
BackdoorDiplomacy

BackdoorDiplomacy is a cyber espionage threat group that has been active since at least 2017. BackdoorDiplomacy has targeted Ministries of Foreign Affairs and telecommunication companies in Africa, Europe, the Middle East, and Asia.(Citation: ESET BackdoorDiplomacy Jun 2021)
ID: G0135
Associated Groups: 
Version: 1.0
Created: 21 Sep 2021
Last Modified: 18 Oct 2021

Associated Group Descriptions

Name Description

Techniques Used

Domain ID Name Use
Enterprise T1074 .001 Data Staged: Local Data Staging

BackdoorDiplomacy has copied files of interest to the main drive's recycle bin.(Citation: ESET BackdoorDiplomacy Jun 2021)
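Staging in the Recycle Bin works because defenders rarely look there and the shell's own naming makes the folder look busy. The triage script below is an added example for T1074.001, not code from the ATT&CK page or from ESET's report. It assumes the on-disk layout Windows has used since Vista: `C:\$Recycle.Bin\<user SID>\` holds pairs of `$I<tag>.<ext>` (metadata: original path and deletion time) and `$R<tag>.<ext>` (the content), plus a `desktop.ini`. A shell delete always writes both halves, so any other file name in a per-user folder, or an `$R` file with no `$I` partner, was placed there by something other than the shell. The sample tree it builds is constructed, not real data.

```python
"""Triage a Windows Recycle Bin for files that were copied in rather than deleted.

Added example for T1074.001; not code from the ATT&CK page or ESET's report.
Assumes the $I/$R pair layout used since Vista (see lead-in).
"""
import re
import tempfile
from pathlib import Path

# $I/$R names: 6-character tag, original extension kept; NTFS is case-insensitive.
PAIR_RE = re.compile(r"^\$([IR])([A-Z0-9]{6})(\.[^.]+)?$", re.IGNORECASE)
# Per-user Recycle Bin folders are named after the account SID.
SID_RE = re.compile(r"^S-1-5-21(-\d+){3,4}$")
# The only non-$I/$R file the shell itself keeps in a per-user folder.
SHELL_OWNED = {"desktop.ini"}


def find_staged_files(recycle_root: Path) -> list[Path]:
    """Return entries under <recycle_root>/<SID>/ that a normal delete would not create."""
    findings: list[Path] = []
    for sid_dir in recycle_root.iterdir():
        if not sid_dir.is_dir() or not SID_RE.match(sid_dir.name):
            continue
        pairs: dict[tuple[str, str], dict[str, Path]] = {}
        for entry in sid_dir.iterdir():
            if entry.name.lower() in SHELL_OWNED:
                continue
            m = PAIR_RE.match(entry.name)
            if not m:
                # A name the shell never generates: copied in under its own name.
                findings.append(entry)
                continue
            kind, tag, ext = m.group(1).upper(), m.group(2).upper(), (m.group(3) or "").lower()
            pairs.setdefault((tag, ext), {})[kind] = entry
        for halves in pairs.values():
            # Content ($R) with no metadata ($I): not produced by a shell delete.
            if "R" in halves and "I" not in halves:
                findings.append(halves["R"])
    return sorted(findings)


def build_fixture() -> Path:
    """Constructed sample tree standing in for C:\\$Recycle.Bin (not real data)."""
    root = Path(tempfile.mkdtemp(prefix="recycle_"))
    user = root / "S-1-5-21-1004336348-1177238915-682003330-1001"  # hypothetical SID
    user.mkdir()
    (user / "desktop.ini").write_text("[.ShellClassInfo]\n")
    # A genuine delete: metadata + content pair.
    (user / "$I6K2P0Q.docx").write_bytes(b"\x02" + b"\x00" * 23)
    (user / "$R6K2P0Q.docx").write_bytes(b"deleted memo")
    # Copied in under its own name: typical staging before exfiltration.
    (user / "contracts.zip").write_bytes(b"PK\x03\x04")
    # Content half only, no $I record: dropped with a shell-looking name.
    (user / "$RXYZ789.xlsx").write_bytes(b"spreadsheet")
    # System-wide folder (not a per-user SID) is skipped.
    (root / "S-1-5-18").mkdir()
    return root


if __name__ == "__main__":
    for path in find_staged_files(build_fixture()):
        print("staged:", path)
```

Run it against a mounted image or a live `C:\$Recycle.Bin` and pair any hit with the file's creation time and the owning SID; a cluster of archives written in one burst with no `$I` records is the pattern to chase. A directory that was deleted shows up as an `$R` directory with a matching `$I` file, so the pairing logic handles that case too.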

Enterprise T1574 .001 Hijack Execution Flow: DLL Search Order Hijacking

BackdoorDiplomacy has executed DLL search order hijacking.(Citation: ESET BackdoorDiplomacy Jun 2021)

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

BackdoorDiplomacy has disguised their backdoor droppers with naming conventions designed to blend into normal operations.(Citation: ESET BackdoorDiplomacy Jun 2021)

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

BackdoorDiplomacy has dropped implants in folders named for legitimate software.(Citation: ESET BackdoorDiplomacy Jun 2021)

Enterprise T1588 .001 Obtain Capabilities: Malware

BackdoorDiplomacy has obtained and used leaked malware, including DoublePulsar, EternalBlue, EternalRocks, and EternalSynergy, in its operations.(Citation: ESET BackdoorDiplomacy Jun 2021)

Enterprise T1588 .002 Obtain Capabilities: Tool

BackdoorDiplomacy has obtained a variety of open-source reconnaissance and red team tools for discovery and lateral movement.(Citation: ESET BackdoorDiplomacy Jun 2021)

Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

BackdoorDiplomacy has dropped legitimate software onto a compromised host and used it to execute malicious DLLs.(Citation: ESET BackdoorDiplomacy Jun 2021)
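The search-order hijack above (T1574.001) and the "legitimate software executing malicious DLLs" entry here (T1055.001) are the same on-disk pattern from a defender's view: a DLL with a System32 name sitting next to a trusted EXE. The check below is an added example, not code from the ATT&CK page or from ESET's report. It relies on documented loader behaviour: for a DLL that is not on the KnownDLLs list, the application directory is searched before System32, so an attacker-controlled copy beside a signed EXE is what gets loaded. The directory names, file names and the watch list are hypothetical; the fixture is constructed.

```python
"""Find DLLs beside an executable that shadow a System32 DLL of the same name.

Added example for T1574.001 / T1055.001; not code from the ATT&CK page or
ESET's report. Hashes the local copy against the System32 copy and reports
mismatches, skipping names the loader always resolves from System32.
"""
import hashlib
import tempfile
from pathlib import Path

# Genuine KnownDLLs entries: always loaded from System32, so a copy beside the
# EXE is never used and would only add noise.
KNOWN_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll", "gdi32.dll",
              "advapi32.dll", "ole32.dll", "shell32.dll", "ws2_32.dll"}
# Hypothetical watch list: names often abused for side-loading because many
# signed executables import them and they are not KnownDLLs.
COMMON_SIDELOAD_NAMES = {"version.dll", "dwmapi.dll", "wtsapi32.dll",
                         "cryptsp.dll", "dbghelp.dll", "winhttp.dll"}


def sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def find_shadowing_dlls(app_dir: Path, system_dir: Path) -> list[dict]:
    """Report DLLs in app_dir whose name exists in system_dir but whose bytes differ."""
    if not any(p.suffix.lower() == ".exe" for p in app_dir.iterdir()):
        return []  # nothing in this directory would load a DLL from it
    findings = []
    for dll in app_dir.iterdir():
        name = dll.name.lower()
        if not name.endswith(".dll") or name in KNOWN_DLLS:
            continue
        system_copy = system_dir / name
        if not system_copy.is_file():
            continue  # app-private DLL; missing-DLL (phantom) hijacks need a different check
        local_hash, system_hash = sha256(dll), sha256(system_copy)
        if local_hash == system_hash:
            continue  # redundant but identical copy; not a hijack
        findings.append({
            "path": str(dll),
            "sha256": local_hash,
            "shadows": str(system_copy),
            "common_sideload_name": name in COMMON_SIDELOAD_NAMES,
        })
    return findings


def build_fixture() -> tuple[Path, Path]:
    """Constructed directories standing in for an app folder and C:\\Windows\\System32."""
    root = Path(tempfile.mkdtemp(prefix="dll_"))
    system32, app = root / "System32", root / "VendorUpdater"  # hypothetical names
    system32.mkdir()
    app.mkdir()
    for name in ("version.dll", "dbghelp.dll", "kernel32.dll"):
        (system32 / name).write_bytes(b"MZ legit " + name.encode())
    (app / "VendorUpdate.exe").write_bytes(b"MZ signed vendor binary")
    # Attacker-supplied copy: same name as the System32 DLL, different bytes.
    (app / "version.dll").write_bytes(b"MZ malicious loader")
    # Exact copy of the system DLL: noisy but not a hijack.
    (app / "dbghelp.dll").write_bytes(b"MZ legit dbghelp.dll")
    # KnownDLL shadow: never loaded from here, so ignored.
    (app / "kernel32.dll").write_bytes(b"MZ whatever")
    # Vendor-private DLL with no System32 counterpart: out of scope for this check.
    (app / "vendorcore.dll").write_bytes(b"MZ vendor")
    return app, system32


if __name__ == "__main__":
    for hit in find_shadowing_dlls(*build_fixture()):
        print(hit)
```

A hash mismatch is a lead, not a verdict: vendors legitimately ship private copies of some DLLs, so follow each hit with an Authenticode check and a look at who imports it. Combine this with the masquerading entries above by sweeping folders under Program Files whose names do not match the signer of the EXE inside them.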

Enterprise T1505 .003 Server Software Component: Web Shell

BackdoorDiplomacy has used web shells to establish an initial foothold and for lateral movement within a victim's system.(Citation: ESET BackdoorDiplomacy Jun 2021)
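Web-shell traffic has a shape that is easy to separate from a browsing session, and the group's use of China Chopper (listed under Software below) is a good case for it: an interactive user loads pages with GET, sends a Referer and touches many URIs, while a one-line shell is driven by a client that POSTs repeatedly to a single script with no Referer and no surrounding page loads. The detector below is an added example for T1505.003, not code from the ATT&CK page or from ESET's report. It parses IIS W3C logs by their `#Fields:` header; the log lines are constructed, not real traffic, and the threshold is an assumption to tune.

```python
"""Flag web-shell-style access in IIS W3C logs: POST-only clients hammering one script.

Added example for T1505.003; not code from the ATT&CK page or ESET's report.
The sample log is constructed. IIS writes "-" for an empty field.
"""
from collections import defaultdict

SCRIPT_EXTS = (".aspx", ".asp", ".php", ".jsp", ".ashx")

# Constructed sample: one normal user, one shell operator, one static-file hit.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status time-taken
2021-05-10 08:01:12 10.0.0.5 GET /index.aspx - 443 - 198.51.100.23 Mozilla/5.0 - 200 31
2021-05-10 08:01:15 10.0.0.5 GET /news.aspx id=7 443 - 198.51.100.23 Mozilla/5.0 https://portal.example/index.aspx 200 40
2021-05-10 08:01:40 10.0.0.5 POST /login.aspx - 443 - 198.51.100.23 Mozilla/5.0 https://portal.example/index.aspx 302 55
2021-05-10 08:02:01 10.0.0.5 POST /images/upload.aspx - 443 - 203.0.113.7 Mozilla/4.0 - 200 12
2021-05-10 08:02:03 10.0.0.5 POST /images/upload.aspx - 443 - 203.0.113.7 Mozilla/4.0 - 200 9
2021-05-10 08:02:09 10.0.0.5 POST /images/upload.aspx - 443 - 203.0.113.7 Mozilla/4.0 - 200 14
2021-05-10 08:02:30 10.0.0.5 POST /images/upload.aspx - 443 - 203.0.113.7 Mozilla/4.0 - 200 210
2021-05-10 08:03:00 10.0.0.5 GET /images/logo.png - 443 - 192.0.2.44 Mozilla/5.0 https://portal.example/index.aspx 200 5
"""


def parse_w3c(text: str):
    """Yield one dict per record, keyed by the names in the #Fields: directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue  # malformed or pre-header line; skip rather than misalign columns
        yield dict(zip(fields, parts))


def find_webshell_clients(text: str, min_posts: int = 3) -> list[tuple[str, str, int]]:
    """Return (client, uri, post_count) for clients that only POST to one script without a Referer."""
    posts = defaultdict(int)  # (client, uri) -> referer-less POSTs to a script
    gets = defaultdict(int)   # client -> GET count (any browsing at all)
    for rec in parse_w3c(text):
        client = rec["c-ip"]
        method = rec["cs-method"].upper()
        uri = rec["cs-uri-stem"].lower()
        if method == "GET":
            gets[client] += 1
        elif method == "POST" and uri.endswith(SCRIPT_EXTS) and rec["cs(Referer)"] == "-":
            posts[(client, uri)] += 1
    return sorted((c, u, n) for (c, u), n in posts.items()
                  if n >= min_posts and gets[c] == 0)


if __name__ == "__main__":
    for client, uri, count in find_webshell_clients(SAMPLE_LOG):
        print(f"{client} -> {uri}: {count} referer-less POSTs, no GETs")
```

The script path itself is the second pivot: `/images/upload.aspx` is an executable file under a static-content directory, so cross-check each hit against the web root for script files whose creation time is newer than the last deployment. API clients and monitoring probes also POST without a Referer, so allow-list those sources rather than lowering `min_posts`.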

Software

ID Name References Techniques

S0647 Turian
References: (Citation: ESET BackdoorDiplomacy Jun 2021)
Techniques: Unix Shell, File and Directory Discovery, Obfuscated Files or Information, Screen Capture, System Owner/User Discovery, Registry Run Keys / Startup Folder, Archive via Utility, Deobfuscate/Decode Files or Information, System Network Configuration Discovery, Python, Local Data Staging, Junk Data, Web Protocols, Ingress Tool Transfer, Windows Command Shell, System Information Discovery, Masquerade Task or Service, Peripheral Device Discovery

S0020 China Chopper
References: (Citation: CISA AA21-200A APT40 July 2021) (Citation: Dell TG-3390) (Citation: ESET BackdoorDiplomacy Jun 2021) (Citation: FireEye Periscope March 2018) (Citation: Lee 2013)
Techniques: Password Guessing, Data from Local System, Software Packing, Windows Command Shell, Web Protocols, Ingress Tool Transfer, Network Service Discovery, Timestomp, Web Shell, File and Directory Discovery

S0002 Mimikatz
References: (Citation: Adsecurity Mimikatz Guide) (Citation: Deply Mimikatz) (Citation: ESET BackdoorDiplomacy Jun 2021)
Techniques: DCSync, Credentials from Password Stores, Rogue Domain Controller, Private Keys, SID-History Injection, Security Support Provider, Pass the Hash, Account Manipulation, Pass the Ticket, Credentials from Web Browsers, Golden Ticket, Security Account Manager, LSASS Memory, Silver Ticket, Windows Credential Manager, Steal or Forge Authentication Certificates, LSA Secrets

S0590 NBTscan
References: (Citation: Debian nbtscan Nov 2019) (Citation: ESET BackdoorDiplomacy Jun 2021) (Citation: FireEye APT39 Jan 2019) (Citation: SecTools nbtscan June 2003) (Citation: Symantec Waterbug Jun 2019)
Techniques: System Owner/User Discovery, System Network Configuration Discovery, Network Sniffing, Network Service Discovery, Remote System Discovery

S0262 QuasarRAT
References: (Citation: ESET BackdoorDiplomacy Jun 2021) (Citation: GitHub QuasarRAT) (Citation: Securelist APT10 March 2021) (Citation: TrendMicro Patchwork Dec 2017) (Citation: Volexity Patchwork June 2018) (Citation: xRAT)
Techniques: Remote Desktop Protocol, Keylogging, Symmetric Cryptography, Credentials from Web Browsers, Registry Run Keys / Startup Folder, Hidden Window, System Information Discovery, Ingress Tool Transfer, System Location Discovery, Modify Registry, Hidden Files and Directories, System Owner/User Discovery, Bypass User Account Control, Data from Local System, Non-Application Layer Protocol, System Network Configuration Discovery, Credentials from Password Stores, Credentials In Files, Windows Command Shell, Proxy, Non-Standard Port, Code Signing, Scheduled Task, Video Capture