Trellix Insights: BackdoorDiplomacy APT Targeted Windows and Linux with New Backdoor

Technical Articles ID: KB94913
Last Modified: 2022-09-07 09:12:34 Etc/GMT

Environment

IMPORTANT: This Knowledge Base article discusses a specific threat that is being automatically tracked by Trellix Insights technology. The content is intended for use by Trellix Insights users, but is provided for general knowledge to all customers. Contact us for more information about Trellix Insights.

Summary

Description of Campaign
The BackdoorDiplomacy APT group targeted entities in Africa and the Middle East. The actor exploited vulnerable Internet-facing servers to gain an initial foothold. Successful exploitation resulted in the Turian backdoor dropped on either Microsoft Windows or Linux systems. The malware gathered and exfiltrated system information, screenshots, and files from local drives and removable media.

Our Threat Research team gathers and analyzes information from multiple open and closed sources before disseminating intelligence reports. This campaign was researched by ESET and shared publicly.

How to use this article:

If a Threat Hunting table has been created, use the rules contained to search for malware related to this campaign.
Review the product detection table and confirm that your environment is at least on the specified content version.
To download the latest content versions, go to the Security Updates page.
Scroll down and review the "Product Countermeasures" section of this article. Consider implementing them if they are not already in place.
Review KB91836 - Countermeasures for entry vector threats.
Review KB87843 - Dynamic Application Containment rules and best practices.
Review KB82925 - Identify what rule corresponds to an Adaptive Threat Protection and Threat Intelligence Exchange event.

This Knowledge Base article discusses a specific threat that's being tracked. The list of IOCs will change over time; check Trellix Insights for the latest IOCs.

Campaign IOC

Type	Value
SHA256	A8ACDA5DDFC25E09E77BB6DA87BFA157F204D38CF403E890D9608535C29870A0
SHA256	063065BCA918D8D3A1DEDCB6A42757C4DC1A05291FEFC8F88068B3E03162E129
SHA256	22C73BD49D95D78EC71E96D235EBC19BDF39A5C1901855F565A958EF19C2964A
SHA256	EA2A01CAE57C00DF01BFF6BB8A72585FDC0ABB7A26A869DC1A0131BDFF50B400
AS	20473
AS	132839
AS	40065
AS	46573
AS	25820
AS	135377
AS	40676
IP-DST	43.251.105.218
IP-DST	43.251.105.222
IP-DST	162.209.167.154
IP-DST	43.225.126.179
IP-DST	162.209.167.189
IP-DST	43.251.105.139
IP-DST	152.32.180.34
IP-DST	23.228.203.130
DOMAIN	bill.microsoftbuys.com
DOMAIN	dnsupdate.dns2.us
DOMAIN	www.intelupdate.dns1.us
DOMAIN	winupdate.ns02.us
DOMAIN	icta.worldmessg.com
DOMAIN	infoafrica.top
DOMAIN	szsz.pmdskm.top
DOMAIN	pmdskm.top
DOMAIN	www.freedns02.dns2.us
DOMAIN	web.vpnkerio.com
DOMAIN	officeupdates.cleansite.us
DOMAIN	dynsystem.imbbs.in
DOMAIN	officeupdate.ns01.us
DOMAIN	systeminfo.oicp.net
DOMAIN	systeminfo.myftp.name
DOMAIN	systeminfo.cleansite.info
DOMAIN	updateip.onmypc.net
DOMAIN	buffetfactory.oicp.io

Minimum Content Versions

Content Type	Version
V2 DAT (VirusScan Enterprise)	10025
V3 DAT (Endpoint Security)	4477

Detection Summary

IOC	Scanner	Detection
A8ACDA5DDFC25E09E77BB6DA87BFA157F204D38CF403E890D9608535C29870A0	AVEngine V2	LINUX/Agent.w
	AVEngine V3	LINUX/Agent.w
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
063065BCA918D8D3A1DEDCB6A42757C4DC1A05291FEFC8F88068B3E03162E129	AVEngine V2	ASP/Webshell.i
	AVEngine V3	ASP/Webshell.i
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
22C73BD49D95D78EC71E96D235EBC19BDF39A5C1901855F565A958EF19C2964A	AVEngine V2	LINUX/Agent.w
	AVEngine V3	LINUX/Agent.w
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

IOC	Scanner	Detection
EA2A01CAE57C00DF01BFF6BB8A72585FDC0ABB7A26A869DC1A0131BDFF50B400	AVEngine V2	ASP/webshell.au
	AVEngine V3	ASP/webshell.au
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

Aggressive set of Manual Rules to improve protection to block this campaign:

IMPORTANT: Always follow best practices when you enable new rules and signatures.

When you implement new rules or signatures, always set them to Report mode first and check the alerts generated. Resolve any issues that arise and then set the rules to Block. This step mitigates against triggering false positives and allows you to refine your configuration.

For more information, see KB87843 - List of and best practices for Endpoint Security Dynamic Application Containment rules.

VirusScan Enterprise - Access Protection Rules:

Prevent creation of new executable files in the Windows folder

Host Intrusion Prevention:

Rule ID: 6010 Generic Application Hooking Protection
Rule ID: 6011 Generic Application Invocation Protection
Rule ID: 1148 CMD Tool Access by a Network Aware Application

Affected Products

Trellix insights

Knowledge Center

Trellix Insights: BackdoorDiplomacy APT Targeted Windows and Linux with New Backdoor

Environment

Summary

Affected Products

Title

Title

Knowledge Center

Trellix Insights: BackdoorDiplomacy APT Targeted Windows and Linux with New Backdoor

Environment

Summary

Affected Products

Choose your region

Title

Title