'BackdoorDiplomacy' Cyber-espionage targets middle eastern telecommunication firms


Bitdefender identified a cyber espionage activity that targets telecommunications firms of the middle east and is operated by Chinese threat actors during his research of analyzing the unknown binaries. Bitdefender believes that this group operate since 2017 and know for attacking the Middle East and Africa and the United States.
ProxyShell Exploit was used to gain initial access to the target's network and it seems that the attack started on 19-08-2021 with the two types of web shell including ReGeorg and another shell created by GitHub user grCod.


According to Bitdefender threat actors used many open-source toolkit for this operation
Private tools
Irafau Backdoor
The IRAFAU backdoor, deployed after the initial access, is the first malware component. It was used to perform
information discovery by running built-in tools and performing lateral movement by copying itself on C$ share and
executing via the schtasks and wmi.
Quarian Backdoor
The second-most-used tool in this operation is Quarian backdoor. Although versions of this backdoor are known under
different names (e.g. Turian, Whitebird), we believe it’s the same tool, but has been improved/modified.
Pinkman Agent
Another tool used in this operation was a binary built with Go we called the Pinkman Agent.
The name of the tool was inspired by a string common to all samples - “pinkmanHeisenberg” - that was used to derive
the key for decrypting the C&C server.
Impersoni-fake-ator
This tool is an interesting piece of malware embedded into a legitimate version of DbgView and Putty, posing as a
legitimate tool to evade detection. Based on that characteristic, we track this tool as impersoni-fake-ator.

open source tools including ToRat, Asyncrat, Merlin,

"Our research points to an operation likely performed by the actor known as BackdoorDiplomacy. The attribution is
based on infrastructure and TTPs common to the current operation and others known to the public. For instance,
the already-known IP address 43.251.105[.]139 was used as C&C by a sample of Quarian variant built on 2022-04-
11. The domains uc.ejalase[.]org and mci.ejalase.org pointed to IP addresses related to other domains used by the
BackdoorDiplomacy in the past. One such domain we believe is support.vpnkerio[.]com as other subdomains of
vpnkerio[.]com are connected to the mentioned threat actor." Bitdefender wrote.

By at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

CISA Sounds Alarm on ICS Security: Baxter and Mitsubishi Products Affected

  Cybersecurity Alerts: Vulnerabilities in Healthcare and Industrial Control Systems This week, the US Cybersecurity and Infrastructure Secu...