Introduction
BackdoorDiplomacy is a cyber espionage threat group that has been active since at least 2017. BackdoorDiplomacy has targeted Ministries of Foreign Affairs and telecommunication companies in Africa, Europe, the Middle East, and Asia. [2]
Activities and Tactics
Targeted Sectors: Government, Telecommunications
Country of Origin: 🇨🇳 China
Suspected Victims: Libya, Namibia, Sudan, Albania, Croatia, Georgia, Poland, Iran, Qatar, Saudi Arabia, …
Notable Campaigns
Information pending cataloguing.
Tactics, Techniques, and Procedures (TTPs)
- T1027 Obfuscated Files or Information
- T1505.003 Web Shell
- T1190 Exploit Public-Facing Application
- T1588.002 Tool
- T1036.005 Match Legitimate Resource Name or Location
- T1055.001 Dynamic-link Library Injection
- T1105 Ingress Tool Transfer
- T1074.001 Local Data Staging
- T1046 Network Service Discovery
- T1049 System Network Connections Discovery
- T1120 Peripheral Device Discovery
- T1095 Non-Application Layer Protocol
- T1574.001 DLL
- T1588.001 Malware
- T1036.004 Masquerade Task or Service
Notable Indicators of Compromise (IOCs)
No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.
Malware and Tools
- Backdoor.Oldrea
- Quarian
- Turian
- Follina
MITRE ATT&CK Software
- Turian (S0647) – malware
- China Chopper (S0020) – malware
- Mimikatz (S0002) – tool
- NBTscan (S0590) – tool
- QuasarRAT (S0262) – tool
Attribution and Evidence
Country of Origin: China
Additional attribution information pending cataloguing.
References
[1] MITRE ATT&CK.
[2] Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. ESET. Retrieved September 1, 2021.