ESET researchers discover a new campaign that evolved from the Quarian backdoor

Executive summary

An APT group that we are calling BackdoorDiplomacy, due to the main vertical of its victims, has been targeting Ministries of Foreign Affairs and telecommunication companies in Africa and the Middle East since at least 2017. For initial infection vectors, the group favors exploiting vulnerable internet-exposed devices such as web servers and management interfaces for networking equipment. Once on a system, its operators make use of open-source tools for scanning the environment and lateral movement. Interactive access is achieved in two ways: (1) via a custom backdoor we are calling Turian that is derived from the Quarian backdoor and (2) in fewer instances, when more direct and interactive access is required, certain open-source remote access tools are deployed. In several instances, the group has been observed targeting removable media for data collection and exfiltration. Finally, both Windows and Linux operating systems have been targeted.

Links with known groups

BackdoorDiplomacy shares commonalities with several other Asian groups. Most obvious among them is the connection between the Turian backdoor and the Quarian backdoor. Specific observations regarding the Turian-Quarian connection are recorded below in the Turian section. We believe this group is also linked with a group Kaspersky referred to as “CloudComputating” that was also analyzed by Sophos. Several victims were compromised via mechanisms that closely matched the Rehashed Rat and a MirageFox-APT15 campaign documented by Fortinet in 2017 and Intezer in 2018, respectively.