“BackdoorDiplomacy” APT Group Targets Ministry of Foreign Affairs and Telecom Companies.

Cybersecurity researchers from ESET have identified a new APT group that has been targeting Ministries of Foreign Affairs and telecommunication companies in several countries since at least 2017.

The researchers stated: “For initial infection vectors, the group favors exploiting vulnerable internet-exposed devices such as web servers and management interfaces for networking equipment.”

“Once on a system, its operators make use of open-source tools for scanning the environment and lateral movement. Interactive access is achieved in two ways: (1) via a custom backdoor we are calling Turian that is derived from the Quarian backdoor; and (2) in fewer instances, when more direct and interactive access is required, certain open-source remote access tools are deployed,” ESET’s report states.

Besides targeting servers with internet-exposed ports, the group also exploits unpatched vulnerabilities and poorly configured file upload functionality.

In one instance, the researchers observed the group exploiting the F5 BIG-IP vulnerability (CVE-2020-5902) to drop the Linux backdoor. In another, a Microsoft Exchange server was exploited via a PowerShell dropper that installed the China Chopper web shell.

In a third instance, a Plesk server with a poorly configured file upload feature was used to execute another web shell similar to China Chopper.

Indicators of Compromise

SHA-1 | Filename | ESET detection name | Description
3C0DB3A5194E1568E8E2164149F30763B7F3043D | logout.aspx | ASP/Webshell.H | BackdoorDiplomacy webshell – variant N2
32EF3F67E06C43C18E34FB56E6E62A6534D1D694 | current.aspx | ASP/Webshell.O | BackdoorDiplomacy webshell – variant S1
8C4D2ED23958919FE10334CCFBE8D78CD0D991A8 | errorEE.aspx | ASP/Webshell.J | BackdoorDiplomacy webshell – variant N1
C0A3F78CF7F0B592EF813B15FC0F1D28D94C9604 | App_Web_xcg2dubs.dll | MSIL/Webshell.C | BackdoorDiplomacy webshell – variant N3
CDD583BB6333644472733617B6DCEE2681238A11 | N/A | Linux/Agent.KD | Linux Turian backdoor
FA6C20F00F3C57643F312E84CC7E46A0C7BABE75 | N/A | Linux/Agent.KD | Linux Turian backdoor
5F87FBFE30CA5D6347F4462D02685B6E1E90E464 | ScnCfg.exe | Win32/Agent.TGO | Windows Turian backdoor
B6936BD6F36A48DD1460EEB4AB8473C7626142AC | VMSvc.exe | Win32/Agent.QKK | Windows Turian backdoor
B16393DFFB130304AD627E6872403C67DD4C0AF3 | svchost.exe | Win32/Agent.TZI | Windows Turian backdoor
9DBBEBEBBA20B1014830B9DE4EC9331E66A159DF | nvsvc.exe | Win32/Agent.UJH | Windows Turian backdoor
564F1C32F2A2501C3C7B51A13A08969CDC3B0390 | AppleVersions.dll | Win64/Agent.HA | Windows Turian backdoor
6E1BB476EE964FFF26A86E4966D7B82E7BACBF47 | MozillaUpdate.exe | Win32/Agent.UJH | Windows Turian backdoor
FBB0A4F4C90B513C4E51F0D0903C525360FAF3B7 | nvsvc.exe | Win32/Agent.QAY | Windows Turian backdoor
2183AE45ADEF97500A26DBBF69D910B82BFE721A | nvsvcv.exe | Win32/Agent.UFX | Windows Turian backdoor
849B970652678748CEBF3C4D90F435AE1680601F | efsw.exe | Win32/Agent.UFX | Windows Turian backdoor
C176F36A7FC273C9C98EA74A34B8BAB0F490E19E | iexplore32.exe | Win32/Agent.QAY | Windows Turian backdoor
626EFB29B0C58461D831858825765C05E1098786 | iexplore32.exe | Win32/Agent.UFX | Windows Turian backdoor
40E73BF21E31EE99B910809B3B4715AF017DB061 | explorer32.exe | Win32/Agent.QAY | Windows Turian backdoor
255F54DE241A3D12DEBAD2DF47BAC5601895E458 | Duser.dll | Win32/Agent.URH | Windows Turian backdoor
A99CF07FBA62A63A44C6D5EF6B780411CF1B1073 | Duser.dll | Win64/Agent.HA | Windows Turian backdoor
934B3934FDB4CD55DC4EA1577F9A394E9D74D660 | Duser.dll | Win32/Agent.TQI | Windows Turian backdoor
EF4DF176916CE5882F88059011072755E1ECC482 | iexplore32.exe | Win32/Agent.QAY | Windows Turian backdoor

Network

C&Cs

AS | Hoster | IP address | Domain
AS20473 | AS-CHOOPA | 199.247.9[.]67 | bill.microsoftbuys[.]com
AS132839 | POWER LINE DATACENTER | 43.251.105[.]218 | dnsupdate.dns2[.]us
 | | 43.251.105[.]222 |
AS40065 | Cnservers LLC | 162.209.167[.]154 |
AS132839 | POWER LINE DATACENTER | 43.225.126[.]179 | www.intelupdate.dns1[.]us
AS46573 | LAYER-HOST | 23.247.47[.]252 | www.intelupdate.dns1[.]us
AS132839 | POWER LINE DATACENTER | 43.251.105[.]222 | winupdate.ns02[.]us
AS40065 | Cnservers LLC | 162.209.167[.]189 |
AS25820 | IT7NET | 23.83.224[.]178 | winupdate.ns02[.]us
 | | 23.106.140[.]207 |
AS132839 | POWER LINE DATACENTER | 43.251.105[.]218 |
AS20473 | AS-CHOOPA | 45.76.120[.]84 | icta.worldmessg[.]com
AS20473 | AS-CHOOPA | 78.141.243[.]45 |
 | | 78.141.196[.]159 | Infoafrica[.]top
 | | 45.77.215[.]53 | szsz.pmdskm[.]top
 | | 207.148.8[.]82 | pmdskm[.]top
AS132839 | POWER LINE DATACENTER | 43.251.105[.]139 | www.freedns02.dns2[.]us
 | | 43.251.105[.]139 | web.vpnkerio[.]com
AS20473 | AS-CHOOPA | 45.77.215[.]53 |
AS135377 | UCloud (HK) Holdings Group Limited | 152.32.180[.]34 |
AS132839 | POWER LINE DATACENTER | 43.251.105[.]218 | officeupdates.cleansite[.]us
AS25820 | IT7NET | 23.106.140[.]207 | dynsystem.imbbs[.]in
 | | | officeupdate.ns01[.]us
 | | | systeminfo.oicp[.]net
AS40676 | Psychz Networks | 23.228.203[.]130 | systeminfo.myftp[.]name
 | | | systeminfo.cleansite[.]info
 | | | updateip.onmypc[.]net
 | | | buffetfactory.oicp[.]io

DDNS providers

Provider | Domain
expdns[.]net | update.officenews365[.]com
ezdnscenter[.]com | bill.microsoftbuys[.]com
changeip[.]org | dnsupdate.dns2[.]us
 | dnsupdate.dns1[.]us
 | www.intelupdate.dns1[.]us
 | winupdate.ns02[.]us
 | www.freedns02.dns2[.]us
 | officeupdates.cleansite[.]us
 | officeupdate.ns01[.]us
 | systeminfo.cleansite[.]info
 | updateip.onmypc[.]net
hichina[.]com | Infoafrica[.]top
domaincontrol[.]com | web.vpnkerio[.]com
exhera[.]com | dynsystem.imbbs[.]in
 | systeminfo.oicp[.]net
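The indicators above are published in defanged form (`[.]` in place of `.`), so they cannot be pasted straight into a log search. The following Python script is an added example, not code from this post or from ESET: it refangs a subset of the network indicators copied from the tables above, scans DNS-resolver and proxy log lines for them, and checks observed SHA-1 values against the listed Turian hashes. The log lines are constructed samples written for this example and are not real telemetry; the detection matches exact hosts and addresses only, so a subdomain of a listed host would need a separate indicator.

```python
import re
from typing import Iterable

# Network indicators copied from the C&C table above, kept in the
# defanged form ESET publishes them in. Subset chosen for the example.
DEFANGED_IOCS = [
    "bill.microsoftbuys[.]com",
    "dnsupdate.dns2[.]us",
    "www.intelupdate.dns1[.]us",
    "winupdate.ns02[.]us",
    "199.247.9[.]67",
    "43.251.105[.]218",
]

# Turian SHA-1 hashes copied from the file table above (upper-case hex).
TURIAN_SHA1 = {
    "CDD583BB6333644472733617B6DCEE2681238A11",
    "FA6C20F00F3C57643F312E84CC7E46A0C7BABE75",
    "5F87FBFE30CA5D6347F4462D02685B6E1E90E464",
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a matchable, lower-cased string."""
    return indicator.replace("[.]", ".").lower()


def build_matcher(defanged: Iterable[str]) -> re.Pattern:
    """Compile one regex that matches any refanged IoC as a whole token.

    The lookbehind/lookahead stop '43.251.105.218' from matching inside
    '143.251.105.218' and stop 'dns2.us' style substrings from matching
    a longer host name; a trailing '.' (as in DNS logs) is still allowed.
    """
    alternatives = sorted(
        (re.escape(refang(i)) for i in defanged), key=len, reverse=True
    )
    pattern = r"(?<![\w.-])(" + "|".join(alternatives) + r")(?![\w-])"
    return re.compile(pattern, re.IGNORECASE)


def scan_log(lines: Iterable[str], matcher: re.Pattern) -> list[tuple[int, str]]:
    """Return (line number, indicator) for every IoC occurrence in the log."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for m in matcher.finditer(line):
            hits.append((n, m.group(1).lower()))
    return hits


def match_hashes(observed_sha1: Iterable[str], known: set = TURIAN_SHA1) -> set:
    """Normalise case and return the observed hashes present in the IoC list."""
    return {h.strip().upper() for h in observed_sha1} & known


# Constructed sample lines in dnsmasq-style and squid-style formats.
# Line 3 carries both a listed domain and a listed C&C address.
SAMPLE_LOG = [
    "Jun 10 09:14:02 dns01 dnsmasq[812]: query[A] bill.microsoftbuys.com from 10.20.3.41",
    "Jun 10 09:14:02 dns01 dnsmasq[812]: query[A] www.bing.com from 10.20.3.41",
    "1623316451.221 312 10.20.3.41 TCP_MISS/200 1034 GET http://dnsupdate.dns2.us/update.php - DIRECT/43.251.105.218 text/html",
    "1623316460.004 120 10.20.3.77 TCP_MISS/200 512 GET http://dns2.us/ - DIRECT/93.184.216.34 text/html",
]


if __name__ == "__main__":
    matcher = build_matcher(DEFANGED_IOCS)
    for line_no, ioc in scan_log(SAMPLE_LOG, matcher):
        print(f"line {line_no}: matched {ioc}")
    # Constructed hash observations: one listed Turian sample, one unrelated.
    seen = ["cdd583bb6333644472733617b6dcee2681238a11", "0" * 40]
    print("known Turian hashes seen:", match_hashes(seen))
```

Running the script reports the first and third sample lines (the third twice, once for the domain and once for the IP) and one matching hash; the fourth line, which contains a bare parent domain of a listed host, is correctly not reported.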

For more cyber security news in crisp content, please follow our site via the Twitter handle @cyberworkx1.