Recently, a new wave of attacks has been discovered targeting Iranian government entities. While investigating the attack infrastructure, Palo Alto researchers found that this cyberespionage operation was most likely carried out by Chinese threat actor BackdoorDiplomacy, between July and late December 2022.
Using new C2 infrastructure
BackdoorDiplomacy starts a campaign with a malware that receives further upgrades and adds new tools during the campaign.
In the recent attack wave, the group likely compromised Iranian government networks belonging to four different organizations, including the Ministry of Foreign Affairs.
The group shifted the hosting of these networks to the attacker-controlled C2 infrastructure and used them to establish connections with malware.
It misused active and expired associated certificates belonging to several agencies, including the Ministry of Foreign Affairs of Senegal, to evade detection.
Discussing the variant
The group is using new variants of a backdoor called Turian, which it adopted in June 2021.
Researchers found a sample of a newer variant packed with VMProtect that contains API obfuscation and a fairly unique XOR decryption function.
This variant has randomized command IDs and it uses these commands for generic functionality such as clean up, C2 updation, commands execution, flag setup, and spawning file explorer and reverse shell threads.
Who is BackdoorDiplomacy?
BackdoorDiplomacy, also known as Playful Taurus or APT15, is a state-sponsored APT group active since at least 2010.
Historically, it has targeted government and diplomatic entities in the Middle East and Africa, as well as in the U.S.
In 2022, the group used Quarian backdoor Pinkman Agent along with several other scanners and proxy/tunneling tools. It adopted defense evasion techniques and many tools for lateral movement.
In August 2021, it exploited ProxyShell in a campaign aimed at a telecommunication firm in the Middle East wherein it deployed the NPS proxy tool and IRAFAU backdoor.
BackdoorDiplomacy is continuously evolving its TTPs during cyberespionage campaigns. Moreover, it routinely deploys the same TTPs with modified tools against other government and diplomatic entities across North and South America, Africa, and the Middle East. The tried and tested methods against other institutions result in higher success rates and the addition and upgradation of tools likely make tracking the group more difficult.