
Threat Group Cards: A Threat Actor Encyclopedia

APT group: BackdoorDiplomacy

Names: BackdoorDiplomacy (ESET)
Country: [Unknown]
Motivation: Information theft and espionage
First seen: 2017
Description: (ESET) BackdoorDiplomacy is a group that primarily targets diplomatic organizations in the Middle East and Africa and, less frequently, telecommunication companies. Their initial attack methodology is focused on exploiting vulnerable internet-exposed applications on web servers in order to drop and execute a webshell. Post compromise, via the webshell, BackdoorDiplomacy deploys open-source software for reconnaissance and information gathering, and favors the use of DLL search order hijacking to install its backdoor, Turian. Finally, BackdoorDiplomacy employs a separate executable to detect removable media, likely USB flash drives, and copy their contents to the main drive's recycle bin.

BackdoorDiplomacy shares tactics, techniques, and procedures with other Asian groups. Turian likely represents a next-stage evolution of Quarian, the backdoor last observed in use in 2013 against diplomatic targets in Syria and the United States. Turian's network encryption protocol is nearly identical to the network encryption protocol used by Whitebird, a backdoor operated by Calypso, another Asian group. Whitebird was deployed within diplomatic organizations in Kazakhstan and Kyrgyzstan during the same timeframe as BackdoorDiplomacy (2017-2020). Additionally, BackdoorDiplomacy and Ke3chang (Vixen Panda, APT 15, GREF, Playful Dragon) use the same techniques and tactics to drop their backdoors on systems, namely the aforementioned DLL search order hijacking.
Observed: Sectors: Government, Telecommunications.
Countries: Albania, Bhutan, Croatia, Georgia, Germany, Ghana, India, Libya, Namibia, Nigeria, Poland, Saudi Arabia, South Africa, Sri Lanka, UAE, Uzbekistan.
Tools used: DoublePulsar, EarthWorm, EternalBlue, EternalRocks, EternalSynergy, Mimikatz, nbtscan, netcat, PortQry, SMBTouch, Turian.
Information: <https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/>
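Two of the behaviours in the description lend themselves to host-level hunting: a DLL dropped beside an application so that it is loaded in place of a System32 DLL (the search order hijack used to install Turian), and removable-media contents copied raw into the recycle bin, which Explorer never does. The script below is an added example for this card, not code from ESET or ThaiCERT. It runs over a constructed file listing (the vendor application paths, the SID folder name and every file under it are made up for the example) so it works offline; on a real host, feed it the output of os.walk() over the system drive.

```python
"""Hunt heuristics for two behaviours named in the description above: a DLL
planted beside an application so that it shadows a System32 DLL (DLL search
order hijacking) and files parked in $Recycle.Bin by something other than
Explorer (the removable-media collector). Added example, not ESET's or
ThaiCERT's code; SAMPLE_LISTING is a constructed file listing so the script
runs offline. Feed it the output of os.walk() on a real host instead."""
import re
from pathlib import PureWindowsPath

# Constructed subset of the DLLs shipped in System32. On a live host, build
# this set from os.listdir(r"C:\Windows\System32") instead.
SYSTEM32_DLLS = {"version.dll", "dwmapi.dll", "uxtheme.dll", "kernel32.dll", "ntdll.dll"}

# KnownDLLs are always mapped from System32, so a same-named copy next to an
# EXE is never loaded. Read the live list from the registry key
# HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs.
KNOWN_DLLS = {"kernel32.dll", "ntdll.dll"}

# Explorer stores a recycled item as $R<6 chars>[.ext] (content) plus
# $I<6 chars>[.ext] (original path and deletion time).
RECYCLE_NAME = re.compile(r"^\$([RI])([0-9A-Z]{6})(\..*)?$", re.IGNORECASE)


def find_shadowed_dlls(listing, system32_dlls=SYSTEM32_DLLS, known_dlls=KNOWN_DLLS):
    """Return (dll_path, exe_path) pairs: a DLL that sits in the same directory
    as an executable, carries the name of a System32 DLL and is not a KnownDLL.
    The application directory is searched before System32, so this is the
    position in which a hijack DLL is dropped."""
    system32 = {n.lower() for n in system32_dlls}
    known = {n.lower() for n in known_dlls}
    by_dir = {}
    for p in listing:
        wp = PureWindowsPath(p)
        by_dir.setdefault(str(wp.parent).lower(), []).append(wp)
    hits = []
    for directory, entries in by_dir.items():
        if directory.endswith(("\\windows\\system32", "\\windows\\syswow64")):
            continue  # the legitimate copies live here
        exes = [e for e in entries if e.suffix.lower() == ".exe"]
        if not exes:
            continue
        for e in entries:
            name = e.name.lower()
            if name.endswith(".dll") and name in system32 and name not in known:
                hits.append((str(e), str(exes[0])))
    return hits


def find_recycle_bin_anomalies(listing):
    """Return paths under $Recycle.Bin that do not follow the $R/$I naming
    convention (a raw directory tree or plain file copied in, as the
    removable-media collector does) or that are $R records lacking the $I
    metadata file Explorer always writes alongside."""
    anomalies, records = [], {}
    for p in listing:
        wp = PureWindowsPath(p)
        lowered = [x.lower() for x in wp.parts]
        if "$recycle.bin" not in lowered:
            continue
        rel = wp.parts[lowered.index("$recycle.bin") + 1:]  # (<SID>, <entry>, ...)
        if len(rel) < 2 or (len(rel) == 2 and rel[1].lower() == "desktop.ini"):
            continue  # the per-user SID folder and its desktop.ini are normal
        m = RECYCLE_NAME.match(rel[1])
        if not m:
            anomalies.append(str(wp))
            continue
        if len(rel) == 2:  # the $R/$I entry itself, not content inside a recycled folder
            key = (rel[0].lower(), m.group(2).upper())
            records.setdefault(key, {})[m.group(1).upper()] = str(wp)
    for kinds in records.values():
        if "R" in kinds and "I" not in kinds:
            anomalies.append(kinds["R"])
    return anomalies


# Constructed file listing standing in for a directory walk of one host.
SAMPLE_LISTING = [
    r"C:\Windows\System32\version.dll",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Program Files\VendorApp\vendorapp.exe",
    r"C:\Program Files\VendorApp\version.dll",    # same name as a System32 DLL: hijack position
    r"C:\Program Files\VendorApp\kernel32.dll",   # KnownDLL, would not be loaded from here
    r"C:\Program Files\VendorApp\vendorhelper.dll",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\$Recycle.Bin\S-1-5-21-1000\desktop.ini",
    r"C:\$Recycle.Bin\S-1-5-21-1000\$RQ7K2P1.docx",            # normal recycled file ...
    r"C:\$Recycle.Bin\S-1-5-21-1000\$IQ7K2P1.docx",            # ... with its metadata record
    r"C:\$Recycle.Bin\S-1-5-21-1000\$RX9M4L0",                 # normal recycled folder
    r"C:\$Recycle.Bin\S-1-5-21-1000\$IX9M4L0",
    r"C:\$Recycle.Bin\S-1-5-21-1000\$RX9M4L0\report.pdf",
    r"C:\$Recycle.Bin\S-1-5-21-1000\E\contracts\tender.xlsx",  # raw copy of a removable-drive tree
    r"C:\$Recycle.Bin\S-1-5-21-1000\passports.zip",            # plain file, not recycled by Explorer
    r"C:\$Recycle.Bin\S-1-5-21-1000\$RZZ1111.pdf",             # $R with no matching $I
]

if __name__ == "__main__":
    for dll, exe in find_shadowed_dlls(SAMPLE_LISTING):
        print(f"possible DLL search order hijack: {dll} shadows a System32 DLL next to {exe}")
    for path in find_recycle_bin_anomalies(SAMPLE_LISTING):
        print(f"unexpected item in recycle bin: {path}")
```

Both checks are heuristics, not signatures: legitimate installers occasionally ship a private copy of a system DLL, and users can drop files into a recycle-bin folder by hand, so each hit is a triage lead to confirm against the DLL's signature and the file's creation timestamps rather than a verdict.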

Last change to this card: 15 June 2021


Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency


Report incidents

Telephone +66 (0)2-123-1234
E-mail report@thaicert.or.th