Cybersecurity researchers from ESET have identified a new APT group, tracked as BackdoorDiplomacy, that has been targeting Ministries of Foreign Affairs and telecommunications companies in several countries since at least 2017.
The ESET researchers stated: “For initial infection vectors, the group favors exploiting vulnerable internet-exposed devices such as web servers and management interfaces for networking equipment.”
“Once on a system, its operators make use of open-source tools for scanning the environment and lateral movement. Interactive access is achieved in two ways: (1) via a custom backdoor we are calling Turian that is derived from the Quarian backdoor; and (2) in fewer instances, when more direct and interactive access is required, certain open-source remote access tools are deployed,” the ESET report continues.
Beyond scanning for servers with internet-exposed ports, the group exploits unpatched vulnerabilities and poorly configured file-upload functionality to get its first foothold.
In one instance, the researchers observed the group exploiting the F5 BIG-IP vulnerability CVE-2020-5902 to drop the Linux version of its backdoor. In another, a Microsoft Exchange server was exploited via a PowerShell dropper that installed the China Chopper web shell.

In a third instance, a Plesk server with a poorly configured file-upload feature was used to plant and execute another web shell similar to China Chopper.
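All three footholds above (the F5 BIG-IP exploit, the Exchange web shell and the Plesk upload) leave traces in web server access logs. What follows is an added example, not code from ESET or from this article: a small Python triage script that flags the publicly documented CVE-2020-5902 `..;` path pattern under `/tmui/`, a script file served right after the same client used an upload endpoint, and a script that is only ever POSTed to (the traffic shape of China Chopper and similar one-line shells). The combined log format, the extension list, the upload-endpoint heuristic and the sample log lines are assumptions constructed for the example.

```python
"""Triage web access logs for the initial-access patterns described above.

Added example for this article, not ESET's code; the log lines are constructed.
Assumptions: Apache/nginx combined log format; the F5 check looks for the
publicly documented CVE-2020-5902 path-normalisation bypass ("..;" inside a
/tmui/ URL); the upload and POST-only heuristics are generic webshell tells,
not signatures published by ESET.
"""
import re
from collections import Counter, defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# Server-side script extensions a dropped webshell would use (assumed list).
SCRIPT_EXT = re.compile(r'\.(aspx?|php\d?|jsp|cfm)(\?|$)', re.IGNORECASE)

# Constructed sample: one TMUI traversal, one upload followed by a GET of the
# dropped script, one China Chopper-style POST-only pattern, one benign request.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2021:10:01:02 +0000] "GET /tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp HTTP/1.1" 200 1432
198.51.100.7 - - [10/Jun/2021:10:05:10 +0000] "POST /modules/uploader/upload.php HTTP/1.1" 200 12
198.51.100.7 - - [10/Jun/2021:10:05:11 +0000] "GET /files/errorEE.aspx HTTP/1.1" 200 0
198.51.100.9 - - [10/Jun/2021:10:20:20 +0000] "POST /owa/auth/current.aspx HTTP/1.1" 200 58
198.51.100.9 - - [10/Jun/2021:10:20:25 +0000] "POST /owa/auth/current.aspx HTTP/1.1" 200 203
198.51.100.9 - - [10/Jun/2021:10:20:31 +0000] "POST /owa/auth/current.aspx HTTP/1.1" 200 77
192.0.2.9 - - [10/Jun/2021:10:30:00 +0000] "GET /index.php HTTP/1.1" 200 5120
"""


def parse_line(line):
    """Fields of one combined-format line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_f5_tmui_traversal(path):
    """CVE-2020-5902: a '..;' segment inside /tmui/ bypasses the TMUI auth filter."""
    return "/tmui/" in path.lower() and "..;" in path


def triage(lines, min_posts=3):
    """Return (finding, source_ip, path) tuples in the order they are established."""
    findings = []
    upload_posters = set()                    # IPs that POSTed to an upload endpoint
    reported = set()                          # (ip, script) pairs already reported
    methods_by_script = defaultdict(Counter)  # script path -> Counter of methods

    for line in lines:
        req = parse_line(line)
        if req is None:
            continue
        ip, method, path, status = req["ip"], req["method"], req["path"], req["status"]

        if is_f5_tmui_traversal(path):
            findings.append(("f5_tmui_traversal", ip, path))

        script = path.split("?", 1)[0]
        if method == "POST" and "upload" in script.rsplit("/", 1)[-1].lower():
            upload_posters.add(ip)            # remember who used the uploader
            continue                          # the uploader itself is not the shell

        if SCRIPT_EXT.search(path):
            methods_by_script[script][method] += 1
            # A script served 200 to an IP that just used the uploader is the
            # likely dropped webshell (the Plesk case above).
            if ip in upload_posters and status == "200" and (ip, script) not in reported:
                reported.add((ip, script))
                findings.append(("script_reached_after_upload", ip, script))

    # China Chopper and similar one-liners are driven purely by POST: a script that
    # only ever receives POSTs, and several of them, deserves a look.
    for script, counts in methods_by_script.items():
        if counts["POST"] >= min_posts and counts["GET"] == 0:
            findings.append(("post_only_script", "*", script))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG.splitlines()):
        print(*finding)
```

Run it against a real access log with `triage(open("access.log").readlines())`; the POST-only heuristic is noisy on legitimate API endpoints, so raise `min_posts` or restrict it to directories that should never receive POSTs (`/aspnet_client/`, `/owa/auth/`) before alerting on it.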
Indicators of Compromise (from ESET's report):
SHA-1 | Filename | ESET Detection Name | Description |
---|---|---|---|
3C0DB3A5194E1568E8E2164149F30763B7F3043D | logout.aspx | ASP/Webshell.H | BackdoorDiplomacy webshell – variant N2 |
32EF3F67E06C43C18E34FB56E6E62A6534D1D694 | current.aspx | ASP/Webshell.O | BackdoorDiplomacy webshell – variant S1 |
8C4D2ED23958919FE10334CCFBE8D78CD0D991A8 | errorEE.aspx | ASP/Webshell.J | BackdoorDiplomacy webshell – variant N1 |
C0A3F78CF7F0B592EF813B15FC0F1D28D94C9604 | App_Web_xcg2dubs.dll | MSIL/Webshell.C | BackdoorDiplomacy webshell – variant N3 |
CDD583BB6333644472733617B6DCEE2681238A11 | N/A | Linux/Agent.KD | Linux Turian backdoor |
FA6C20F00F3C57643F312E84CC7E46A0C7BABE75 | N/A | Linux/Agent.KD | Linux Turian backdoor |
5F87FBFE30CA5D6347F4462D02685B6E1E90E464 | ScnCfg.exe | Win32/Agent.TGO | Windows Turian backdoor |
B6936BD6F36A48DD1460EEB4AB8473C7626142AC | VMSvc.exe | Win32/Agent.QKK | Windows Turian backdoor |
B16393DFFB130304AD627E6872403C67DD4C0AF3 | svchost.exe | Win32/Agent.TZI | Windows Turian backdoor |
9DBBEBEBBA20B1014830B9DE4EC9331E66A159DF | nvsvc.exe | Win32/Agent.UJH | Windows Turian backdoor |
564F1C32F2A2501C3C7B51A13A08969CDC3B0390 | AppleVersions.dll | Win64/Agent.HA | Windows Turian backdoor |
6E1BB476EE964FFF26A86E4966D7B82E7BACBF47 | MozillaUpdate.exe | Win32/Agent.UJH | Windows Turian backdoor |
FBB0A4F4C90B513C4E51F0D0903C525360FAF3B7 | nvsvc.exe | Win32/Agent.QAY | Windows Turian backdoor |
2183AE45ADEF97500A26DBBF69D910B82BFE721A | nvsvcv.exe | Win32/Agent.UFX | Windows Turian backdoor |
849B970652678748CEBF3C4D90F435AE1680601F | efsw.exe | Win32/Agent.UFX | Windows Turian backdoor |
C176F36A7FC273C9C98EA74A34B8BAB0F490E19E | iexplore32.exe | Win32/Agent.QAY | Windows Turian backdoor |
626EFB29B0C58461D831858825765C05E1098786 | iexplore32.exe | Win32/Agent.UFX | Windows Turian backdoor |
40E73BF21E31EE99B910809B3B4715AF017DB061 | explorer32.exe | Win32/Agent.QAY | Windows Turian backdoor |
255F54DE241A3D12DEBAD2DF47BAC5601895E458 | Duser.dll | Win32/Agent.URH | Windows Turian backdoor |
A99CF07FBA62A63A44C6D5EF6B780411CF1B1073 | Duser.dll | Win64/Agent.HA | Windows Turian backdoor |
934B3934FDB4CD55DC4EA1577F9A394E9D74D660 | Duser.dll | Win32/Agent.TQI | Windows Turian backdoor |
EF4DF176916CE5882F88059011072755E1ECC482 | iexplore32.exe | Win32/Agent.QAY | Windows Turian backdoor |
Network C&Cs:
AS | Hoster | IP address | Domain |
---|---|---|---|
AS20473 | AS-CHOOPA | 199.247.9[.]67 | bill.microsoftbuys[.]com |
AS132839 | POWER LINE DATACENTER | 43.251.105[.]218 | dnsupdate.dns2[.]us |
AS132839 | POWER LINE DATACENTER | 43.251.105[.]222 | |
AS40065 | Cnservers LLC | 162.209.167[.]154 | |
AS132839 | POWER LINE DATACENTER | 43.225.126[.]179 | www.intelupdate.dns1[.]us |
AS46573 | LAYER-HOST | 23.247.47[.]252 | www.intelupdate.dns1[.]us |
AS132839 | POWER LINE DATACENTER | 43.251.105[.]222 | winupdate.ns02[.]us |
AS40065 | Cnservers LLC | 162.209.167[.]189 | |
AS25820 | IT7NET | 23.83.224[.]178 | winupdate.ns02[.]us |
AS25820 | IT7NET | 23.106.140[.]207 | |
AS132839 | POWER LINE DATACENTER | 43.251.105[.]218 | |
AS20473 | AS-CHOOPA | 45.76.120[.]84 | icta.worldmessg[.]com |
AS20473 | AS-CHOOPA | 78.141.243[.]45 | |
AS20473 | AS-CHOOPA | 78.141.196[.]159 | Infoafrica[.]top |
AS20473 | AS-CHOOPA | 45.77.215[.]53 | szsz.pmdskm[.]top |
AS20473 | AS-CHOOPA | 207.148.8[.]82 | pmdskm[.]top |
AS132839 | POWER LINE DATACENTER | 43.251.105[.]139 | www.freedns02.dns2[.]us |
AS132839 | POWER LINE DATACENTER | 43.251.105[.]139 | web.vpnkerio[.]com |
AS20473 | AS-CHOOPA | 45.77.215[.]53 | |
AS135377 | UCloud (HK) Holdings Group Limited | 152.32.180[.]34 | |
AS132839 | POWER LINE DATACENTER | 43.251.105[.]218 | officeupdates.cleansite[.]us |
AS25820 | IT7NET | 23.106.140[.]207 | dynsystem.imbbs[.]in |
AS25820 | IT7NET | 23.106.140[.]207 | officeupdate.ns01[.]us |
AS25820 | IT7NET | 23.106.140[.]207 | systeminfo.oicp[.]net |
AS40676 | Psychz Networks | 23.228.203[.]130 | systeminfo.myftp[.]name |
AS40676 | Psychz Networks | 23.228.203[.]130 | systeminfo.cleansite[.]info |
AS40676 | Psychz Networks | 23.228.203[.]130 | updateip.onmypc[.]net |
AS40676 | Psychz Networks | 23.228.203[.]130 | buffetfactory.oicp[.]io |
DDNS providers:
Provider | Domain |
---|---|
expdns[.]net | update.officenews365[.]com |
ezdnscenter[.]com | bill.microsoftbuys[.]com |
changeip[.]org | dnsupdate.dns2[.]us |
changeip[.]org | dnsupdate.dns1[.]us |
changeip[.]org | www.intelupdate.dns1[.]us |
changeip[.]org | winupdate.ns02[.]us |
changeip[.]org | www.freedns02.dns2[.]us |
changeip[.]org | officeupdates.cleansite[.]us |
changeip[.]org | officeupdate.ns01[.]us |
changeip[.]org | systeminfo.cleansite[.]info |
changeip[.]org | updateip.onmypc[.]net |
hichina[.]com | Infoafrica[.]top |
domaincontrol[.]com | web.vpnkerio[.]com |
exhera[.]com | dynsystem.imbbs[.]in |
exhera[.]com | systeminfo.oicp[.]net |
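The tables above are only useful once they are turned into a hunt. As an added example (not ESET's tooling and not part of the original article), the following Python script refangs the `[.]` notation, compares the SHA-1 of every file under a web root against the sample table, and matches DNS query and proxy log lines against the C&C domains and IPs. Only a subset of the indicators is copied in; the temporary web root, the planted file and the log lines are constructed for the example. The subdomain matching (so `c2.bill.microsoftbuys.com` fires too) and the file hashing go beyond the page, which only lists the indicators.

```python
"""Hunt for the indicators listed above on a web host and in DNS/proxy logs.

Added example for this article, not ESET tooling. Only a subset of the IoC
tables is copied in (extend WEBSHELL_SHA1 and C2_DEFANGED with the full lists);
the sample log lines and the temporary web root are constructed.
"""
import hashlib
import os
import re
import tempfile

# Subset of the samples table above (SHA-1 -> description).
WEBSHELL_SHA1 = {
    "3C0DB3A5194E1568E8E2164149F30763B7F3043D": "logout.aspx, BackdoorDiplomacy webshell N2",
    "32EF3F67E06C43C18E34FB56E6E62A6534D1D694": "current.aspx, BackdoorDiplomacy webshell S1",
    "8C4D2ED23958919FE10334CCFBE8D78CD0D991A8": "errorEE.aspx, BackdoorDiplomacy webshell N1",
    "CDD583BB6333644472733617B6DCEE2681238A11": "Linux Turian backdoor",
}
# Subset of the C&C table above, still defanged.
C2_DEFANGED = [
    "bill.microsoftbuys[.]com", "dnsupdate.dns2[.]us", "www.intelupdate.dns1[.]us",
    "winupdate.ns02[.]us", "icta.worldmessg[.]com", "web.vpnkerio[.]com",
    "199.247.9[.]67", "43.251.105[.]218", "23.106.140[.]207",
]
# Constructed: two BIND-style query-log lines that hit, one benign, then two
# Squid-style proxy lines, the first of which POSTs to a C&C IP.
SAMPLE_LOGS = """\
10-Jun-2021 09:12:01.123 client 10.0.0.21#53411: query: bill.microsoftbuys.com IN A + (10.0.0.2)
10-Jun-2021 09:12:05.400 client 10.0.0.21#53412: query: www.intelupdate.dns1.us IN A + (10.0.0.2)
10-Jun-2021 09:13:10.017 client 10.0.0.34#40122: query: update.microsoft.com IN A + (10.0.0.2)
1623316400.200 10.0.0.21 TCP_MISS/200 412 POST http://199.247.9.67/ - HIER_DIRECT/199.247.9.67 text/html
1623316401.900 10.0.0.50 TCP_MISS/200 5120 GET http://www.example.com/ - HIER_DIRECT/93.184.216.34 text/html
"""


def refang(indicator):
    """'bill.microsoftbuys[.]com' -> 'bill.microsoftbuys.com' (lower-cased)."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


def sha1_of_file(path, chunk=1 << 20):
    """Upper-case hex SHA-1 of a file, read in chunks so large files are fine."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest().upper()


def hunt_files(root, sha1_table=WEBSHELL_SHA1):
    """[(path, description)] for every file under root whose SHA-1 is in the table."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                digest = sha1_of_file(path)
            except OSError:        # unreadable or vanished file: skip, keep hunting
                continue
            if digest in sha1_table:
                hits.append((path, sha1_table[digest]))
    return hits


def build_matcher(indicators=C2_DEFANGED):
    """One regex matching any listed IP, or any listed domain and its subdomains."""
    alts = []
    for ind in indicators:
        clean = refang(ind)
        if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", clean):
            alts.append(re.escape(clean))
        else:
            alts.append(r"(?:[\w-]+\.)*" + re.escape(clean))
    # Not preceded by a label character and not followed by one or by a further
    # label, so 199.247.9.67 matches neither 1199.247.9.67 nor 199.247.9.671 and
    # bill.microsoftbuys.com.evil.net is not a hit; a trailing FQDN "." is fine.
    return re.compile(r"(?<![\w.-])(?:" + "|".join(alts) + r")(?!\w|-|\.[\w-])",
                      re.IGNORECASE)


def hunt_logs(lines, matcher=None):
    """[(line_no, indicator)] for each distinct C&C domain or IP seen per line."""
    matcher = matcher or build_matcher()
    hits = []
    for n, line in enumerate(lines, 1):
        for ind in sorted({m.group(0).lower() for m in matcher.finditer(line)}):
            hits.append((n, ind))
    return hits


def demo_hunt_files():
    """Plant a constructed file in a temp web root and find it by its own SHA-1."""
    with tempfile.TemporaryDirectory() as root:
        planted = os.path.join(root, "aspnet_client", "logout.aspx")
        os.makedirs(os.path.dirname(planted))
        with open(planted, "wb") as f:
            f.write(b'<%@ Page Language="C#" %> constructed placeholder, not a real shell\n')
        with open(os.path.join(root, "index.html"), "w") as f:
            f.write("<html>benign</html>")
        table = dict(WEBSHELL_SHA1)
        table[sha1_of_file(planted)] = "constructed sample"   # stands in for a real hash
        return [(os.path.relpath(p, root), d) for p, d in hunt_files(root, table)]


if __name__ == "__main__":
    print(demo_hunt_files())
    for line_no, ind in hunt_logs(SAMPLE_LOGS.splitlines()):
        print(f"line {line_no}: {ind}")
```

On a real host run `hunt_files("/var/www")` (or the IIS `inetpub` root) with the full table, and feed `hunt_logs` your resolver and proxy logs; the hash check only catches byte-identical copies of the listed samples, so pair it with the access-log heuristics for modified shells.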
For more cyber security news in crisp form, follow our Twitter handle @cyberworkx1.