Heimdal

Between July and late December 2022, BackdoorDiplomacy has been associated with a new wave of attacks targeting Iranian government entities.

Since at least 2010, the Chinese APT group has conducted cyberespionage campaigns against government and diplomatic entities across North America, South America, Africa, and the Middle East. The same activity cluster is also tracked by other vendors as APT15, KeChang, NICKEL, and Vixen Panda.

As The Hacker News recalls, the Slovak cybersecurity firm ESET documented in June 2021 how the group used a custom implant called Turian against diplomatic entities and telecommunications companies in Africa and the Middle East.

In December 2021, Microsoft seized 42 domains the group had used in attacks against targets in 29 countries. Earlier that year, the U.S., E.U. and NATO had officially blamed China for the widespread Microsoft Exchange Server attack campaign.

Beyond additional obfuscation, the new Turian variants use a new decryption algorithm to recover their C2 server addresses at runtime. The backdoor itself remains generic, offering a basic feature set: updating the C2 server it connects to, executing commands, and spawning reverse shells. For defenders, this means detections keyed on the earlier C2 decoding routine or on hard-coded C2 strings from older samples should not be relied on alone.

BackdoorDiplomacy's interest in Iran may have geopolitical implications, as it runs counter to the 25-year comprehensive cooperation agreement signed between China and Iran to foster economic, military, and security cooperation.

Palo Alto Networks Unit 42 tracks the activity under its constellation-themed name Playful Taurus. The researchers reported observing Iranian government domains attempting to connect to malware infrastructure previously associated with the adversary.
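The observation above, victim hosts reaching out to infrastructure already tied to the adversary, is the kind of signal a SOC can check for itself once a vendor publishes indicators. The script below is an added illustration written for this article; it is not Unit 42's tooling, not Heimdal's code, and contains no real BackdoorDiplomacy indicators. The watchlist entries and the proxy-style log lines are constructed placeholders using reserved example domains and RFC 5737 address ranges. It goes slightly beyond a plain string compare: domain entries also match subdomains (without false-matching look-alike names), and IP entries are CIDR ranges.

```python
"""Match outbound-connection log lines against a watchlist of known-bad infrastructure.

Illustrative example added to this article. Not Unit 42's tooling and not the
page's own code. Watchlist entries and log lines are constructed placeholders
(RFC 2606 example domains, RFC 5737 test networks), not real indicators.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed watchlist. In practice, load this from a vetted threat-intel feed.
WATCHLIST_DOMAINS = {"update.example.net", "cdn-static.example.org"}
WATCHLIST_NETS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.7/32"),
]

# Constructed proxy-style log lines: "<timestamp> <src_ip> <dst_host_or_ip>:<port> <action>"
SAMPLE_LOGS = """\
2022-12-01T10:15:02Z 10.20.1.15 update.example.net:443 ALLOW
2022-12-01T10:15:09Z 10.20.1.15 mail.gov.example:443 ALLOW
2022-12-01T10:16:44Z 10.20.3.8 api.update.example.net:8080 ALLOW
2022-12-01T10:17:01Z 10.20.3.8 203.0.113.45:443 ALLOW
2022-12-01T10:17:30Z 10.20.5.2 198.51.100.8:443 ALLOW
2022-12-01T10:18:12Z 10.20.5.2 notexample.net:80 ALLOW
"""

# Hostname/IPv4 destinations only; bracketed IPv6 literals would need a wider pattern.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>[^:\s]+):(?P<port>\d+)\s+(?P<action>\S+)$"
)


@dataclass(frozen=True)
class Hit:
    ts: str
    src: str
    dst: str
    indicator: str  # the watchlist entry that matched


def _domain_match(host: str) -> Optional[str]:
    """Exact or parent-domain match on label boundaries.

    'api.update.example.net' hits 'update.example.net'; 'notexample.net' does
    not hit anything because matching is per label, not substring.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in WATCHLIST_DOMAINS:
            return candidate
    return None


def _ip_match(dst: str) -> Optional[str]:
    """CIDR containment check; returns None for non-IP destinations."""
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        return None
    for net in WATCHLIST_NETS:
        if addr in net:  # version mismatch (v4 vs v6) simply yields False
            return str(net)
    return None


def scan_logs(text: str) -> List[Hit]:
    """Return one Hit per log line whose destination matches the watchlist."""
    hits: List[Hit] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a production job should count and report these
        dst = m["dst"]
        indicator = _ip_match(dst) or _domain_match(dst)
        if indicator:
            hits.append(Hit(m["ts"], m["src"], dst, indicator))
    return hits


if __name__ == "__main__":
    for h in scan_logs(SAMPLE_LOGS):
        print(f"{h.ts} {h.src} -> {h.dst} matched {h.indicator}")
```

Running it on the constructed sample yields three hits: the exact domain, the subdomain of a listed domain, and the address inside the listed /24; the address one past the /32 entry and the look-alike `notexample.net` are correctly ignored. Matching on label boundaries rather than substrings is what keeps the look-alike from producing a false positive.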

Playful Taurus continues to evolve their tactics and their tooling. Recent upgrades to the Turian backdoor and new C2 infrastructure suggest that these actors continue to see success during their cyberespionage campaigns.



Author Profile

Mihaela Popa

COMMUNICATIONS & PR OFFICER
