New Cyber Espionage Group Targeting Ministries of Foreign Affairs
Written by: ashley

Cybersecurity researchers have revealed a new cyber espionage group responsible for a series of targeted operations against diplomatic entities and telecommunications companies in Africa and the Middle East since at least 2017.

The campaign, dubbed BackdoorDiplomacy, exploits vulnerabilities in internet-exposed devices such as web servers, then carries out a range of intrusion activities, including moving laterally across the network to deploy a custom implant called Turian that can exfiltrate sensitive data stored on removable media.

Jean-Ian Boutin, head of threat research at the Slovak cybersecurity firm ESET, said: "BackdoorDiplomacy shares tactics, techniques, and procedures with other Asia-based groups. Turian likely represents a next stage evolution of Quarian, the backdoor last noticed in use in 2013 against diplomatic targets in Syria and also the U.S."

Reconnaissance and lateral movement

Following the initial compromise, the BackdoorDiplomacy group frequently used open-source reconnaissance and red-team tools to scan the compromised environment for new targets and for lateral movement. The tools observed include:

EarthWorm, a basic network tunnel with SOCKS v5 server and port-forwarding features
Mimikatz, as well as variants such as SafetyKatz
Nbtscan, a command-line NetBIOS scanner for Windows
NetCat, a networking utility that reads and writes data over network connections
PortQry, a program that displays the status of TCP and UDP ports on remote systems
SMBTouch, used to determine whether a target is vulnerable to EternalBlue

Various NSA tools from the ShadowBrokers dump, including but not limited to:

DoublePulsar
EternalBlue
EternalRocks
EternalSynergy

The following directories are frequently used for staging reconnaissance and lateral-movement tools:

C:\Program Files\Windows Mail\en-US\
%LOCALAPPDATA%\Microsoft\InstallAgent\Checkpoints\
C:\ProgramData\ESET\ESET Security\Logs\eScan\
%USERPROFILE%\ESET\ESET Security\Logs\eScan\
C:\Program Files\hp\hponcfg\
C:\Program Files\hp\hpssa\
C:\hp\hpsmh\
C:\ProgramData\Mozilla\updates\
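As an added defensive example (not code from the article or from ESET), the short Python hunt below flags tool-like files that sit under the staging directories listed above, as a defender might run it over an endpoint file inventory. The inventory format, the wildcard expansion of the per-user variables, and the set of file extensions treated as tool-like are assumptions.

```python
import fnmatch
import ntpath
# Staging directories reported in the article (Windows, matched case-insensitively).
STAGING_DIRS = [
    r"C:\Program Files\Windows Mail\en-US",
    r"%LOCALAPPDATA%\Microsoft\InstallAgent\Checkpoints",
    r"C:\ProgramData\ESET\ESET Security\Logs\eScan",
    r"%USERPROFILE%\ESET\ESET Security\Logs\eScan",
    r"C:\Program Files\hp\hponcfg",
    r"C:\Program Files\hp\hpssa",
    r"C:\hp\hpsmh",
    r"C:\ProgramData\Mozilla\updates",
]
# Per-user variables become wildcards so one pattern covers every profile (assumed layout).
ENV_WILDCARDS = {"%LOCALAPPDATA%": r"C:\Users\*\AppData\Local", "%USERPROFILE%": r"C:\Users\*"}
# File types the listed tooling typically arrives as (assumed set; extend as needed).
TOOL_EXTENSIONS = {".exe", ".dll", ".ps1", ".bat", ".vbs"}


def _expand(directory):
    """Turn one directory entry into a lowercase fnmatch pattern for files under it."""
    for var, glob in ENV_WILDCARDS.items():
        directory = directory.replace(var, glob)
    return directory.lower() + r"\*"


PATTERNS = [_expand(d) for d in STAGING_DIRS]


def hunt_staging_dirs(inventory, allowlist=frozenset()):
    """Return (host, path) for tool-like files inside a staging directory.
    inventory: (host, full_path) pairs, e.g. an EDR file listing;
    allowlist: lowercase file names known to legitimately live there."""
    hits = []
    for host, path in inventory:
        p = path.lower()
        name = ntpath.basename(p)
        if ntpath.splitext(name)[1] not in TOOL_EXTENSIONS or name in allowlist:
            continue  # not a tool-like file, or a known-good one
        if any(fnmatch.fnmatchcase(p, pat) for pat in PATTERNS):
            hits.append((host, path))
    return hits


# Constructed sample inventory, not real telemetry.
SAMPLE = [
    ("ws01", r"C:\Users\alice\ESET\ESET Security\Logs\eScan\nbtscan.exe"),
    ("ws01", r"C:\ProgramData\ESET\ESET Security\Logs\eScan\scan.log"),
    ("srv02", r"C:\Program Files\Windows Mail\en-US\ew.exe"),
    ("srv02", r"C:\Program Files\hp\hponcfg\hponcfg.exe"),
    ("srv02", r"C:\Users\bob\Documents\report.exe"),
]
```

Calling `hunt_staging_dirs(SAMPLE, allowlist={"hponcfg.exe"})` returns the two executables dropped into the ESET log and Windows Mail directories; the log file, the vendor's own binary and the file outside any staging path are ignored.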

The group can attack both Windows and Linux operating systems

The cross-platform group is able to attack both Windows and Linux operating systems. It targets internet-exposed management interfaces of network devices and servers, probably using the China Chopper web shell for initial access and then using it to explore the environment and install the backdoor.

Platforms attacked include F5 BIG-IP devices (CVE-2020-5902), Exchange Server, and Plesk web hosting control panels. Victims have been identified at foreign ministries in several African countries as well as in Europe, the Middle East, and Asia. In addition, African telecommunications providers and at least one Middle Eastern charity were targeted.

BackdoorDiplomacy is believed to overlap with previously documented activities of the Chinese-language organization called CloudComputing, Kaspersky said.

According to ESET, the network encryption protocol used by Turian is nearly identical to the one used by WhiteBird, a C++ backdoor operated by an Asian threat actor called Calypso that was installed in diplomatic organizations in Kazakhstan and Kyrgyzstan during the same period as BackdoorDiplomacy.

Publication date: Thursday, 27 Khordad 1400