Chinese advanced persistent threat group BackdoorDiplomacy is believed to have compromised a telecommunications provider in the Middle East in a cyberespionage campaign, ongoing since last August, that exploited Microsoft Exchange Server ProxyShell vulnerabilities, according to The Hacker News.
Bitdefender researchers reported that the attackers leveraged vulnerable binaries to achieve initial compromise, then used a mix of legitimate and customized tools for reconnaissance, data harvesting, lateral movement, and detection evasion.
"File attributes of the malicious tools showed that the first tools deployed by the threat actors were the NPS proxy tool and IRAFAU backdoor. Starting in February 2022, the threat actors used another tool [the] Quarian backdoor, along with many other scanners and proxy/tunneling tools," said researchers.
BackdoorDiplomacy also embedded its Impersoni-fake-ator tool in the Putty and DebugView utilities, using it to capture system metadata and execute decrypted payloads. Quarian was also used to deploy AsyncRAT.