Chinese hackers update Turian backdoor to access Iranian networks

Chinese hacking group Playful Taurus has updated its Turian backdoor and added new command and control nodes to its infrastructure.

Playful Taurus, which also operates under the names BackdoorDiplomacy, APT15, Ke3chang, Vixen Panda and NICKEL, has been active since 2010 and primarily targets government sites and institutions. It has been observed operating in Africa, the Middle East and both Americas.

More recently, researchers at Palo Alto Networks Unit 42 discovered that the group is actively developing Turian and employing the latest versions of the backdoor for several Iranian government networks.

Playful Taurus uses infrastructure tied to an X.509 certificate that was once legitimately associated with the Ministry of Foreign Affairs of Senegal. That certificate expired in April 2021, yet it has continued to appear on IP addresses and infrastructure associated with the group as recently as 2022.

Unit 42 discovered that eight of the nine IP addresses associated with the certificate hosted Playful Taurus domains and that four Iranian government departments were establishing connections to them. Since these connection attempts are regular and occur daily, Unit 42 believes that the following Iranian organizations have been compromised:

  • Iranian government infrastructure
  • Ministry of Foreign Affairs of Iran Infrastructure
  • Iranian Natural Resources Organization

A fourth unnamed Iranian organization is also attempting to establish contact with the Playful Taurus IPs.
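The reasoning above (regular, daily connections from internal hosts to a small set of IPs tied to an expired certificate) is the kind of pattern a defender can check for in their own proxy or flow logs. The following is an added example, not code from the article or from Unit 42: it parses constructed log lines, flags internal hosts that contact watchlisted IPs on several distinct days, and separately lists destinations that still present a watchlisted certificate fingerprint. The IP addresses, fingerprints and log lines are placeholders invented for the example, not the indicators from the report.

```python
from collections import defaultdict
from datetime import datetime

# Constructed watchlist of suspected C2 addresses (RFC 5737 documentation
# ranges, NOT the real infrastructure from the Unit 42 report).
C2_WATCHLIST = {"203.0.113.10", "198.51.100.22"}

# Constructed fingerprint of a certificate known to be expired but still
# served by attacker infrastructure; a placeholder, not a real hash.
EXPIRED_CERT_FINGERPRINTS = {"sha256:PLACEHOLDER-EXPIRED-CERT"}

# Constructed proxy log: "<utc timestamp> <src_host> <dst_ip> <dst_port> <cert_fp>"
SAMPLE_LOG = """\
2022-11-01T08:02:11Z host-a 203.0.113.10 443 sha256:PLACEHOLDER-EXPIRED-CERT
2022-11-02T08:01:58Z host-a 203.0.113.10 443 sha256:PLACEHOLDER-EXPIRED-CERT
2022-11-03T08:03:40Z host-a 203.0.113.10 443 sha256:PLACEHOLDER-EXPIRED-CERT
2022-11-01T14:10:00Z host-b 198.51.100.22 443 sha256:PLACEHOLDER-OTHER-CERT
2022-11-01T09:00:00Z host-c 192.0.2.5 80 -
"""


def parse_log(text):
    """Turn log lines into (timestamp, src_host, dst_ip, dst_port, cert_fp) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dst, port, cert_fp = line.split()
        # fromisoformat does not accept a trailing 'Z' on older Pythons
        stamp = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append((stamp, host, dst, int(port), cert_fp))
    return events


def contact_days(events, watchlist=C2_WATCHLIST):
    """Map each (src_host, dst_ip) pair with a watchlisted dst to the set of
    calendar days on which the pair was seen."""
    days = defaultdict(set)
    for stamp, host, dst, _port, _fp in events:
        if dst in watchlist:
            days[(host, dst)].add(stamp.date())
    return days


def recurring_contacts(events, watchlist=C2_WATCHLIST, min_days=3):
    """Return (src_host, dst_ip) pairs that reached a watchlisted address on at
    least min_days distinct days: the 'regular and daily' pattern that makes
    a compromise, rather than a one-off scan or misclick, the likely explanation."""
    return sorted(
        pair for pair, days in contact_days(events, watchlist).items()
        if len(days) >= min_days
    )


def destinations_with_expired_cert(events, fingerprints=EXPIRED_CERT_FINGERPRINTS):
    """Return the distinct destination IPs that presented a watchlisted
    (known-expired) certificate fingerprint, regardless of how often."""
    return sorted({dst for _s, _h, dst, _p, fp in events if fp in fingerprints})


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("recurring watchlist contacts:", recurring_contacts(evts))
    print("servers presenting expired cert:", destinations_with_expired_cert(evts))
```

With the constructed log, only host-a qualifies as a recurring contact (three separate days), host-b is a single hit worth reviewing but below the threshold, and 203.0.113.10 is the only destination still presenting the expired certificate. The threshold and the watchlist are the knobs to tune against real proxy or NetFlow exports.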

Further investigation turned up more IP addresses linked to other expired certificates, as well as additional C2 nodes operated by Playful Taurus.

One of these domains was www[.]delldrivers[.]in, which in turn yielded a sample of the Turian malware, among others. Analysis of all the samples suggests that each is a new variant of the respective tool.

“Key differences between our samples and previously documented Turian samples indicated that we were likely looking at a newer version, with some additional obfuscation and a modified network protocol,” Unit 42 said in a blog post.

All of this points to a threat actor that is constantly refining its tools and techniques, with Iran in particular as its current target of choice.

“At the same time,” Unit 42 noted, “we also note that Playful Taurus routinely deploys the same tactics and techniques against other governments and diplomatic entities in North and South America, Africa, and the Middle East.”

Turian and its companion malware tool Quarian are named after races from the popular Mass Effect video game series.
