
BackdoorDiplomacy

BackdoorDiplomacy is a cyber espionage threat group that has been active since at least 2017. BackdoorDiplomacy has targeted Ministries of Foreign Affairs and telecommunication companies in Africa, Europe, the Middle East, and Asia.[1]

ID: G0135
Contributors: Zaw Min Htun, @Z3TAE
Version: 1.0
Created: 21 September 2021
Last Modified: 25 April 2025

Techniques Used

Domain | ID | Name | Use

Enterprise | T1074.001 | Data Staged: Local Data Staging

BackdoorDiplomacy has copied files of interest to the main drive's recycle bin.[1]

Enterprise | T1190 | Exploit Public-Facing Application

BackdoorDiplomacy has exploited CVE-2020-5902, an F5 BIG-IP vulnerability, to drop a Linux backdoor. BackdoorDiplomacy has also exploited misconfigured Plesk servers.[1]

Enterprise | T1574.001 | Hijack Execution Flow: DLL

BackdoorDiplomacy has executed DLL search order hijacking.[1]

Enterprise | T1105 | Ingress Tool Transfer

BackdoorDiplomacy has downloaded additional files and tools onto a compromised host.[1]

Enterprise | T1036.004 | Masquerading: Masquerade Task or Service

BackdoorDiplomacy has disguised their backdoor droppers with naming conventions designed to blend into normal operations.[1]

Enterprise | T1036.005 | Masquerading: Match Legitimate Resource Name or Location

BackdoorDiplomacy has dropped implants in folders named for legitimate software.[1]

Enterprise | T1046 | Network Service Discovery

BackdoorDiplomacy has used SMBTouch, a vulnerability scanner, to determine whether a target is vulnerable to EternalBlue malware.[1]

Enterprise | T1095 | Non-Application Layer Protocol

BackdoorDiplomacy has used EarthWorm for network tunneling with a SOCKS5 server and port transfer functionalities.[1]

Enterprise | T1027 | Obfuscated Files or Information

BackdoorDiplomacy has obfuscated tools and malware it uses with VMProtect.[1]

Enterprise | T1588.001 | Obtain Capabilities: Malware

BackdoorDiplomacy has obtained and used leaked malware, including DoublePulsar, EternalBlue, EternalRocks, and EternalSynergy, in its operations.[1]

Enterprise | T1588.002 | Obtain Capabilities: Tool

BackdoorDiplomacy has obtained a variety of open-source reconnaissance and red team tools for discovery and lateral movement.[1]

Enterprise | T1120 | Peripheral Device Discovery

BackdoorDiplomacy has used an executable to detect removable media, such as USB flash drives.[1]

Enterprise | T1055.001 | Process Injection: Dynamic-link Library Injection

BackdoorDiplomacy has dropped legitimate software onto a compromised host and used it to execute malicious DLLs.[1]

Enterprise | T1505.003 | Server Software Component: Web Shell

BackdoorDiplomacy has used web shells to establish an initial foothold and for lateral movement within a victim's system.[1]

Enterprise | T1049 | System Network Connections Discovery

BackdoorDiplomacy has used NetCat and PortQry to enumerate network connections and display the status of related TCP and UDP ports.[1]

Software

ID | Name | References | Techniques
S0020 | China Chopper | [1] | Application Layer Protocol: Web Protocols, Brute Force: Password Guessing, Command and Scripting Interpreter: Windows Command Shell, Data from Local System, File and Directory Discovery, Indicator Removal: Timestomp, Ingress Tool Transfer, Network Service Discovery, Obfuscated Files or Information: Software Packing, Server Software Component: Web Shell
S0002 | Mimikatz | [1] | Access Token Manipulation: SID-History Injection, Account Manipulation, Boot or Logon Autostart Execution: Security Support Provider, Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Windows Credential Manager, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: LSA Secrets, Rogue Domain Controller, Steal or Forge Authentication Certificates, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket
S0590 | NBTscan | [1] | Network Service Discovery, Network Sniffing, Remote System Discovery, System Network Configuration Discovery, System Owner/User Discovery
S0262 | QuasarRAT | [1] | Abuse Elevation Control Mechanism: Bypass User Account Control, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, Data from Local System, Encrypted Channel: Symmetric Cryptography, Hide Artifacts: Hidden Window, Hide Artifacts: Hidden Files and Directories, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Non-Application Layer Protocol, Non-Standard Port, Proxy, Remote Services: Remote Desktop Protocol, Scheduled Task/Job: Scheduled Task, Subvert Trust Controls: Code Signing, System Information Discovery, System Location Discovery, System Network Configuration Discovery, System Owner/User Discovery, Unsecured Credentials: Credentials In Files, Video Capture
S0647 | Turian | [1] | Application Layer Protocol: Web Protocols, Archive Collected Data: Archive via Utility, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Unix Shell, Command and Scripting Interpreter: Python, Command and Scripting Interpreter: Windows Command Shell, Data Obfuscation: Junk Data, Data Staged: Local Data Staging, Deobfuscate/Decode Files or Information, File and Directory Discovery, Ingress Tool Transfer, Masquerading: Masquerade Task or Service, Obfuscated Files or Information, Peripheral Device Discovery, Screen Capture, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery

References
