An APT group dubbed BackdoorDiplomacy is targeting diplomats across Africa and the Middle East. Operating since 2017, the cross-platform group has been linked to successful attacks against Ministries of Foreign Affairs in numerous African countries, the Middle East, Europe, and Asia, alongside a smaller subset of telecommunications firms in Africa and at least one charity in the Middle East.
In one case an F5 BIG-IP bug, CVE-2020-5902, was used to deploy a Linux backdoor; in another, BackdoorDiplomacy exploited Microsoft Exchange server bugs to deploy the China Chopper webshell. The group goes after weak, internet-exposed entry points to gain and keep a foothold in the network.
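The initial-access path above is worth hunting for in your own web logs. CVE-2020-5902 is exploited by reaching the BIG-IP TMUI workspace endpoints (fileRead.jsp, tmshCmd.jsp, fileSave.jsp) through the unauthenticated login page with a Tomcat path-parameter traversal (`/tmui/login.jsp/..;/...`), a pattern that was publicly documented when the bug was disclosed. The following is an added example, not code from the article or from ESET's report: a small Python scanner that parses Apache/nginx combined-format access logs, URL-decodes the request path so encoded variants such as `..%3B` are caught, and flags the traversal and any hit on the sensitive endpoints. The log lines embedded in it are constructed for illustration, not taken from any real incident.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined format). Not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Jun/2021:10:01:02 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.7 - - [18/Jun/2021:10:01:09 +0000] "GET /tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd HTTP/1.1" 200 1834 "-" "python-requests/2.25"
10.0.0.7 - - [18/Jun/2021:10:01:15 +0000] "GET /tmui/login.jsp/..%3B/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin HTTP/1.1" 200 912 "-" "python-requests/2.25"
10.0.0.9 - - [18/Jun/2021:10:02:00 +0000] "POST /tmui/locallb/workspace/fileSave.jsp HTTP/1.1" 403 221 "-" "curl/7.68"
10.0.0.9 - - [18/Jun/2021:10:02:30 +0000] "GET /mgmt/tm/sys/version HTTP/1.1" 401 101 "-" "curl/7.68"
"""

# Combined log format: client, ident, user, [timestamp], "METHOD path proto", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# TMUI workspace endpoints abused in CVE-2020-5902 (read files, run tmsh, write files).
SENSITIVE_ENDPOINTS = ("fileRead.jsp", "fileSave.jsp", "tmshCmd.jsp", "directoryList.jsp")


def parse_line(line):
    """Return a dict of the log fields, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def normalize_path(raw_path):
    """Strip the query string and URL-decode twice so single- and double-encoded
    variants of the traversal (..%3B, ..%253B) collapse to the literal form."""
    path = raw_path.split("?", 1)[0]
    for _ in range(2):
        path = unquote(path)
    return path


def classify(entry):
    """Return (reasons, severity) for one parsed request; reasons is empty when benign."""
    path = normalize_path(entry["path"])
    reasons = []
    # Tomcat treats ';...' as a path parameter, so '/..;/' walks out of the
    # unauthenticated login.jsp directory into authenticated TMUI pages.
    if "..;" in path:
        reasons.append("tomcat path-parameter traversal (..;)")
    if path.lower().startswith("/tmui/") and path.endswith(SENSITIVE_ENDPOINTS):
        reasons.append("TMUI workspace endpoint")
    if not reasons:
        return reasons, None
    # A 200 on a traversal request means the server answered past the login page.
    if "..;" in path and entry["status"] == "200":
        severity = "high"
    elif "..;" in path:
        severity = "medium"
    else:
        severity = "low"
    return reasons, severity


def scan_log(text):
    """Scan log text and return a list of findings with ip, path, status, reasons, severity."""
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons, severity = classify(entry)
        if reasons:
            findings.append({
                "ip": entry["ip"],
                "path": entry["path"],
                "status": entry["status"],
                "reasons": reasons,
                "severity": severity,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['ip']} {f['status']} {f['path']} :: {', '.join(f['reasons'])}")
```

On the constructed sample the scanner reports the two traversal requests from 10.0.0.7 as high (both got a 200, so the appliance answered past the login page) and the rejected fileSave.jsp POST as low. Treat this as a hunt heuristic, not a control: attackers can reach the same endpoints with other encodings or from a session obtained elsewhere, and the only real fix is the vendor patch plus keeping the TMUI management interface off the internet.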
Once inside, the threat actors scan the compromised host and surrounding network for lateral movement opportunities, install a custom backdoor, and deploy a range of tools to conduct surveillance and data theft, including taking screenshots and other file-related activities such as searching for and copying documents.
Among the tools used are the network tunnelling software EarthWorm; Mimikatz; Netcat; and tooling derived from the US National Security Agency (NSA) exploits leaked by the Shadow Brokers, such as EternalBlue, DoublePulsar, and the EternalRocks worm built on them.
BackdoorDiplomacy also scans for removable drives and attempts to copy all files from them into a password-protected archive, which is then exfiltrated to the C2 server via the backdoor.
In one instance, the network encryption protocol used by the APT was almost identical to that used by the Calypso group's Whitebird backdoor, which was deployed against diplomatic targets in Kazakhstan and Kyrgyzstan during 2017 – 2020.