A new cyber espionage campaign targeting a telecom company in the Middle East has been attributed to the Chinese advanced persistent threat (APT) group BackdoorDiplomacy. The group is known for its attacks on diplomatic entities and telecom companies in the Middle East and Africa, deploying the Quarian/Turian/Whitebird backdoor. The campaign was discovered in August 2021, and the attackers used a mix of legitimate and bespoke tools to carry out reconnaissance, harvest data, move laterally across the victim’s environment, and evade detection.
The BackdoorDiplomacy APT Group
BackdoorDiplomacy is an APT group that primarily targets diplomatic entities and telecom companies in the Middle East and Africa. The group has been active since at least 2016 and is known for its use of the Quarian/Turian/Whitebird backdoor, as well as other bespoke and open-source tools. The group is believed to be state-sponsored, and its motives are likely related to intelligence gathering and espionage.
BackdoorDiplomacy is also tracked as the Calypso group by Positive Technology, CloudComputating by Kaspersky and BackdoorDiplomacy by Bitdefender and ESET.
BackdoorDiplomacy’s Modus Operandi
The attackers gained initial access to the victim’s environment by exploiting ProxyShell vulnerabilities in the Microsoft Exchange Server. They then used a mix of legitimate and bespoke tools to carry out reconnaissance, harvest data, move laterally across the environment, and evade detection.
The tools used included the NPS proxy tool, IRAFAU backdoor, an updated version of the Quarian backdoor, and Impersoni-fake-ator, which was embedded into legitimate utilities like DebugView and Putty. The attackers also used open-source software such as ToRat and AsyncRAT.
BackdoorDiplomacy’s Malware Arsenal
The first malware component delivered by the attackers was the IRAFAU backdoor, which was used for information discovery and lateral movement. The backdoor facilitated the downloading and uploading of files to and from the command-and-control (C2) server, launching a remote shell, and executing arbitrary files. The second backdoor used in the operation was an updated version of the Quarian backdoor, which gave the attackers broader control over the compromised host.
The attackers also used Impersoni-fake-ator, a tool designed to capture system metadata and execute a decrypted payload received from the C2 server.
Conclusion
The victim of the attack was a telecom company in the Middle East. The attackers likely targeted the company for its strategic importance and the sensitive information it possesses. The APT group BackdoorDiplomacy/Calypso/CloudComputating has been identified as the perpetrator.
The attackers used a variety of tools, including the IRAFAU and Quarian backdoors, to carry out reconnaissance, harvest data, move laterally across the victim’s environment, and evade detection. The attackers’ motives are likely related to intelligence gathering and espionage.
The discovery of this campaign highlights the continuing threat posed by state-sponsored APT groups to organizations in the Middle East and elsewhere, and underscores the importance of implementing robust cybersecurity measures to protect against such threats.
