BackdoorDiplomacy
BackdoorDiplomacy is a cyber espionage threat group that has been active since at least 2017. BackdoorDiplomacy has targeted Ministries of Foreign Affairs and telecommunication companies in Africa, Europe, the Middle East, and Asia.[1]
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1036 | .004 | 伪装: Masquerade Task or Service |
BackdoorDiplomacy has disguised their backdoor droppers with naming conventions designed to blend into normal operations.[1] |
| .005 | 伪装: Match Legitimate Name or Location |
BackdoorDiplomacy has dropped implants in folders named for legitimate software.[1] |
||
| Enterprise | T1190 | 利用公开应用程序漏洞 |
BackdoorDiplomacy has exploited CVE-2020-5902, an F5 BIP-IP vulnerability, to drop a Linux backdoor. BackdoorDiplomacy has also exploited mis-configured Plesk servers.[1] |
|
| Enterprise | T1574 | .001 | 劫持执行流: DLL Search Order Hijacking |
BackdoorDiplomacy has executed DLL search order hijacking.[1] |
| Enterprise | T1120 | 外围设备发现 |
BackdoorDiplomacy has used an executable to detect removable media, such as USB flash drives.[1] |
|
| Enterprise | T1074 | .001 | 数据分段: Local Data Staging |
BackdoorDiplomacy has copied files of interest to the main drive's recycle bin.[1] |
| Enterprise | T1505 | .003 | 服务器软件组件: Web Shell |
BackdoorDiplomacy has used web shells to establish an initial foothold and for lateral movement within a victim's system.[1] |
| Enterprise | T1027 | 混淆文件或信息 |
BackdoorDiplomacy has obfuscated tools and malware it uses with VMProtect.[1] |
|
| Enterprise | T1049 | 系统网络连接发现 |
BackdoorDiplomacy has used NetCat and PortQry to enumerate network connections and display the status of related TCP and UDP ports.[1] |
|
| Enterprise | T1046 | 网络服务发现 |
BackdoorDiplomacy has used SMBTouch, a vulnerability scanner, to determine whether a target is vulnerable to EternalBlue malware.[1] |
|
| Enterprise | T1588 | .001 | 获取能力: Malware |
BackdoorDiplomacy has obtained and used leaked malware, including DoublePulsar, EternalBlue, EternalRocks, and EternalSynergy, in its operations.[1] |
| .002 | 获取能力: Tool |
BackdoorDiplomacy has obtained a variety of open-source reconnaissance and red team tools for discovery and lateral movement.[1] |
||
| Enterprise | T1105 | 输入工具传输 |
BackdoorDiplomacy has downloaded additional files and tools onto a compromised host.[1] |
|
| Enterprise | T1055 | .001 | 进程注入: Dynamic-link Library Injection |
BackdoorDiplomacy has dropped legitimate software onto a compromised host and used it to execute malicious DLLs.[1] |
| Enterprise | T1095 | 非应用层协议 |
BackdoorDiplomacy has used EarthWorm for network tunneling with a SOCKS5 server and port transfer functionalities.[1] |
|