ESET researchers have discovered a new APT actor that has been primarily targeting foreign ministries in Africa and the Middle East. Dubbed BackdoorDiplomacy, this group has spent the last four years targeting diplomatic entities across these regions.

What’s going on?

Apart from Africa and the Middle East, the group has claimed victims among Ministries of Foreign Affairs in Asia and Europe as well. Other targets include telecom companies in Africa and at least one charity in the Middle East. BackdoorDiplomacy uses a custom backdoor named Turian that is derived from Quarian and targets both Windows and Linux systems. The ESET report follows one by Kaspersky last month that discovered a Chinese threat actor targeting African diplomatic entities.

Why does it matter?

The APT group is capable of stealing victims’ system information, taking screenshots, and writing, moving, or deleting files. A subset of the victims were targeted with data collection executables that sought out removable media.

Connections to other APT actors

Researchers stated that the group shares certain similarities with various other Asian threat actors.
  • Many victims were compromised via tactics and techniques that closely resembled those of MirageFox-APT15 and Rehashed RAT.
  • BackdoorDiplomacy is also suspected to have links with the CloudComputating group.
  • The Quarian strain has been linked to a Chinese campaign against the U.S. State Department in 2013.
  • The network encryption protocol implemented by Turian is uncannily similar to that used by Whitebird, a backdoor operated by the Calypso Asian threat actor.

Recent backdoors discovered

While the discovery of BackdoorDiplomacy and the use of Turian raises some serious concerns, several other backdoors have been recently discovered that pose grave threats to the cyber community.
  • The SharpPanda APT group launched a campaign against a Southeast Asian government and is leveraging the Victory backdoor.
  • The Facefish backdoor was found targeting Linux x64 systems and is capable of dropping multiple rootkits at different times.

The bottom line

BackdoorDiplomacy comes in the form of another threat against government organizations with the purpose of gathering sensitive information. It shares tactics, techniques, and procedures with other Asian threat actors and is a cross-platform group. The threat actor is capable of evolving and customizing its toolset for different target environments.

Cyware Publisher