
BackdoorDiplomacy

BackdoorDiplomacy is a cyber espionage threat group that has been active since at least 2017. BackdoorDiplomacy has targeted Ministries of Foreign Affairs and telecommunication companies in Africa, Europe, the Middle East, and Asia.(Citation: ESET BackdoorDiplomacy Jun 2021)
ID: G0135
Associated Groups: 
Version: 1.0
Created: 21 Sep 2021
Last Modified: 25 Apr 2025

Associated Group Descriptions

Name Description

Techniques Used

Domain ID Name Use
Enterprise T1074 .001 Data Staged: Local Data Staging

BackdoorDiplomacy has copied files of interest to the main drive's recycle bin.(Citation: ESET BackdoorDiplomacy Jun 2021)

Enterprise T1574 .001 Hijack Execution Flow: DLL

BackdoorDiplomacy has executed DLL search order hijacking.(Citation: ESET BackdoorDiplomacy Jun 2021)

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

BackdoorDiplomacy has disguised their backdoor droppers with naming conventions designed to blend into normal operations.(Citation: ESET BackdoorDiplomacy Jun 2021)

Enterprise T1036 .005 Masquerading: Match Legitimate Resource Name or Location

BackdoorDiplomacy has dropped implants in folders named for legitimate software.(Citation: ESET BackdoorDiplomacy Jun 2021)

Enterprise T1588 .001 Obtain Capabilities: Malware

BackdoorDiplomacy has obtained and used leaked malware, including DoublePulsar, EternalBlue, EternalRocks, and EternalSynergy, in its operations.(Citation: ESET BackdoorDiplomacy Jun 2021)

Enterprise T1588 .002 Obtain Capabilities: Tool

BackdoorDiplomacy has obtained a variety of open-source reconnaissance and red team tools for discovery and lateral movement.(Citation: ESET BackdoorDiplomacy Jun 2021)

Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

BackdoorDiplomacy has dropped legitimate software onto a compromised host and used it to execute malicious DLLs.(Citation: ESET BackdoorDiplomacy Jun 2021)

Enterprise T1505 .003 Server Software Component: Web Shell

BackdoorDiplomacy has used web shells to establish an initial foothold and for lateral movement within a victim's system.(Citation: ESET BackdoorDiplomacy Jun 2021)

Software

ID Name References Techniques
S0647 Turian (Citation: ESET BackdoorDiplomacy Jun 2021) Archive via Utility, Screen Capture, System Owner/User Discovery, Local Data Staging, Peripheral Device Discovery, System Information Discovery, Deobfuscate/Decode Files or Information, System Network Configuration Discovery, File and Directory Discovery, Masquerade Task or Service, Registry Run Keys / Startup Folder, Unix Shell, Obfuscated Files or Information, Python, Windows Command Shell, Web Protocols, Ingress Tool Transfer, Junk Data
S0020 China Chopper (Citation: CISA AA21-200A APT40 July 2021) (Citation: Dell TG-3390) (Citation: ESET BackdoorDiplomacy Jun 2021) (Citation: FireEye Periscope March 2018) (Citation: Lee 2013) (Citation: Rapid7 HAFNIUM Mar 2021) Password Guessing, Data from Local System, Timestomp, Web Shell, File and Directory Discovery, Windows Command Shell, Software Packing, Web Protocols, Network Service Discovery, Ingress Tool Transfer
S0002 Mimikatz (Citation: Adsecurity Mimikatz Guide) (Citation: Deply Mimikatz) (Citation: ESET BackdoorDiplomacy Jun 2021) Security Account Manager, LSA Secrets, Credentials from Password Stores, Security Support Provider, Rogue Domain Controller, Credentials from Web Browsers, Private Keys, LSASS Memory, Golden Ticket, Pass the Ticket, Steal or Forge Authentication Certificates, Account Manipulation, SID-History Injection, Silver Ticket, Windows Credential Manager, Pass the Hash, DCSync
S0590 NBTscan (Citation: Debian nbtscan Nov 2019) (Citation: ESET BackdoorDiplomacy Jun 2021) (Citation: FireEye APT39 Jan 2019) (Citation: SecTools nbtscan June 2003) (Citation: Symantec Waterbug Jun 2019) System Owner/User Discovery, Network Sniffing, System Network Configuration Discovery, Remote System Discovery, Network Service Discovery
S0262 QuasarRAT (Citation: ESET BackdoorDiplomacy Jun 2021) (Citation: GitHub QuasarRAT) (Citation: Securelist APT10 March 2021) (Citation: TrendMicro Patchwork Dec 2017) (Citation: Volexity Patchwork June 2018) (Citation: xRAT) Scheduled Task, System Owner/User Discovery, Keylogging, Bypass User Account Control, Symmetric Cryptography, Code Signing, System Information Discovery, Data from Local System, Credentials from Password Stores, Modify Registry, Credentials from Web Browsers, Video Capture, System Network Configuration Discovery, Proxy, Credentials In Files, Registry Run Keys / Startup Folder, Non-Standard Port, Non-Application Layer Protocol, System Location Discovery, Hidden Window, Windows Command Shell, Ingress Tool Transfer, Remote Desktop Protocol, Hidden Files and Directories
