BackdoorDiplomacy

BackdoorDiplomacy is a cyber espionage threat group that has been active since at least 2017. BackdoorDiplomacy has targeted Ministries of Foreign Affairs and telecommunication companies in Africa, Europe, the Middle East, and Asia.[1]

ID: G0135
Contributors: Zaw Min Htun, @Z3TAE
Version: 1.0
Created: 21 September 2021
Last Modified: 18 October 2021

Techniques Used

Domain ID Name Use
Enterprise T1074 .001 Data Staged: Local Data Staging

BackdoorDiplomacy has copied files of interest to the main drive's recycle bin.[1]

Enterprise T1190 Exploit Public-Facing Application

BackdoorDiplomacy has exploited CVE-2020-5902, an F5 BIP-IP vulnerability, to drop a Linux backdoor. BackdoorDiplomacy has also exploited mis-configured Plesk servers.[1]

Enterprise T1574 .001 Hijack Execution Flow: DLL Search Order Hijacking

BackdoorDiplomacy has executed DLL search order hijacking.[1]

Enterprise T1105 Ingress Tool Transfer

BackdoorDiplomacy has downloaded additional files and tools onto a compromised host.[1]

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

BackdoorDiplomacy has disguised their backdoor droppers with naming conventions designed to blend into normal operations.[1]

.005 Masquerading: Match Legitimate Name or Location

BackdoorDiplomacy has dropped implants in folders named for legitimate software.[1]

Enterprise T1046 Network Service Discovery

BackdoorDiplomacy has used SMBTouch, a vulnerability scanner, to determine whether a target is vulnerable to EternalBlue malware.[1]

Enterprise T1095 Non-Application Layer Protocol

BackdoorDiplomacy has used EarthWorm for network tunneling with a SOCKS5 server and port transfer functionalities.[1]

Enterprise T1027 Obfuscated Files or Information

BackdoorDiplomacy has obfuscated tools and malware it uses with VMProtect.[1]

Enterprise T1588 .001 Obtain Capabilities: Malware

BackdoorDiplomacy has obtained and used leaked malware, including DoublePulsar, EternalBlue, EternalRocks, and EternalSynergy, in its operations.[1]

.002 Obtain Capabilities: Tool

BackdoorDiplomacy has obtained a variety of open-source reconnaissance and red team tools for discovery and lateral movement.[1]

Enterprise T1120 Peripheral Device Discovery

BackdoorDiplomacy has used an executable to detect removable media, such as USB flash drives.[1]

Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

BackdoorDiplomacy has dropped legitimate software onto a compromised host and used it to execute malicious DLLs.[1]

Enterprise T1505 .003 Server Software Component: Web Shell

BackdoorDiplomacy has used web shells to establish an initial foothold and for lateral movement within a victim's system.[1]

Enterprise T1049 System Network Connections Discovery

BackdoorDiplomacy has used NetCat and PortQry to enumerate network connections and display the status of related TCP and UDP ports.[1]

Software

ID Name References Techniques
S0020 China Chopper [1] Application Layer Protocol: Web Protocols, Brute Force: Password Guessing, Command and Scripting Interpreter: Windows Command Shell, Data from Local System, File and Directory Discovery, Indicator Removal on Host: Timestomp, Ingress Tool Transfer, Network Service Discovery, Obfuscated Files or Information: Software Packing, Server Software Component: Web Shell
S0002 Mimikatz [1] Access Token Manipulation: SID-History Injection, Account Manipulation, Boot or Logon Autostart Execution: Security Support Provider, Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Windows Credential Manager, OS Credential Dumping: LSA Secrets, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, Rogue Domain Controller, Steal or Forge Kerberos Tickets: Silver Ticket, Steal or Forge Kerberos Tickets: Golden Ticket, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket
S0590 NBTscan [1] Network Service Discovery, Network Sniffing, Remote System Discovery, System Network Configuration Discovery, System Owner/User Discovery
S0262 QuasarRAT [1] Command and Scripting Interpreter: Windows Command Shell, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, Encrypted Channel: Symmetric Cryptography, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Proxy, Remote Services: Remote Desktop Protocol, Scheduled Task/Job: Scheduled Task, Subvert Trust Controls: Code Signing, System Information Discovery, Unsecured Credentials: Credentials In Files, Video Capture
S0647 Turian [1] Application Layer Protocol: Web Protocols, Archive Collected Data: Archive via Utility, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: Unix Shell, Command and Scripting Interpreter: Python, Data Obfuscation: Junk Data, Data Staged: Local Data Staging, Deobfuscate/Decode Files or Information, File and Directory Discovery, Ingress Tool Transfer, Masquerading: Masquerade Task or Service, Obfuscated Files or Information, Peripheral Device Discovery, Screen Capture, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery

References