational damage to the target by exposing sensitive data or questionable business practices. The most common victims of cyber espionage campaigns include government agencies, large corporations, academic institutions, and organizations that hold technical data and valuable IP that gives them a competitive advantage over other organizations.
A backdoor is a kind of malware that gives attackers unauthorized access to a website or server. Through it, attackers can remotely reach applications such as file servers and databases. The backdoor gives the perpetrators a reliable channel for issuing system commands and updating their malware.
Attackers install such malware through unsecured entry points, such as input fields or outdated plug-ins. Once inside a website or application, they can access all of your company’s data, including users’ personally identifiable information.
A web server backdoor can be used for several malicious activities, including:
Launching of distributed denial of service (DDoS) attacks
Advanced persistent threat
Infecting website visitors
Server hijacking
Website defacing
The BackdoorDiplomacy APT group has been seen targeting regional diplomatic organizations in Asia and Africa and, less often, telecommunication companies. Researchers observed that the campaign was conducted against public-facing servers within the target organizations, spying on network traffic and sending commands to compromised hosts. According to Kaspersky, the group uses the Moriya rootkit to deploy a passive backdoor that lets the attackers inspect incoming traffic to the infected system.
The APT group is linked with several other Asian groups. The most notable link is between the Quarian backdoor and the Turian backdoor. It is also connected with a group referred to as “CloudComputating” analyzed by Sophos.
Kaspersky reported that the Quarian and Turian backdoors have targeted the same set of victims. On top of that, there are clear similarities between the two malware families. This led cybersecurity researchers to conclude that Turian is derived from Quarian.
The mutex Turian uses to ensure that only one instance is running is named differently from the mutex seen in Quarian. Here are a few mutex names captured during the analysis of Turian:
winsupdatetw
clientsix
client
updatethres
Others: dynamically generated from the system’s hostname, limited to eight hex characters, lower-case, and prefixed with a leading zero.
Here are some of the capabilities discovered:
Get system information, such as OS version, local hostname, memory usage, system adapter info, current username, internal IP, domain data, and state of the directory service installation.
Spawn a new thread, acknowledge the command and wait for one of the three-digit commands.
Take a screenshot.
Write file
List directory
Move file
Delete file
Get startup info
Turian is seen targeting the same victims that Quarian targeted. The trend of targeting Ministries of Foreign Affairs continues with Turian. In this cyber espionage campaign, the Ministries of Foreign Affairs of several African countries, as well as of countries in Europe, the Middle East, and Asia, were targeted. Additionally, the campaign has hit telecommunication companies in Africa and charities in the Middle East. Tactics, techniques, and procedures (TTPs) remain the same in each case, but the tools used differ.
Fig #1: How the BackdoorDiplomacy APT Group Carries Out Its Cyber Espionage Campaign
Let’s see how the BackdoorDiplomacy APT group carries out its cyber espionage campaign.
The BackdoorDiplomacy APT group compromises internet-exposed devices using two kinds of tools:
The Turian backdoor, which is derived from Quarian.
Open-source remote access tools.
In several instances, the attackers have targeted removable media for data collection or exfiltration. Both Windows and Linux platforms are targeted by the backdoor.
Initially, the BackdoorDiplomacy APT group targets the victim via ports exposed to the internet, likely exploiting unpatched vulnerabilities or poorly enforced file-upload security. In one instance, the attackers exploited an unpatched F5 BIG-IP vulnerability (CVE-2020-5902) to drop a backdoor on a Linux system. In another, they exploited a Microsoft Exchange server and installed the China Chopper web shell using a PowerShell dropper.
After the initial compromise, the BackdoorDiplomacy APT group performs reconnaissance to explore the network for additional targets, which supports lateral movement. In many instances, the group has used open-source reconnaissance and red-team tools for this purpose.
Next, the group implants a dropper on the identified target machines, which later installs the Turian backdoor. In one example, the group used a web shell to drop ScnCfg.exe, a program that writes the Turian code into memory and executes it. In many instances, the attackers have disguised their backdoor droppers to evade detection and placed them in the following locations:
C:\Program Files\hp
C:\ProgramData\ESET
C:\ProgramData\Mozilla
After initial execution, the Turian backdoor establishes persistence by creating the file tmp.bat in the current working directory and then creating a couple of registry keys. Thereafter, Turian tries to communicate with its C2 servers (the IPs and domains are stored in Sharedaccess.ini) and sends data to them over an encrypted channel.
ID | Description |
---|---|
0x01 | Get system information including OS version, memory usage, local hostname, system adapter info, internal IP, current username, state of the directory service installation and domain data. |
0x02 | Interactive shell – copy %WINDIR%\system32\cmd.exe to %WINDIR%\alg.exe and spawn alg.exe in a new thread. |
0x03 | Spawn a new thread, acknowledge the command and wait for one of the three-digit commands below. |
0x04 | Take screenshot. |
0x103 / 0x203 | Write file. |
0x403 | List directory. |
0x503 | Move file. |
0x603 | Delete file. |
0x703 | Get startup info. |
Table #1: Turian backdoor commands
File Samples:
SHA-1 | Filename | ESET Detection Name | Description |
---|---|---|---|
3C0DB3A5194E1568E8E2164149F30763B7F3043D | logout.aspx | ASP/Webshell.H | BackdoorDiplomacy webshell – variant N2 |
32EF3F67E06C43C18E34FB56E6E62A6534D1D694 | current.aspx | ASP/Webshell.O | BackdoorDiplomacy webshell – variant S1 |
8C4D2ED23958919FE10334CCFBE8D78CD0D991A8 | errorEE.aspx | ASP/Webshell.J | BackdoorDiplomacy webshell – variant N1 |
C0A3F78CF7F0B592EF813B15FC0F1D28D94C9604 | App_Web_xcg2dubs.dll | MSIL/Webshell.C | BackdoorDiplomacy webshell – variant N3 |
CDD583BB6333644472733617B6DCEE2681238A11 | N/A | Linux/Agent.KD | Linux Turian backdoor |
FA6C20F00F3C57643F312E84CC7E46A0C7BABE75 | N/A | Linux/Agent.KD | Linux Turian backdoor |
5F87FBFE30CA5D6347F4462D02685B6E1E90E464 | ScnCfg.exe | Win32/Agent.TGO | Windows Turian backdoor |
B6936BD6F36A48DD1460EEB4AB8473C7626142AC | VMSvc.exe | Win32/Agent.QKK | Windows Turian backdoor |
B16393DFFB130304AD627E6872403C67DD4C0AF3 | svchost.exe | Win32/Agent.TZI | Windows Turian backdoor |
9DBBEBEBBA20B1014830B9DE4EC9331E66A159DF | nvsvc.exe | Win32/Agent.UJH | Windows Turian backdoor |
564F1C32F2A2501C3C7B51A13A08969CDC3B0390 | AppleVersions.dll | Win64/Agent.HA | Windows Turian backdoor |
6E1BB476EE964FFF26A86E4966D7B82E7BACBF47 | MozillaUpdate.exe | Win32/Agent.UJH | Windows Turian backdoor |
FBB0A4F4C90B513C4E51F0D0903C525360FAF3B7 | nvsvc.exe | Win32/Agent.QAY | Windows Turian backdoor |
2183AE45ADEF97500A26DBBF69D910B82BFE721A | nvsvcv.exe | Win32/Agent.UFX | Windows Turian backdoor |
849B970652678748CEBF3C4D90F435AE1680601F | efsw.exe | Win32/Agent.UFX | Windows Turian backdoor |
C176F36A7FC273C9C98EA74A34B8BAB0F490E19E | iexplore32.exe | Win32/Agent.QAY | Windows Turian backdoor |
626EFB29B0C58461D831858825765C05E1098786 | iexplore32.exe | Win32/Agent.UFX | Windows Turian backdoor |
40E73BF21E31EE99B910809B3B4715AF017DB061 | explorer32.exe | Win32/Agent.QAY | Windows Turian backdoor |
255F54DE241A3D12DEBAD2DF47BAC5601895E458 | Duser.dll | Win32/Agent.URH | Windows Turian backdoor |
A99CF07FBA62A63A44C6D5EF6B780411CF1B1073 | Duser.dll | Win64/Agent.HA | Windows Turian backdoor |
934B3934FDB4CD55DC4EA1577F9A394E9D74D660 | Duser.dll | Win32/Agent.TQI | Windows Turian backdoor |
EF4DF176916CE5882F88059011072755E1ECC482 | iexplore32.exe | Win32/Agent.QAY | Windows Turian backdoor |
Table #2: IOCs
Persistence Directories:
C:\Program Files\hp
C:\ProgramData\ESET
C:\ProgramData\Mozilla
C:\Program Files\Windows Mail\en-US\
%LOCALAPPDATA%\Microsoft\InstallAgent\Checkpoints\
C:\ProgramData\ESET\ESET Security\Logs\eScan\
%USERPROFILE%\ESET\ESET Security\Logs\eScan\
C:\Program Files\hp\hponcfg\
C:\Program Files\hp\hpssa\
C:\hp\hpsmh\
C:\ProgramData\Mozilla\updates\
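As an added example (not code from ESET’s report or from this article), here is a small Python triage helper that checks constructed endpoint events against the indicators listed above: the fixed mutex names and the hostname-derived mutex pattern, executables dropped under the persistence directories, the Sharedaccess.ini C2 configuration file, and the cmd.exe copy launched as %WINDIR%\alg.exe. The event schema, the reading of the dynamic mutex as “0” followed by up to eight lower-case hex characters, and %WINDIR% = C:\Windows are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Indicators from the analysis above; the event schema and sample events are
# constructed for this example and do not come from the original report.
STATIC_MUTEXES = {"winsupdatetw", "clientsix", "client", "updatethres"}
# Hostname-derived mutex, read here (assumption) as "0" + up to 8 lower-case hex chars.
DYNAMIC_MUTEX = re.compile(r"0[0-9a-f]{1,8}")
PERSISTENCE_DIRS = (  # subset of the directories listed above
    r"C:\Program Files\hp",
    r"C:\ProgramData\ESET",
    r"C:\ProgramData\Mozilla",
    r"C:\Program Files\Windows Mail\en-US",
)
ALG_COPY = PureWindowsPath(r"C:\Windows\alg.exe")  # assumes %WINDIR% = C:\Windows

def _under(path, root):
    """True if path lies inside root (case-insensitive, Windows path semantics)."""
    root_parts = PureWindowsPath(root).parts
    head = path.parts[: len(root_parts)]
    return [p.lower() for p in head] == [p.lower() for p in root_parts]

def classify(event):
    """Return a reason string if the event matches a Turian indicator, else None."""
    kind, value = event["type"], event["value"]
    if kind == "mutex":
        if value in STATIC_MUTEXES:
            return f"known Turian mutex {value!r}"
        if DYNAMIC_MUTEX.fullmatch(value):
            return f"hostname-derived mutex pattern {value!r} (weak signal on its own)"
    elif kind == "file_write":
        path = PureWindowsPath(value)
        if path.name.lower() == "sharedaccess.ini":
            return "Turian C2 configuration file name written"
        if path.suffix.lower() in {".exe", ".dll"} and any(_under(path, d) for d in PERSISTENCE_DIRS):
            return f"executable dropped in Turian persistence directory: {path.parent}"
    elif kind == "process":
        # The legitimate ALG service lives in System32; a copy directly under %WINDIR% is the indicator.
        if str(PureWindowsPath(value)).lower() == str(ALG_COPY).lower():
            return "cmd.exe copy executed as %WINDIR%\\alg.exe (Turian interactive shell)"
    return None

def scan(events):
    """Run every event through classify() and return (index, reason) for each hit."""
    return [(i, classify(ev)) for i, ev in enumerate(events) if classify(ev)]

SAMPLE_EVENTS = [  # constructed sample telemetry, not real data
    {"type": "mutex", "value": "winsupdatetw"},
    {"type": "mutex", "value": "Global\\MyAppLock"},
    {"type": "file_write", "value": r"C:\ProgramData\ESET\ESET Security\Logs\eScan\nvsvc.exe"},
    {"type": "file_write", "value": r"C:\ProgramData\Mozilla\updates\Sharedaccess.ini"},
    {"type": "process", "value": r"C:\Windows\alg.exe"},
    {"type": "process", "value": r"C:\Windows\System32\alg.exe"},  # legitimate ALG service
]

if __name__ == "__main__":
    for index, reason in scan(SAMPLE_EVENTS):
        print(index, reason)
```

The dynamic-mutex rule alone will match short hex-looking names from benign software, so treat it as corroborating evidence next to the file-path and process rules rather than as a standalone alert.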
Network C&Cs:
Table #3: Network C&Cs
DDNS providers:
Table #4: DDNS providers
Table #5: MITRE ATT&CK techniques
Thanks for reading this threat post. Please share this information and help curb the cyber espionage campaign.
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, penetration testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.