• Home
  • |
  • Blog
  • |
  • How BackdoorDiplomacy APT Group Uses Turian Backdoor To Carryout Cyber Espionage Campaign?
BackdoorDiplomacy APT Group | Turian Backdoor | Cyber Espionage Campaign

Cybersecurity researchers disclosed a new Turian Backdoor used to carry out a cyber espionage campaign by BackdoorDiplomacy APT Group on Thursday that has been behind a sequence of targeted attacks against telecommunication companies and diplomatic entities in the Middle East and Africa since 2017. The threat actor is known as “Backdoor Diplomacy” due to the use of Turian Backdoor and its priority for diplomatic targets.  

The Backdoor Diplomacy APT Group involves targeting the vulnerabilities in internet-exposed devices, such as web servers, for cybercriminal activities. These include lateral movement across a network to deploy the custom implant known as Turian. It is capable of exfiltrating sensitive information stored in removable media.

What Is Cyber Espionage Campaign?

The Cyber Espionage Campaign targets the victim with the help of a previously undocumented kind of malware that brings a secret backdoor onto the compromised Windows systems. Cyber spying or cyber espionage is a kind of cyber attack in which an unauthorized user tries to access classified or sensitive data and intellectual property for competitive advantage, economic gain, or political reasons.

 In some scenarios, a data breach is intended to cause reputational damage to the target by exposing sensitive data or questionable business practices. The most common victims of cyber espionage campaigns include government agencies, large corporations, academic institutions, or organizations that possess technical data and valuable IP to create a competitive advantage over other organizations.

What Is A Backdoor Malware?

A backdoor attack is a kind of malware that gives hackers unauthorized access to a website. As a result, hackers can remotely access an application, such as file servers and databases. The backdoor provides a safe path for perpetrators the ability to issue system commands and update malware.

Hackers install malware through unsecured entry points, such as input fields or outdated plug-ins. Once they enter a website or an application, they can access all your company’s data, including users’ personally identifiable information.

Web Server backdoor can be used for several malicious activities, including

  • Launching of distributed denial of service (DDoS) attacks
  • Advanced persistent threat
  • Infecting website visitors
  • Server hijacking
  • Website defacing

About BackdoorDiplomacy APT Group

The Backdoor diplomacy APT Group is seen targeting the regional diplomatic organizations in Asia and Africa, and rarely telecommunication companies. Researchers observed that the campaign was conducted on public-facing servers within the target organizations spying on network traffic and sending commands to compromised hosts. The Backdoor diplomacy APT group uses the Moriya rootkit to deploy the passive backdoor that allows cybercriminals to analyze incoming traffic to the infected system, Kaspersky says.

The APT group is linked with several other Asian groups. Most common among them is the link between the Quarian backdoor and the Turian backdoor. It is also connected with a group referred to as “CloudComputating” analyzed by Sophos.

About Turian Backdoor

Kaspersky reported that both Quarian and Turian backdoors had targeted the same set of victims. On top of that, there are certain similarities seen between the two malware. This concludes cybersecurity researchers that Turin is derived from the Quarian.

Mutex used in Turin to verify that only one instance is running is named differently than the Mutex seen in Quarian. Here you see a few Mutex captured during the analysis of Turin.

  • winsupdatetw
  • clientsix
  • client
  • updatethres
  • Others: dynamically generated based on the system’s hostname, limited to eight hex characters, lower-case, and prefaced with a leading zero.

Here are some of the capabilities discovered:

  • Get system information, such as OS version, local hostname, memory usage, system adapter info, current username, internal IP, domain data, and state of the directory service installation.
  • Spawn the new thread, accept the command and wait for the three-digit commands.
  • Take a screenshot.
  • Write file
  • List directory
  • Move file
  • Delete file
  • Get startup info

Victims Of BackdoorDiplomacy APT Group

Turin is seen targeting the same victims that Quarian has targeted. The trend of targeting Ministries of Foreign Affairs continues with Turian as well. If we come to this cyber-espionage campaign, Ministries of Foreign Affairs of several African countries, as well as in Europe, the Middle East, and Asia are targeted. Additionally, the campaign has been carried out on telecommunication companies in Africa and Middle Eastern charities. Tactics, techniques, and procedures (TTPs) remain the same in each case, but the tools used are different.

How BackdoorDiplomacy APT Group Carry Out Cyber Espionage Campaign?

Fig #1: How BackdoorDiplomacy APT Group Carryout Cyber Espionage Campaign

Let’s see how BackdoorDiplomacy APT Group Carryout Cyber Espionage Campaign?

BackdoorDiplomacy APT group compromise the internet exposed devices in two ways:

  1. Turian Backdoor, which is derived from Quarian.
  2. Open-source remote access tools

In several instances, it has been seen that the attackers have targeted removable media for data collection or exfiltration. Both Windows and Linux platforms are targeted using the backdoor.

BackdoorDiplomacy APT Exploit Chain:

  1. Initially, the BackdoorDiplomacy APT group targets the victim via ports exposed to the internet, likely exploiting unpatched vulnerabilities or poorly enforced file-upload security. In one instance, attackers exploited an unpatched F5 BIP-IP vulnerability (CVE-2020-5902) to drop a backdoor on a Linux system. In the second example, they exploited a Microsoft Exchange server and installed China Chopper using a PowerShell dropper.
  2. After the initial compromise, the BackdoorDiplomacy APT group launch Recon attacks to explore the network for additional targets, which helps in lateral movement. In many instances, the attacker group has used open-source reconnaissance and red-team tools to perform reconnaissance.
    1. EarthWorm
    2. Mimikatz
    3. Nbtscan
    4. NetCat
    5. PortQry
    6. SMBTouch
    7. Various tools from the ShadowBrokers dump of NSA tools including, but not limited to:
      1. DoublePulsar
      2. EternalBlue
      3. EternalRocks
      4. EternalSynergy
  3. Next, the group will implant the dropper on the identified target machines, which later installs the Turin Backdoor. In many instances, attackers have disguise their backdoor droppers to cover from detection and implant them in these locations. In one example, the group has used a web shell to drop ScnCfg.exe, a program that writes Turin code to the memory and executes it.
    1. C:\Program Files\hp
    2. C:\ProgramData\ESET
    3. C:\ProgramData\Mozilla
  4. After initial execution, the Turian backdoor establishes persistence by creating the file tmp.bat in the present working directory then crests a couple of registry keys. Thereafter Turin will try to communicate with C2 servers (IPs and domains are stored in Sharedaccess.ini) and shares the data to the servers over an encrypted channel.
  1. Block the IOCs on your Proxies, EDR Tools, Microsoft O365, and Firewalls.
  2. Check Firewall and Internet proxy logs for the C&C connections and isolate the host if suspected.
  3. Run anti-malware scans capture IOCs in the reports
  4. Impose blocks on the shell scripts at the EndPoint level.
  5. run these checks 

Turian Backdoor commands:

IDDescription
0x01Get system information including OS version, memory usage, local hostname, system adapter info, internal IP, current username, state of the directory service installation and domain data.
0x02Interactive shell – copy %WINDIR%\system32\cmd.exe to %WINDIR%\alg.exe and spawn alg.exe in a new thread.
0x03Spawn a new thread, acknowledge the command and wait for one of the three-digit commands below.
0x04Take screenshot.
0x103/203Write file.
0x403List directory.
0x503Move file.
0x603Delete file.
0x703Get startup info.
Table #1: Turian Backdoor commands:

IOCs: To Detect Turian Backdoor:

File Samples:

SHA-1FilenameESET Detection NameDescription
3C0DB3A5194E1568E8E2164149F30763B7F3043Dlogout.aspxASP/Webshell.HBackdoorDiplomacy webshell – variant N2
32EF3F67E06C43C18E34FB56E6E62A6534D1D694current.aspxASP/Webshell.OBackdoorDiplomacy webshell – variant S1
8C4D2ED23958919FE10334CCFBE8D78CD0D991A8errorEE.aspxASP/Webshell.JBackdoorDiplomacy webshell – variant N1
C0A3F78CF7F0B592EF813B15FC0F1D28D94C9604App_Web_xcg2dubs.dllMSIL/Webshell.CBackdoorDiplomacy webshell – variant N3
CDD583BB6333644472733617B6DCEE2681238A11N/ALinux/Agent.KDLinux Turian backdoor
FA6C20F00F3C57643F312E84CC7E46A0C7BABE75N/ALinux/Agent.KDLinux Turian backdoor
5F87FBFE30CA5D6347F4462D02685B6E1E90E464ScnCfg.exeWin32/Agent.TGOWindows Turian backdoor
B6936BD6F36A48DD1460EEB4AB8473C7626142ACVMSvc.exeWin32/Agent.QKKWindows Turian backdoor
B16393DFFB130304AD627E6872403C67DD4C0AF3svchost.exeWin32/Agent.TZIWindows Turian backdoor
9DBBEBEBBA20B1014830B9DE4EC9331E66A159DFnvsvc.exeWin32/Agent.UJHWindows Turian backdoor
564F1C32F2A2501C3C7B51A13A08969CDC3B0390AppleVersions.dllWin64/Agent.HAWindows Turian backdoor
6E1BB476EE964FFF26A86E4966D7B82E7BACBF47MozillaUpdate.exeWin32/Agent.UJHWindows Turian backdoor
FBB0A4F4C90B513C4E51F0D0903C525360FAF3B7nvsvc.exeWin32/Agent.QAYWindows Turian backdoor
2183AE45ADEF97500A26DBBF69D910B82BFE721Anvsvcv.exeWin32/Agent.UFXWindows Turian backdoor
849B970652678748CEBF3C4D90F435AE1680601Fefsw.exeWin32/Agent.UFXWindows Turian backdoor
C176F36A7FC273C9C98EA74A34B8BAB0F490E19Eiexplore32.exeWin32/Agent.QAYWindows Turian backdoor
626EFB29B0C58461D831858825765C05E1098786iexplore32.exeWin32/Agent.UFXWindows Turian backdoor
40E73BF21E31EE99B910809B3B4715AF017DB061explorer32.exeWin32/Agent.QAYWindows Turian backdoor
255F54DE241A3D12DEBAD2DF47BAC5601895E458Duser.dllWin32/Agent.URHWindows Turian backdoor
A99CF07FBA62A63A44C6D5EF6B780411CF1B1073Duser.dllWin64/Agent.HAWindows Turian backdoor
934B3934FDB4CD55DC4EA1577F9A394E9D74D660Duser.dllWin32/Agent.TQIWindows Turian backdoor
EF4DF176916CE5882F88059011072755E1ECC482iexplore32.exeWin32/Agent.QAYWindows Turian backdoor
Table #2: IOCs

Persistence Directories:

  • C:\Program Files\hp
  • C:\ProgramData\ESET
  • C:\ProgramData\Mozilla
  • C:\Program Files\Windows Mail\en-US\
  • %LOCALAPPDATA%\Microsoft\InstallAgent\Checkpoints\
  • C:\ProgramData\ESET\ESET Security\Logs\eScan\
  • %USERPROFILE%\ESET\ESET Security\Logs\eScan\
  • C:\Program Files\hp\hponcfg\
  • C:\Program Files\hp\hpssa\
  • C:\hp\hpsmh\
  • C:\ProgramData\Mozilla\updates\

Network C&Cs:

Table #3: Network C&Cs

DDNS providers:

Table#4: DDNS providers:

MITRE ATT&CK techniques

Table #5: MITRE ATT&CK techniques

Thanks for reading the threat post. Please try to pass this information and help curbing the Cyber Espionage Campaign.

About the author

Arun KL

To know more about me. Follow me on LinkedIn Hi All, I am Arun KL, an IT Security Professional. Founder of “thesecmaster.com”. Enthusiast, Security Blogger, Technical Writer, Editor, Author at TheSecMaster. To know more about me. Follow me on LinkedIn

Leave a Reply

Your email address will not be published. Required fields are marked

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Learn Something New with Free Email subscription

Email is also one of the ways to be in touch with us. Our free subscription plan offers you to receive post updates straight to your inbox.