Iranian government agencies hit by advanced backdoor


The BackdoorDiplomacy attackers have resurfaced.

The hacker group BackdoorDiplomacy, first mentioned in 2021, was seen in a new wave of attacks on Iranian government institutions between July and the end of December 2022.

Specialists from Unit 42 of Palo Alto Networks track the group under their own name, "Playful Taurus". They said they observed attempts by Iranian government domains to connect to the malware infrastructure associated with the attackers.

More recently, the hackers have been seen attacking an unnamed telecommunications company in the Middle East. There they used the Quarian malware (the forerunner of Turian), which provides remote access to targeted networks.

Turian “remains under active development and we estimate it is being used exclusively by Playful Taurus hackers,” Unit 42 said in a report, which also ties the connections from Iranian government domains to a command-and-control (C2) server assigned to this group.

“The daily nature of infrastructure connections suggests that these networks are likely to be compromised,” the report said.
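The reasoning in that quote, that a host which reaches the same external address once a day with little variation is more likely beaconing than browsing, can be turned into a simple check over proxy or firewall logs. The script below is an added example for this article, not code from Unit 42 or from the Turian malware; the log lines and the destination addresses (documentation-range IPs standing in for a suspected C2 server) are constructed, and the column format `src=… dst=…` is an assumption about the log source.

```python
from collections import defaultdict
from datetime import datetime, timezone
from statistics import median

# Constructed proxy log lines (not taken from the report). 198.51.100.7 is a
# documentation-range placeholder for a suspected C2 address; 203.0.113.9 is
# ordinary, irregular traffic used as a control.
SAMPLE_LOG = """\
2022-12-01T08:00:12Z src=10.1.2.3 dst=198.51.100.7 bytes=512
2022-12-01T09:14:33Z src=10.1.2.3 dst=203.0.113.9 bytes=20480
2022-12-02T08:00:41Z src=10.1.2.3 dst=198.51.100.7 bytes=498
2022-12-02T14:22:05Z src=10.1.2.3 dst=203.0.113.9 bytes=1024
2022-12-03T07:59:58Z src=10.1.2.3 dst=198.51.100.7 bytes=530
2022-12-04T08:00:20Z src=10.1.2.3 dst=198.51.100.7 bytes=501
2022-12-04T16:45:00Z src=10.1.2.3 dst=203.0.113.9 bytes=300
"""


def parse_line(line):
    """Split one log line into (timestamp, src, dst). Assumes 'key=value' columns."""
    ts_text, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, kv["src"], kv["dst"]


def find_periodic_destinations(log_text, period_seconds=86400,
                               tolerance_seconds=600, min_hits=3):
    """Return {(src, dst): median_gap_seconds} for pairs whose connections
    recur at roughly `period_seconds` (daily by default), every gap being
    within `tolerance_seconds` of that period."""
    by_pair = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = parse_line(line)
        by_pair[(src, dst)].append(ts)

    flagged = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue  # too few observations to call it a pattern
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if all(abs(g - period_seconds) <= tolerance_seconds for g in gaps):
            flagged[pair] = median(gaps)
    return flagged


if __name__ == "__main__":
    for (src, dst), gap in find_periodic_destinations(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: connects every ~{gap / 3600:.1f} h, review this host")
```

Every gap has to sit inside the tolerance window, so a single missed day breaks the chain; on real logs a practitioner would usually relax that to a fraction of regular gaps and pair the result with destination reputation before acting on it.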

New versions of the Turian backdoor contain additional obfuscation as well as an updated decryption algorithm used to extract the C2 server addresses. Otherwise the backdoor remains a general-purpose tool, offering basic functionality for connecting to C2, executing commands, and launching reverse shells.

BackdoorDiplomacy's interest in Iran is said to have geopolitical implications. After all, these attacks are taking place against the backdrop of an agreement signed between China and Iran to develop economic, military and security cooperation.

“Playful Taurus continues to develop its tactics and tools. Recent updates to the Turian backdoor and new C2 infrastructure suggest that the group continues to be successful in its cyber-espionage campaigns,” Unit 42 researchers say.