ESET, a global industry-leading IT security software and service provider has uncovered a new malware variant called Turian that is being spread by the Advanced Persistent Threat Group BackdoorDiplomacy that primarily targets Ministries of Foreign Affairs and telecommunication companies in Africa and the Middle East.
The investigation and findings reveal that the BackdoorDiplomacy group is executing a cross-platform attack approach that targets both Windows and Linux systems. The attacks usually start by exploiting vulnerable internet-exposed applications on webservers in order to install a custom backdoor that ESET has christened Turian. Furthermore, the group can detect removable media, most likely USB flash drives, and copy their contents to the main drive’s recycle bin.
The attacks targeted data collection executables and are designed to look for removable media (most likely USB flash drives). The implant routinely scans for such drives and, upon detecting insertion of removable media, attempts to copy all the files on them to a password-protected archive. It is capable of stealing the system information, taking screenshots, and writing, moving, or deleting files.
Speaking on the sidelines of the ESET World Conference where the investigation report was tabled, Ken Kimani ESET Channel Manager East Africa said that the “by definition, an advanced persistent threat is an attack by an unauthorized user who gains access to a system or network and remains there for an extended period of time without being detected giving them have continued access to sensitive data that they seek to steal“. He added that the “the group is targeting servers with internet-exposed ports and likely exploiting poorly enforced file-upload security or unpatched vulnerabilities which leave missions and organizations exposed leading to loss of sensitive data”.
The BackdoorDiplomacy Group shares tactics, techniques, and procedures with other Asia-based groups such as the Gelsemium Cyberespionage Group and Calypso who are all Asia-based groups. The Turian malware represents a next stage evolution of Quarian which was the backdoor attack last observed in use in 2013 against diplomatic targets in Syria and the United States. The Turian’s network encryption protocol is nearly identical to the network encryption protocol used by Whitebird another backdoor attack deployed within diplomatic organizations in Kazakhstan and Kyrgyzstan during the same timeframe as BackdoorDiplomacy (2017-2020).
The victims of BackdoorDiplomacy have been discovered in the Ministries of Foreign Affairs of several African countries, as well as in Europe, the Middle East, and Asia. Additional targets include telecommunications companies in Africa, and at least one Middle Eastern charity. In each case, operators employed similar tactics, techniques, and procedures (TTPs), but modified the tools used, even within close geographic regions, likely to make tracking the group more difficult.
For more technical details about BackdoorDiplomacy, read the blogpost “BackdoorDiplomacy: Upgrading from Quarian to Turian” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.