BackdoorDiplomacy Hacker Group Works with the Quarian and Turian Backdoors
BackdoorDiplomacy is a cybercrime group that has been utilizing a series of backdoors to infect Windows and Linux systems. The first backdoor Trojan they unleashed on the Internet is called Quarian, which was later updated and reworked to create the Turian Backdoor, the most recent threat abused by the BackdoorDiplomacy criminals. In their current campaign, the Turian backdoor was employed in attacks against diplomatic targets in Africa and the Middle East. While their attacks attracted a lot of attention recently, experts believe that the group's campaigns may date back to at least 2017.
Surprisingly, the criminals do not rely on spear-phishing emails to be their primary infection vector. Instead, they aim to exploit unpatched vulnerabilities and weaknesses in devices connected to the Internet. Once a system is compromised successfully, the attackers usually choose between these two approaches:
- They deploy the Turian or Quarian backdoor.
- They skip the backdoor and, instead, install public remote access applications.
One of the surprising properties of BackdoorDiplomacy's campaigns is that they target not just Windows but Linux devices as well. The publicly available tools and vulnerabilities they abuse are Mimikatz, EarthWorm, NetCat, and the collection of NSA exploits – DoublePulsar, EternalBlue, and EternalRocks.
The primary purpose of BackdoorDiplomacy's attacks seems to be data collection – apart from trying to fetch files and screenshots of the compromised device, their backdoor Trojans also attempt to collect data from removable storage devices.
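Two of the behaviours described above are observable in endpoint telemetry: the launch of public dual-use tools such as Mimikatz, EarthWorm or NetCat, and a single process reading many files from a removable drive in a short burst. The following is an added example of a small hunting script over constructed log lines; it is not code from the article or from any vendor product. The JSON field names (`event`, `image`, `path`, `drive`, `removable`), the `DriveMount` event, the tool image names and the thresholds are all assumptions made for the example, not a real Sysmon or EDR schema.

```python
"""Hunt for two behaviours attributed to BackdoorDiplomacy's backdoors:
bulk reads from removable storage and the launch of public dual-use tools.
All telemetry below is constructed for this example; the field names are
assumptions and do not follow any real Sysmon/EDR schema."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Image names of the public tools named in the article (assumption: these file
# names; intruders commonly rename binaries, so treat this as a weak signal).
DUAL_USE_TOOLS = {"mimikatz.exe", "ew.exe", "earthworm.exe",
                  "nc.exe", "ncat.exe", "netcat.exe"}

# Constructed sample telemetry (NOT real logs), one JSON object per line.
SAMPLE_LOG = r"""
{"ts":"2024-01-01T10:00:00","host":"ws1","event":"DriveMount","drive":"E:","removable":true}
{"ts":"2024-01-01T10:00:00","host":"ws1","event":"DriveMount","drive":"D:","removable":false}
{"ts":"2024-01-01T10:00:03","host":"ws1","event":"ProcessCreate","pid":4100,"image":"C:\\Windows\\notepad.exe","parent":"explorer.exe"}
{"ts":"2024-01-01T10:00:05","host":"ws1","event":"FileRead","pid":1200,"image":"C:\\Windows\\explorer.exe","path":"E:\\docs\\a.docx"}
{"ts":"2024-01-01T10:00:06","host":"ws1","event":"FileRead","pid":1200,"image":"C:\\Windows\\explorer.exe","path":"E:\\docs\\b.docx"}
{"ts":"2024-01-01T10:00:10","host":"ws1","event":"FileRead","pid":3344,"image":"C:\\Users\\Public\\update.exe","path":"E:\\docs\\a.docx"}
{"ts":"2024-01-01T10:00:11","host":"ws1","event":"FileRead","pid":3344,"image":"C:\\Users\\Public\\update.exe","path":"E:\\docs\\b.docx"}
{"ts":"2024-01-01T10:00:12","host":"ws1","event":"FileRead","pid":3344,"image":"C:\\Users\\Public\\update.exe","path":"E:\\docs\\c.docx"}
{"ts":"2024-01-01T10:00:13","host":"ws1","event":"FileRead","pid":3344,"image":"C:\\Users\\Public\\update.exe","path":"E:\\docs\\d.xlsx"}
{"ts":"2024-01-01T10:00:14","host":"ws1","event":"FileRead","pid":3344,"image":"C:\\Users\\Public\\update.exe","path":"E:\\docs\\e.pdf"}
{"ts":"2024-01-01T10:00:15","host":"ws1","event":"FileRead","pid":3344,"image":"C:\\Users\\Public\\update.exe","path":"E:\\docs\\f.pdf"}
{"ts":"2024-01-01T10:00:16","host":"ws1","event":"FileRead","pid":3344,"image":"C:\\Users\\Public\\update.exe","path":"D:\\backup\\x.zip"}
{"ts":"2024-01-01T10:02:00","host":"ws1","event":"ProcessCreate","pid":3500,"image":"C:\\Windows\\Temp\\ew.exe","parent":"cmd.exe"}
"""


def parse_events(text):
    """Parse JSON lines into dicts with a datetime timestamp; skips blank lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def removable_drives(events):
    """Drive letters reported as removable by the (constructed) DriveMount event."""
    return {e["drive"].upper() for e in events
            if e["event"] == "DriveMount" and e.get("removable")}


def detect_removable_collection(events, min_files=5, window=timedelta(minutes=5)):
    """Flag a process that reads >= min_files distinct files from a removable
    drive inside a sliding time window. Reads from fixed drives are ignored."""
    drives = removable_drives(events)
    reads = defaultdict(list)  # (host, pid, image) -> [(ts, path), ...]
    for e in events:
        if e["event"] == "FileRead" and e["path"][:2].upper() in drives:
            reads[(e["host"], e["pid"], e["image"])].append((e["ts"], e["path"]))
    alerts = []
    for (host, pid, image), items in reads.items():
        items.sort()
        best, start = 0, 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:  # shrink window
                start += 1
            best = max(best, len({p for _, p in items[start:end + 1]}))
        if best >= min_files:
            alerts.append({"rule": "removable_bulk_read", "host": host,
                           "pid": pid, "image": image, "files": best})
    return alerts


def detect_dual_use_tools(events):
    """Flag process creations whose image basename matches a known tool name."""
    alerts = []
    for e in events:
        if e["event"] != "ProcessCreate":
            continue
        if e["image"].rsplit("\\", 1)[-1].lower() in DUAL_USE_TOOLS:
            alerts.append({"rule": "dual_use_tool", "host": e["host"],
                           "pid": e["pid"], "image": e["image"],
                           "parent": e.get("parent")})
    return alerts


def run_detections(text=SAMPLE_LOG):
    """Run both rules over the log text and return the combined alert list."""
    events = parse_events(text)
    return detect_removable_collection(events) + detect_dual_use_tools(events)


if __name__ == "__main__":
    for alert in run_detections():
        print(alert)
```

On the constructed sample the script raises two alerts: `update.exe` reading six distinct files from the removable `E:` drive within seconds (the two `explorer.exe` reads and the read from the fixed `D:` drive stay below threshold), and the launch of `ew.exe`. The name-based rule is deliberately the weaker of the two; the bulk-read rule keys on behaviour rather than on a file name, which is why it survives a renamed binary.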
BackdoorDiplomacy is one of the newly identified groups to target entities in Africa and the Middle East. While their implants and attack techniques overlap with those of other Advanced Persistent Threat (APT) groups, it is too early to say for sure whether they are a sub-group of one of the big names in the cybercrime field.