Cybercriminals often rely on sophisticated deception to evade detection. Many international cyberespionage campaigns are uncovered only after the target has already been compromised, or they go undetected entirely. Recently, security researchers from ESET discovered a cyberespionage operation that has targeted charitable groups, diplomatic organizations, Ministries of Foreign Affairs, telcos, and other companies in Africa, Europe, and the Middle East since 2017.
Dubbed “BackdoorDiplomacy,” the campaign targets both Windows and Linux systems by exploiting vulnerable internet-exposed devices such as web servers and the management interfaces of networking equipment. Once a system is compromised, the attackers use various open-source tools to scan the environment and move laterally. The threat actors obtain interactive access in two ways:
- Through a custom backdoor “Turian,” which is derived from the Quarian backdoor.
- Through the deployment of certain open-source remote access tools, when more direct and interactive access is required.
The attackers were also observed targeting removable media for data collection and exfiltration.
Targeting Unpatched Vulnerabilities
The researchers found that the operators behind BackdoorDiplomacy employ advanced tactics, techniques, and procedures (TTPs) that make them harder to track. The group targets servers with internet-exposed ports, most likely by exploiting unpatched bugs or poorly enforced file-upload security.
BackdoorDiplomacy reportedly shares similarities with several other campaigns, most notably through the relationship between its Turian backdoor and the older Quarian backdoor.
“In one specific instance, we observed the operators exploit an F5 BIG-IP vulnerability (CVE-2020-5902) to drop a Linux backdoor. In another, a Microsoft Exchange server was exploited via a PowerShell dropper that installed China Chopper, a well-known web shell in use by various groups since 2013. In a third, we observed a Plesk server with poorly configured file-upload security execute another web shell similar to China Chopper,” the researchers said.
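The Plesk case above turns entirely on upload validation: a web shell such as China Chopper is just a tiny server-side script, so if an upload handler keeps the client-supplied filename and writes it under the web root, the attacker only has to request it afterwards. The following is an added example, not Plesk's, ESET's, or any vendor's code, showing the weak pattern beside a hardened handler. The extension lists, size limit, byte markers and sample uploads are constructed assumptions for illustration, not anything reported about this campaign.

```python
"""Upload validation: a weak handler beside a hardened one (added example)."""
import os
import secrets
import tempfile

ALLOWED_EXT = {"pdf", "png", "jpg", "jpeg", "txt"}            # assumption: app only needs these
# Interpreter-handled extensions that must never be written under a web root.
SCRIPT_EXT = {"php", "php3", "php5", "phtml", "phar", "asp", "aspx", "jsp", "jspx", "cgi"}
MAX_BYTES = 5 * 1024 * 1024                                    # assumption: 5 MiB cap
# Byte sequences a server-side interpreter would execute. "eval(" is deliberately
# conservative: a one-line web shell is typically just an eval of request input.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<%", b"eval(")

# Constructed samples (not captured from any real server).
SAMPLE_SHELL_PHP = b"<?php @eval($_POST['cmd']); ?>"
SAMPLE_PDF = b"%PDF-1.4\n% constructed sample document\n"


def weak_save(upload_dir, filename, data):
    """Vulnerable: trusts the client filename, so 'shell.php' lands executable in the
    web root, and '../' in the name walks out of the upload directory."""
    path = os.path.join(upload_dir, filename)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


class UploadRejected(ValueError):
    pass


def validate_upload(filename, data):
    """Return a server-chosen safe filename, or raise UploadRejected."""
    if len(data) > MAX_BYTES:
        raise UploadRejected("too large")
    base = os.path.basename(filename.replace("\\", "/"))     # drop any directory component
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        raise UploadRejected("no extension")
    exts = parts[1:]
    # Check every extension, not only the last: 'shell.php.jpg' and 'shell.jpg.php'
    # are both abused depending on how the server maps handlers.
    if any(e in SCRIPT_EXT for e in exts) or exts[-1] not in ALLOWED_EXT:
        raise UploadRejected(f"extension not allowed: {base}")
    if any(marker in data[:4096] for marker in SCRIPT_MARKERS):
        raise UploadRejected("content looks like server-side script")
    # Random server-chosen name: nothing from the client reaches the filesystem path.
    return f"{secrets.token_hex(16)}.{exts[-1]}"


def is_accepted(filename, data):
    """True if validate_upload would accept the upload (helper for quick checks)."""
    try:
        validate_upload(filename, data)
        return True
    except UploadRejected:
        return False


def hardened_save(storage_dir, filename, data):
    """Store outside the web root, under a random name, without overwriting anything."""
    safe_name = validate_upload(filename, data)
    path = os.path.join(storage_dir, safe_name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as storage:
        print("shell.php accepted:", is_accepted("shell.php", SAMPLE_SHELL_PHP))
        print("shell.php.jpg accepted:", is_accepted("shell.php.jpg", SAMPLE_SHELL_PHP))
        print("photo.jpg with PHP body accepted:", is_accepted("photo.jpg", SAMPLE_SHELL_PHP))
        print("stored as:", hardened_save(storage, "../../httpdocs/report.pdf", SAMPLE_PDF))
```

The storage directory should sit outside anything the web server serves; the random name and `O_EXCL` remove the attacker's control over both the path and the question of whether an existing file gets overwritten.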
Red Team Tools Discovered
The BackdoorDiplomacy attackers employed open-source reconnaissance and red-team tools to evaluate the environment for additional targets of opportunity and lateral movement. The discovered tools include:
- EarthWorm – A simple network tunnel with SOCKS v5 server and port transfer functionality
- Mimikatz – Various versions, including SafetyKatz
- Nbtscan – A command-line NetBIOS scanner for Windows
- NetCat – A networking utility that reads and writes data across network connections
- PortQry – A tool to display the status of TCP and UDP ports on remote systems
- SMBTouch – Used to determine whether a target is vulnerable to EternalBlue
A red-team tool or toolkit is offensive security software used by red teamers, authorized security professionals who simulate real attacks to test an organization's defenses, to perform advanced network operations and exploit targets. Because these tools are freely available and effective, threat actors frequently abuse them too, which also lets attackers blend in with legitimate testing activity.
Tony Anscombe, Chief Security Evangelist at ESET, discussed the BackdoorDiplomacy activity in a video (courtesy: ESET). Summarizing the attack chain, the researchers said:
“BackdoorDiplomacy's initial attack methodology is focused on exploiting vulnerable internet-exposed applications on web servers, to drop and execute a web shell. Post compromise, via the web shell, BackdoorDiplomacy deploys open-source software for reconnaissance and information gathering and favors the use of DLL search order hijacking to install its backdoor, Turian. Finally, BackdoorDiplomacy employs a separate executable to detect removable media, likely USB flash drives, and copy their contents to the main drive's recycle bin,” the researchers added.
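Two of the post-compromise behaviours in that description, DLL search order hijacking to load the backdoor and the staging of removable-media contents in the recycle bin, are both visible in ordinary endpoint telemetry. The detection logic below is an added example, not ESET's code or any published rule, run over constructed Sysmon-style events (Event ID 7 ImageLoad and Event ID 11 FileCreate). The system-DLL allowlist, process names, paths and the file-count threshold are assumptions for illustration; the page does not say which DLL or which process names the campaign used.

```python
"""Detection over constructed Sysmon-style events (added example, not ESET's code)."""
from collections import defaultdict
import ntpath

# Assumption: a short allowlist of DLL names that legitimately live under System32.
# A real deployment derives this from a golden image rather than hard-coding it.
SYSTEM_DLLS = {"version.dll", "wtsapi32.dll", "cryptbase.dll", "dwmapi.dll", "uxtheme.dll"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")
RECYCLE_BIN_MARKER = "\\$recycle.bin\\"


def _norm(path):
    """Case-fold and normalise separators so comparisons are path-style independent."""
    return path.replace("/", "\\").lower()


def is_dll_hijack(event):
    """Sysmon EID 7: a DLL with a System32 name loaded from a non-system directory.

    In a search-order hijack the rogue DLL usually sits next to the legitimate host
    executable, which Windows searches before the system directory.
    """
    if event.get("EventID") != 7:
        return False
    image_loaded = _norm(event["ImageLoaded"])
    if ntpath.basename(image_loaded) not in SYSTEM_DLLS:
        return False
    return not ntpath.dirname(image_loaded).startswith(SYSTEM_DIRS)


def recycle_bin_staging(events, threshold=3):
    """Sysmon EID 11: processes other than Explorer creating many files under $Recycle.Bin.

    Returns {(pid, image): count} for every process at or above the threshold.
    Explorer is excluded because ordinary user deletions go through the shell.
    """
    counts = defaultdict(int)
    for ev in events:
        if ev.get("EventID") != 11:
            continue
        if RECYCLE_BIN_MARKER not in _norm(ev["TargetFilename"]):
            continue
        image = _norm(ev["Image"])
        if ntpath.basename(image) == "explorer.exe":
            continue
        counts[(ev["ProcessId"], image)] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


def run_detections(events, threshold=3):
    """Return a list of (rule, image, detail) alerts for the given events."""
    alerts = []
    for ev in events:
        if is_dll_hijack(ev):
            alerts.append(("dll_search_order_hijack", ev["Image"], ev["ImageLoaded"]))
    for (pid, image), n in recycle_bin_staging(events, threshold).items():
        alerts.append(("recycle_bin_staging", image, f"{n} files (pid {pid})"))
    return alerts


# Constructed events; process and path names are hypothetical.
SAMPLE_EVENTS = [
    # benign: the DLL comes from System32
    {"EventID": 7, "Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll"},
    # suspicious: same DLL name, but it sits beside the host executable
    {"EventID": 7, "Image": r"C:\ProgramData\Vendor\app.exe",
     "ImageLoaded": r"C:\ProgramData\Vendor\version.dll"},
    # benign: Explorer moving one file into the recycle bin
    {"EventID": 11, "ProcessId": 1234, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\$Recycle.Bin\S-1-5-21-1-2-3-1001\$R1A2B3C.docx"},
    # suspicious: an unknown binary writing several files under the recycle bin
    *[{"EventID": 11, "ProcessId": 4321, "Image": r"C:\ProgramData\Vendor\collector.exe",
       "TargetFilename": rf"C:\$Recycle.Bin\S-1-5-21-1-2-3-1001\stage\doc{i}.pdf"}
      for i in range(4)],
]

if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(*alert, sep="\t")
```

Both rules are intentionally narrow: the hijack rule keys on a known DLL name appearing outside the system directories, so it misses hijacks of application-private DLLs, and the staging rule needs a volume of writes, so a single copied file will not trip it. Tune the allowlist and threshold to the environment before relying on either.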