This archive report was first published on 15 June 2021.
June 15, 2021 - ESET, a leading global IT security software and service provider, has discovered a new malware variant called Turian, deployed by the advanced persistent threat (APT) group BackdoorDiplomacy. The group primarily targets Ministries of Foreign Affairs and telecommunication companies in Africa and the Middle East.
The investigation reveals that BackdoorDiplomacy uses a cross-platform attack approach, targeting both Windows and Linux systems. The attacks start by exploiting vulnerable internet-exposed applications on web servers to install a custom backdoor, dubbed Turian. The group can also detect removable media, such as USB flash drives, and copy their contents to the main drive's recycle bin.
The attacks are designed to collect data and look for removable media. The implant scans for such drives and, upon detection, attempts to copy all files to a password-protected archive. It can steal system information, take screenshots, and write, move, or delete files.
Ken Kimani, ESET Channel Manager East Africa, stated that an advanced persistent threat is an attack by an unauthorized user who gains access to a system or network and remains undetected for an extended period, giving them continued access to sensitive data. He added that the group targets servers with internet-exposed ports and likely exploits poorly enforced file-upload security or unpatched vulnerabilities, leaving missions and organizations exposed to data loss.
BackdoorDiplomacy shares tactics, techniques, and procedures with other Asia-based groups, such as the Gelsemium cyberespionage group and Calypso. The Turian malware represents a next-stage evolution of Quarian, which was last observed in use in 2013 against diplomatic targets in Syria and the United States. Turian's network encryption protocol is nearly identical to that used by Whitebird, another backdoor deployed within diplomatic organizations in Kazakhstan and Kyrgyzstan during the same timeframe as BackdoorDiplomacy's activity (2017-2020).
The victims of BackdoorDiplomacy have been discovered in the Ministries of Foreign Affairs of several African countries, as well as in Europe, the Middle East, and Asia. Additional targets include telecommunications companies in Africa and at least one Middle Eastern charity. In each case, operators employed similar tactics, techniques, and procedures, but modified the tools used, even within close geographic regions, likely to make tracking the group more difficult.