BackdoorDiplomacy has been linked to a new wave of attacks on Iranian government organisations that happened between July and late December 2022.
Palo Alto Networks Unit 42, which tracks the activity under the name “Playful Taurus” (a reference to a constellation), said it observed government domains attempting to connect to malware infrastructure already attributed to the adversary.
The Chinese APT group, which goes by the names APT15, KeChang, NICKEL, and Vixen Panda, has been running cyber espionage campaigns against government and diplomatic organisations in North America, South America, Africa, and the Middle East since at least 2010.
In June 2021, the Slovak cybersecurity company ESET detailed how the hacking crew used a custom implant called Turian to break into diplomatic entities and telecommunications companies in Africa and the Middle East.
Then, in December 2021, Microsoft said that it had taken over 42 domains that the group used to attack 29 countries. It also said that the group used exploits on unpatched systems to get into web applications like Microsoft Exchange and SharePoint that were accessible from the internet.
Most recently, the threat actor was linked to an attack on an unnamed telecom company in the Middle East. The attack used Quarian, an older version of Turian that provides a remote point of access into targeted networks.
In a report shared with The Hacker News, Unit 42 said that Turian “remains under active development” and that “we assess that it is used only by Playful Taurus actors.” It also said that it had found new versions of the backdoor used in attacks on Iran.
The cybersecurity company also said that it saw four different Iranian organisations, including the Ministry of Foreign Affairs and the Natural Resources Organization, connect to a known command-and-control (C2) server linked to the group.
“The fact that these connections to infrastructure controlled by Playful Taurus happen every day suggests that these networks have probably been broken,” it said.
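The observation behind that assessment is a routine one for a detection team: internal hosts that keep reaching known command-and-control infrastructure day after day are far more likely compromised than hosts with a single hit, which may be a scanner, a sandbox or an analyst lookup. The following script is an added illustration of that check and is not code from Unit 42 or the report; the log format, the host names and the watchlist entries are all constructed placeholders (no real Playful Taurus indicators appear on the page or in this example).

```python
"""Flag internal hosts that repeatedly contact known C2 infrastructure.

Added illustration, not from the Unit 42 report. The indicator list and the
log lines below are constructed placeholders, not real Playful Taurus IoCs.
"""
from collections import defaultdict
from datetime import datetime

# Constructed watchlist: stand-ins for indicators a threat-intel feed would supply.
C2_WATCHLIST = {
    "203.0.113.77",            # placeholder IP from the TEST-NET-3 range, not a real IoC
    "c2-placeholder.example",  # placeholder domain, not a real IoC
}

# Constructed outbound-connection log: "<ISO timestamp> <src_host> <dst> <dst_port>"
SAMPLE_LOG = """\
2022-11-02T08:14:09Z ws-017 203.0.113.77 443
2022-11-02T09:30:41Z ws-017 93.184.216.34 443
2022-11-03T08:12:55Z ws-017 203.0.113.77 443
2022-11-04T08:15:02Z ws-017 c2-placeholder.example 443
2022-11-04T10:02:17Z fs-002 203.0.113.77 443
2022-11-05T08:13:40Z ws-017 203.0.113.77 443
2022-11-09T12:44:00Z lt-005 93.184.216.34 80
"""


def parse_line(line):
    """Split one log line into (timestamp, src_host, dst, port); None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        port = int(parts[3])
    except ValueError:
        return None
    return ts, parts[1], parts[2], port


def c2_contact_days(log_text, watchlist=C2_WATCHLIST):
    """Map each source host to the set of calendar days on which it hit a watchlisted destination."""
    days = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than aborting the whole scan
        ts, src, dst, _port = rec
        if dst in watchlist:
            days[src].add(ts.date())
    return days


def likely_compromised(log_text, min_days=3, watchlist=C2_WATCHLIST):
    """Hosts contacting C2 infrastructure on at least `min_days` distinct days.

    Recurring contact across days is the pattern the report treats as evidence
    of compromise; a one-off hit is much weaker evidence.
    """
    days = c2_contact_days(log_text, watchlist)
    return sorted(host for host, d in days.items() if len(d) >= min_days)


def single_hits(log_text, watchlist=C2_WATCHLIST):
    """Hosts with only one day of C2 contact: worth triage, but lower confidence."""
    days = c2_contact_days(log_text, watchlist)
    return sorted(host for host, d in days.items() if len(d) == 1)


if __name__ == "__main__":
    print("likely compromised:", likely_compromised(SAMPLE_LOG))
    print("single contacts:", single_hits(SAMPLE_LOG))
```

On the constructed sample, `ws-017` reaches watchlisted destinations on four separate days and is reported as likely compromised, while `fs-002` has a single contact and is only queued for triage. In practice the watchlist would be loaded from a vetted indicator feed and the threshold tuned to the beaconing interval of the implant family being hunted.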
The new versions of the Turian backdoor make the C2 servers easier to find and also use a new decryption algorithm. Otherwise the malware is fairly generic: its feature set is limited to basic capabilities such as updating the C2 server it connects to, running commands, and spawning reverse shells.
BackdoorDiplomacy’s interest in targeting Iran is said to have geopolitical implications because it comes at the same time that China and Iran signed a 25-year agreement to work together on economic, military, and security issues.
Unit 42 researchers said that Playful Taurus continues to evolve its tactics and tooling. “Recent improvements to the Turian backdoor and a new C2 infrastructure suggest that these actors are still having success with their cyber espionage campaigns.”
Info source – The Hacker News