December 6, 2022 | Ravie Lakshmanan | Advanced Persistent Threats

BackdoorDiplomacy, an APT (Advanced Persistent Threat) group with links to China, has been linked to malicious campaigns targeting the Middle East.

The espionage campaign against telecommunications companies in the region is said to have started on August 19, 2021 with the successful exploitation of a ProxyShell vulnerability in Microsoft Exchange Server.

The initial compromise leveraged binaries vulnerable to sideloading techniques, after which a combination of legitimate and bespoke tools was used to conduct reconnaissance, harvest data, move laterally across the environment, and evade detection.

Bitdefender researchers Victor Vrabie and Adrian Schipor said in a report shared with The Hacker News.

“Since February 2022, attackers have used different tools, [the] Quarian backdoor and many other scanners and proxy/tunneling tools.”


BackdoorDiplomacy was first documented by ESET in June 2021. Its intrusions primarily targeted diplomatic agencies and telecommunications companies in Africa and the Middle East to deploy a backdoor called Quarian (aka Turian or Whitebird).


The attack’s espionage motivation is evidenced through the use of keyloggers and PowerShell scripts designed to collect email content. IRAFAU, the first malware component delivered after gaining a foothold, is used for information discovery and lateral movement.

This is facilitated by downloading and uploading files to and from command and control (C2) servers, launching remote shells and executing arbitrary files.

The second backdoor used in this campaign is an updated version of Quarian with a broader feature set for controlling compromised hosts.

A tool called Impersoni-fake-ator is also used. It is embedded in legitimate utilities such as DebugView and Putty and is designed to retrieve system metadata and execute decrypted payloads received from the C2 servers.

The intrusion is further characterized by the use of open source software such as ToRat, a Golang remote administration tool, and AsyncRAT, the latter of which may be dropped via Quarian.

Bitdefender’s attribution of the attack to BackdoorDiplomacy stems from overlaps with the C2 infrastructure the group used in previous campaigns.
