Severity
High
Analysis Summary
The APT group has been active since 2017 and exploits targets in Africa, Asia, and the Middle East. The group exploits vulnerable internet-exposed devices such as management interfaces for networking equipment and web servers. The next step is to use open-source tools for scanning the environment and lateral movement.
Interactive access is achieved in two ways:
- In fewer instances, when more direct and interactive access is required, certain open-source remote access tools are deployed.
- Via a custom backdoor called Turian that is derived from the Quarian backdoor.
Both Windows and Linux operating systems have been targeted with this APT.
CloudComputing is another group that is linked to this APT group. BackdoorDiplomacy uses a network encryption method similar to a backdoor called “Backdoor.Whitebird.1.” by Dr.Web. This backdoor is used to target institutions in Kyrgyzstan and Kazakhstan (both neighbors of a BackdoorDiplomacy victim in Uzbekistan).
Impact
- Data Exfiltration
- Theft of Sensitive Information
Indicators of Compromise
IP
- 45[.]77[.]215[.]53
- 152[.]32[.]180[.]34
- 23[.]106[.]140[.]207
- 23[.]228[.]203[.]130
MD5
- e34333634b7208b000027be99612142d
- c93a8da9662e7a33a42f49fe5aca51fe
- cc2736b1572c211d3fae685156a41332
SHA-256
- ea2a01cae57c00df01bff6bb8a72585fdc0abb7a26a869dc1a0131bdff50b400
- 063065bca918d8d3a1dedcb6a42757c4dc1a05291fefc8f88068b3e03162e129
- 22c73bd49d95d78ec71e96d235ebc19bdf39a5c1901855f565a958ef19c2964a
SHA1
- 3C0DB3A5194E1568E8E2164149F30763B7F3043D
- 32EF3F67E06C43C18E34FB56E6E62A6534D1D694
- CDD583BB6333644472733617B6DCEE2681238A11
Remediation
- Block all threat indicators at your respective controls.
- Search for IOCs in your environment.