Iranian Government Entities Under Attack by New Wave of BackdoorDiplomacy Attacks

January 18, 2023 | Ravie Lakshmanan | Cyber Espionage / Cyber Risk


The threat actor known as BackdoorDiplomacy has been linked to a new wave of attacks targeting Iranian government entities between July and late December 2022.

Palo Alto Networks Unit 42, which tracks the activity under the constellation-themed name Playful Taurus, observed a government domain attempting to connect to malware infrastructure previously identified as associated with the adversary.

The Chinese APT group, also known as APT15, Ke3chang, NICKEL, and Vixen Panda, has a history of cyber espionage targeting government and diplomatic organizations in North America, South America, Africa, and the Middle East since at least 2010.

In June 2021, Slovak cybersecurity firm ESET uncovered intrusions staged by the hacking crew against diplomatic entities and telecommunications companies in Africa and the Middle East using a custom implant called Turian.

Then, in December 2021, Microsoft announced it had seized 42 domains operated by the group in attacks targeting 29 countries, in which the actor used exploits against unpatched systems to compromise Internet-facing web applications such as Microsoft Exchange and SharePoint.

The attackers were also recently attributed to an intrusion at an unnamed telecommunications company in the Middle East using Quarian, Turian's predecessor, which provides a remote access point into target networks.

In a report shared with The Hacker News, Unit 42 said it had discovered a new variant of the backdoor used in attacks targeting Iran, adding, "We believe Turian continues to be in active development and is only being used by Playful Taurus actors."

The cybersecurity firm also observed four different Iranian organizations, including the Ministry of Foreign Affairs and the Natural Resources Agency, reaching out to known command-and-control (C2) servers attributed to the group.

“These persistent daily connections to Playful Taurus-controlled infrastructure suggest that these networks may have been compromised,” it said.

The new version of the Turian backdoor features additional obfuscation and an updated decryption algorithm used to extract the C2 server address. The malware itself, however, remains generic, providing basic functionality to update and connect to a C2 server, execute commands, and spawn a reverse shell.

BackdoorDiplomacy's interest in targeting Iran is said to have a geopolitical dimension, as it comes against the backdrop of the 25-year comprehensive cooperation agreement signed between China and Iran to promote economic, military and security cooperation.

“Playful Taurus continues to evolve their tactics and tools,” the researchers said. “Recent upgrades to the Turian backdoor and new C2 infrastructure suggest that these actors continue to be successful in their cyber espionage campaigns.”
