BackdoorDiplomacy
BackdoorDiplomacy is an APT (Advanced Persistent Threat) group focused on carrying out attack operations against diplomatic targets in Africa, Europe, the Middle East and Asia. The victims of the group also include the Ministries of Foreign Affairs of several African countries. Less frequently, BackdoorDiplomacy has been involved in breach operations against telecommunication companies and charitable organizations.
The initial infection vectors used by BackdoorDiplomacy include locating vulnerable internet-exposed systems and applications on Web servers. The group has been observed exploiting an F5 BIG-IP vulnerability (CVE-2020-5902) to drop a Linux backdoor, while in another attack it abused a Microsoft Exchange server through a PowerShell dropper that delivered the well-documented China Chopper Web shell. As these instances show, BackdoorDiplomacy maintains cross-platform malicious tooling that can affect both Windows and Linux systems.
Post-Infection Activities
Once a breach point into the victim's network has been established, BackdoorDiplomacy uses a multitude of open-source tools for reconnaissance and lateral movement. Among the tools observed in use by the group are EarthWorm (a network tunneling tool), Mimikatz, Nbtscan, NetCat (a networking utility capable of reading and writing data across network connections), PortQry, SMBTouch, and several tools that were leaked in the ShadowBrokers NSA data dump.
Ultimately, the group delivers its signature malicious instrument, the Turian backdoor. Analysis of the malware has revealed that BackdoorDiplomacy developed Turian from an earlier backdoor named Quarian. Quarian was leveraged against a similar set of targets in a series of attacks aimed at diplomatic entities located in Syria and the United States. It should be noted that BackdoorDiplomacy also drops a separate executable payload tasked with detecting any removable storage devices connected to the compromised system. It can then copy their contents and store them in the main drive's recycle bin.
Connections to Other Threat Actors
BackdoorDiplomacy exhibits certain overlaps with other cybercriminal groups from the Asian region. For example, the encryption protocol that Turian uses is almost the same as the one seen in the Whitebird backdoor, a malicious tool attributed to the Calypso group. Whitebird was employed in attacks against diplomatic organizations in Kazakhstan and Kyrgyzstan during the same time frame as the BackdoorDiplomacy operations. An overlap can also be established between BackdoorDiplomacy and another group named APT15, as both rely on the same techniques and procedures when deploying their respective backdoor payloads, mainly DLL search order hijacking.
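As an added hunting example (not part of the original profile or of any named project's tooling), the following script flags DLL search order hijacking candidates of the kind described above: a DLL sitting in an application's own directory that shares its name with a system DLL, which the Windows loader would pick up before the copy in System32 unless the name is protected by the KnownDLLs list. The directory inventory, system DLL set and KnownDLLs set below are constructed sample data; `inventory_dir` can build a real inventory from a live path.

```python
"""Hunt for DLL search-order hijacking candidates (added example).

Windows resolves an implicitly imported DLL by checking the application's own
directory before the system directories, except for names on the KnownDLLs
list, which are always mapped from System32. A DLL in an application directory
that shadows a non-KnownDLLs system DLL is therefore worth a closer look.
"""
import os
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample of KnownDLLs names; the authoritative list is in the
# registry under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs.
SAMPLE_KNOWN_DLLS = {"kernel32.dll", "user32.dll", "advapi32.dll", "ntdll.dll"}

# Constructed sample inventories: directory -> files found at its top level.
SAMPLE_APP_DIRS = {
    r"C:\Program Files\Vendor\App": ["app.exe", "version.dll", "readme.txt"],
    r"C:\Users\Public\Tools": ["tool.exe", "kernel32.dll", "helper.dll"],
}
# Constructed subset of what a System32 listing would contain.
SAMPLE_SYSTEM_DLLS = {"version.dll", "kernel32.dll", "user32.dll", "dbghelp.dll"}


def find_shadowing_dlls(app_dirs: Dict[str, Iterable[str]],
                        system_dlls: Set[str],
                        known_dlls: Set[str]) -> List[Tuple[str, str]]:
    """Return sorted (directory, dll) pairs where an application directory holds
    a DLL named like a system DLL that is NOT protected by KnownDLLs."""
    sys_lower = {d.lower() for d in system_dlls}
    known_lower = {d.lower() for d in known_dlls}
    hits = []
    for directory, files in app_dirs.items():
        for name in files:
            low = name.lower()
            # Only DLLs matter, and names served from KnownDLLs cannot be
            # shadowed by a copy in the application directory.
            if low.endswith(".dll") and low in sys_lower and low not in known_lower:
                hits.append((directory, name))
    return sorted(hits)


def inventory_dir(path: str) -> Dict[str, List[str]]:
    """Build an app_dirs mapping from a real directory tree for use with
    find_shadowing_dlls (each directory maps to the files directly inside it)."""
    return {root: files for root, _dirs, files in os.walk(path)}


if __name__ == "__main__":
    for directory, dll in find_shadowing_dlls(SAMPLE_APP_DIRS, SAMPLE_SYSTEM_DLLS, SAMPLE_KNOWN_DLLS):
        print(f"review: {directory}\\{dll} shadows a system DLL")
```

On a live host, pair the inventory with a check of which flagged directories are writable by unprivileged users, since only those are practical hijack locations.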