threat actor known as backdoor diplomacy is associated with a new wave of attacks targeting Iranian government entities from July to late December 2022.
Palo Alto Networks Unit 42 tracks activity under it. constellation themed nickname playful taurusobserved a government domain attempting to connect to malware infrastructure previously identified as associated with the adversary.
The Chinese APT group, also known as APT15, KeChang, NICKEL, and Vixen Panda, has a history of cyber espionage targeting government and diplomatic organizations in North America, South America, Africa, and the Middle East since at least 2010.
In June 2021, Slovak cybersecurity firm ESET used a custom implant called Turian to uncover intrusions staged by hacking crews into diplomatic and telecommunications companies in Africa and the Middle East.
Then, in December 2021, Microsoft announced it had seized 42 domains operated by the group in an attack targeting 29 countries, using exploits against unpatched systems to compromise Microsoft Exchange. and compromised Internet-facing web applications such as SharePoint.
The attackers were recently attributed to attacking an unnamed telecommunications company in the Middle East using Turian’s predecessor, Quarian, which allows remote access points to target networks.
Turian “assessed it is in active development and is only used by Playful Taurus actors,” Unit 42 said. Said In a report shared with The Hacker News, it added that it discovered a new variant of the backdoor used in the Iran-specific attack.
The cybersecurity firm further observed four different Iranian organizations, including the Ministry of Foreign Affairs and the Natural Resources Agency, reaching out to known command-and-control (C2) servers attributed to the group.
“The persistent daily nature of these connections to Playful Taurus-controlled infrastructure suggests the potential for compromise of these networks,” it said.
The new version of the Turian backdoor features additional obfuscation and an updated decryption algorithm used to extract the C2 server. However, the malware itself is generic, providing basic functionality to update and connect to a C2 server, execute commands, and spawn a reverse shell.
Backdoor Diplomacy’s interest in targeting Iran is said to have geopolitical extensions as it is set against the backdrop of a 25-year-old comprehensive agreement. cooperation agreement It was signed between China and Iran to promote economic, military and security cooperation.
“Playful Taurus continues to evolve their tactics and tools,” the researchers said. “Recent upgrades to the Turian backdoor and new C2 infrastructure suggest that these actors continue to be successful in their cyber espionage campaigns.”
