
G0135 BackdoorDiplomacy

BackdoorDiplomacy is a cyber espionage threat group that has been active since at least 2017. BackdoorDiplomacy has targeted Ministries of Foreign Affairs and telecommunication companies in Africa, Europe, the Middle East, and Asia. [1]

ID: G0135
Associated Names: (none listed)
Version: 1.0
Created: 21 September 2021
Last Modified: 18 October 2021

Techniques Used

All techniques below are in the enterprise domain. Sub-techniques are listed under their parent technique; a parent with no use description of its own is shown without one.

T1074 Data Staged
T1074.001 Local Data Staging: BackdoorDiplomacy has copied files of interest to the main drive's recycle bin. [1]

T1190 Exploit Public-Facing Application: BackdoorDiplomacy has exploited CVE-2020-5902, an F5 BIG-IP vulnerability, to drop a Linux backdoor. BackdoorDiplomacy has also exploited misconfigured Plesk servers. [1]

T1574 Hijack Execution Flow
T1574.001 DLL Search Order Hijacking: BackdoorDiplomacy has executed DLL search order hijacking. [1]

T1105 Ingress Tool Transfer: BackdoorDiplomacy has downloaded additional files and tools onto a compromised host. [1]

T1036 Masquerading
T1036.004 Masquerade Task or Service: BackdoorDiplomacy has disguised its backdoor droppers with naming conventions designed to blend into normal operations. [1]
T1036.005 Match Legitimate Name or Location: BackdoorDiplomacy has dropped implants in folders named for legitimate software. [1]

T1046 Network Service Discovery: BackdoorDiplomacy has used SMBTouch, a vulnerability scanner, to determine whether a target is vulnerable to the EternalBlue exploit. [1]

T1095 Non-Application Layer Protocol: BackdoorDiplomacy has used EarthWorm for network tunneling, with SOCKS5 server and port-forwarding functionality. [1]

T1027 Obfuscated Files or Information: BackdoorDiplomacy has obfuscated the tools and malware it uses with VMProtect. [1]

T1588 Obtain Capabilities
T1588.001 Malware: BackdoorDiplomacy has obtained and used leaked malware, including DoublePulsar, EternalBlue, EternalRocks, and EternalSynergy, in its operations. [1]
T1588.002 Tool: BackdoorDiplomacy has obtained a variety of open-source reconnaissance and red team tools for discovery and lateral movement. [1]

T1120 Peripheral Device Discovery: BackdoorDiplomacy has used an executable to detect removable media, such as USB flash drives. [1]

T1055 Process Injection
T1055.001 Dynamic-link Library Injection: BackdoorDiplomacy has dropped legitimate software onto a compromised host and used it to execute malicious DLLs. [1]

T1505 Server Software Component
T1505.003 Web Shell: BackdoorDiplomacy has used web shells to establish an initial foothold and for lateral movement within a victim's systems. [1]

T1049 System Network Connections Discovery: BackdoorDiplomacy has used NetCat and PortQry to enumerate network connections and display the status of related TCP and UDP ports. [1]

Software

Each entry lists the software ID, name, reference, and the ATT&CK techniques associated with it (sub-technique: parent technique where applicable).

S0020 China Chopper [1]
Techniques: Web Protocols: Application Layer Protocol; Password Guessing: Brute Force; Windows Command Shell: Command and Scripting Interpreter; Data from Local System; File and Directory Discovery; Timestomp: Indicator Removal; Ingress Tool Transfer; Network Service Discovery; Software Packing: Obfuscated Files or Information; Web Shell: Server Software Component

S0002 Mimikatz [1]
Techniques: SID-History Injection: Access Token Manipulation; Account Manipulation; Security Support Provider: Boot or Logon Autostart Execution; Credentials from Password Stores; Windows Credential Manager: Credentials from Password Stores; Credentials from Web Browsers: Credentials from Password Stores; LSASS Memory: OS Credential Dumping; DCSync: OS Credential Dumping; Security Account Manager: OS Credential Dumping; LSA Secrets: OS Credential Dumping; Rogue Domain Controller; Steal or Forge Authentication Certificates; Silver Ticket: Steal or Forge Kerberos Tickets; Golden Ticket: Steal or Forge Kerberos Tickets; Private Keys: Unsecured Credentials; Pass the Ticket: Use Alternate Authentication Material; Pass the Hash: Use Alternate Authentication Material

S0590 NBTscan [1]
Techniques: Network Service Discovery; Network Sniffing; Remote System Discovery; System Network Configuration Discovery; System Owner/User Discovery

S0262 QuasarRAT [1]
Techniques: Bypass User Account Control: Abuse Elevation Control Mechanism; Registry Run Keys / Startup Folder: Boot or Logon Autostart Execution; Windows Command Shell: Command and Scripting Interpreter; Credentials from Password Stores; Credentials from Web Browsers: Credentials from Password Stores; Data from Local System; Symmetric Cryptography: Encrypted Channel; Hidden Files and Directories: Hide Artifacts; Hidden Window: Hide Artifacts; Ingress Tool Transfer; Keylogging: Input Capture; Modify Registry; Non-Application Layer Protocol; Non-Standard Port; Proxy; Remote Desktop Protocol: Remote Services; Scheduled Task: Scheduled Task/Job; Code Signing: Subvert Trust Controls; System Information Discovery; System Location Discovery; System Network Configuration Discovery; System Owner/User Discovery; Credentials In Files: Unsecured Credentials; Video Capture

S0647 Turian [1]
Techniques: Web Protocols: Application Layer Protocol; Archive via Utility: Archive Collected Data; Registry Run Keys / Startup Folder: Boot or Logon Autostart Execution; Python: Command and Scripting Interpreter; Unix Shell: Command and Scripting Interpreter; Windows Command Shell: Command and Scripting Interpreter; Junk Data: Data Obfuscation; Local Data Staging: Data Staged; Deobfuscate/Decode Files or Information; File and Directory Discovery; Ingress Tool Transfer; Masquerade Task or Service: Masquerading; Obfuscated Files or Information; Peripheral Device Discovery; Screen Capture; System Information Discovery; System Network Configuration Discovery; System Owner/User Discovery

References