A threat group called BackdoorDiplomacy is allegedly behind a new surge of cyberattacks against Iranian government agencies between July and December last year.
Researchers have tracked its activity under the name Playful Taurus, attributing it to the group because the targeted government domains connect to malware infrastructure previously linked to BackdoorDiplomacy.
Based on reports, the group's intrusions against diplomatic organisations and telecom providers in the Middle East and Africa started in June two years ago. The threat actors used a custom implant called Turian in those campaigns.
Microsoft also announced the seizure of 42 domains the group used in attacks that targeted 29 countries in December 2021. The company said the group exploited unpatched, internet-facing web applications such as SharePoint and Microsoft Exchange to reach its targets.
BackdoorDiplomacy was recently linked to an attack against a telecommunication company in the Middle East.
Recent investigations linked the BackdoorDiplomacy group to an attack against a telecom firm in the Middle East that used a payload called Quarian. The malware allowed its operators to gain remote access to the targeted networks.
Experts said this malware is still under development and is used exclusively by the group. A separate researcher added that new variants of the malware have been used in attacks against Iran.
In addition, the cybersecurity researchers noted that they spotted four different Iranian entities, including the Natural Resources Organization and the Ministry of Foreign Affairs, contacting a command-and-control server linked to the BackdoorDiplomacy group.
These new malware versions add obfuscation techniques and updated decryption routines that the actors use to recover the command-and-control server addresses. Otherwise, the malware remains a generic payload that provides basic functions: updating the C2 server, connecting to it, running commands, and spawning reverse shells.
Some experts believe that the BackdoorDiplomacy group's interest in attacking Iranian entities stems from geopolitical considerations, since Iran recently signed a 25-year comprehensive cooperation agreement with China.