BackdoorDiplomacy APT Group Targets Middle Eastern Telecoms in Espionage Campaign

APT group BackdoorDiplomacy is targeting Middle East telecoms with a mix of legitimate and bespoke tools to evade detection.

By Gwendal Smith
March 1, 2023
in Articles, Cyber Attacks, Threat Intelligence

A new cyber espionage campaign targeting a telecom company in the Middle East has been attributed to the Chinese advanced persistent threat (APT) group BackdoorDiplomacy. The group is known for its attacks on diplomatic entities and telecom companies in the Middle East and Africa, deploying the Quarian/Turian/Whitebird backdoor. The campaign was discovered in August 2021, and the attackers used a mix of legitimate and bespoke tools to carry out reconnaissance, harvest data, move laterally across the victim’s environment, and evade detection.

The BackdoorDiplomacy APT Group

BackdoorDiplomacy is an APT group that primarily targets diplomatic entities and telecom companies in the Middle East and Africa. The group has been active since at least 2016 and is known for its use of the Quarian/Turian/Whitebird backdoor, as well as other bespoke and open-source tools. The group is believed to be state-sponsored, and its motives are likely related to intelligence gathering and espionage.

BackdoorDiplomacy is also tracked as the Calypso group by Positive Technologies, as CloudComputating by Kaspersky, and as BackdoorDiplomacy by Bitdefender and ESET.

BackdoorDiplomacy’s Modus Operandi

The attackers gained initial access to the victim’s environment by exploiting ProxyShell vulnerabilities in the Microsoft Exchange Server. They then used a mix of legitimate and bespoke tools to carry out reconnaissance, harvest data, move laterally across the environment, and evade detection.

The tools used included the NPS proxy tool, the IRAFAU backdoor, an updated version of the Quarian backdoor, and Impersoni-fake-ator, which was embedded into legitimate utilities such as DebugView and PuTTY. The attackers also used open-source software such as ToRat and AsyncRAT.

BackdoorDiplomacy’s Malware Arsenal

The first malware component delivered by the attackers was the IRAFAU backdoor, which was used for information discovery and lateral movement. The backdoor facilitated the downloading and uploading of files to and from the command-and-control (C2) server, launching a remote shell, and executing arbitrary files. The second backdoor used in the operation was an updated version of the Quarian backdoor, which gave the attackers broader control over the compromised host.

The attackers also used Impersoni-fake-ator, a tool designed to capture system metadata and execute a decrypted payload received from the C2 server.

Conclusion

The victim of the attack was a telecom company in the Middle East. The attackers likely targeted the company for its strategic importance and the sensitive information it possesses. The APT group BackdoorDiplomacy/Calypso/CloudComputating has been identified as the perpetrator.

The attackers used a variety of tools, including the IRAFAU and Quarian backdoors, to carry out reconnaissance, harvest data, move laterally across the victim’s environment, and evade detection. The attackers’ motives are likely related to intelligence gathering and espionage.

The discovery of this campaign highlights the continuing threat posed by state-sponsored APT groups to organizations in the Middle East and elsewhere, and underscores the importance of implementing robust cybersecurity measures to protect against such threats.

Tags: APT, BackdoorDiplomacy, Calypso, CloudComputating, Geopolitics, Impersoni-fake-ator, IRAFAU, Middle East, Quarian, Telco
