BackdoorDiplomacy APT Group Actively Targeting Middle East, Asia, And Africa – Active IOCs

Severity

High

Analysis Summary

The APT group has been active since 2017 and exploits targets in Africa, Asia, and the Middle East. The group exploits vulnerable internet-exposed devices such as management interfaces for networking equipment and web servers. The next step is to use open-source tools for scanning the environment and lateral movement.

Interactive access is achieved in two ways:

1. In fewer instances, when more direct and interactive access is required, certain open-source remote access tools are deployed.
2. Via a custom backdoor called Turian that is derived from the Quarian backdoor.

Both Windows and Linux operating systems have been targeted with this APT.

CloudComputing is another group that is linked to this APT group. BackdoorDiplomacy uses a network encryption method similar to a backdoor called “Backdoor.Whitebird.1.” by Dr.Web. This backdoor is used to target institutions in Kyrgyzstan and Kazakhstan (both neighbors of a BackdoorDiplomacy victim in Uzbekistan).

Impact

• Data Exfiltration
• Theft of Sensitive Information

Indicators of Compromise

IP

• 45[.]77[.]215[.]53
• 152[.]32[.]180[.]34
• 23[.]106[.]140[.]207
• 23[.]228[.]203[.]130

MD5

• e34333634b7208b000027be99612142d
• c93a8da9662e7a33a42f49fe5aca51fe
• cc2736b1572c211d3fae685156a41332

SHA-256

• ea2a01cae57c00df01bff6bb8a72585fdc0abb7a26a869dc1a0131bdff50b400
• 063065bca918d8d3a1dedcb6a42757c4dc1a05291fefc8f88068b3e03162e129
• 22c73bd49d95d78ec71e96d235ebc19bdf39a5c1901855f565a958ef19c2964a

SHA1

• 3C0DB3A5194E1568E8E2164149F30763B7F3043D
• 32EF3F67E06C43C18E34FB56E6E62A6534D1D694
• CDD583BB6333644472733617B6DCEE2681238A11

Remediation

• Block all threat indicators at your respective controls.
• Search for IOCs in your environment.