Palo Alto Unit 42 researchers have discovered a new wave of attacks on Linux and Windows servers linked to the Chinese advanced persistent threat group APT15 and its Turian backdoor malware. The cyber espionage group — also known as Playful Taurus, BackdoorDiplomacy, Vixen Panda, KeChang and NICKEL — has been discovered targeting Iranian government organizations. In its Turian backdoor, the group has upgraded its Quarian backdoor with new variants and implemented a new command and control (C2) infrastructure.
The attacks compromise Linux and Windows webservers by deploying a web shell that performs recon and lateral movement, and then launches a dropper that installs the Turian backdoor.
Impact
APT15 has been active since at least 2010 and has historically targeted government and diplomatic entities across North and South America, Africa and the Middle East. Analysis of both the samples and connections to the malicious infrastructure suggests that several Iranian government networks have likely been compromised by the group.
DXC perspective
Turian backdoor targets Linux and Windows web servers with Internet-exposed ports through unpatched vulnerabilities. As part of proper security infrastructure hygiene, we recommend timely software patching and a practice of only opening required ports.
Threat hunting tips
The best defense is monitoring for C2 traffic and lateral movement.
IOCs
Infrastructure
152.32.181[.]16
158.247.222[.]6
vpnkerio[.]com
update.delldrivers[.]in
scm.oracleapps[.]org
update.adboeonline[.]net
mail.indiarailways[.]net
Playful Taurus Certificate SHA-1
cfd9884511f2b5171c00570da837c31094e2ec72
1cf1985aec3dd1f7040d8e9913d9286a52243aca
Turian Sample SHA-256
67c911510e257b341be77bc2a88cedc99ace2af852f7825d9710016619875e80
8549c5bafbfad6c7127f9954d0e954f9550d9730ec2e06d6918c050bf3cb19c3
5bb99755924ccb6882fc0bdedb07a482313daeaaa449272dc291566cd1208ed5
ad22f4731ab228a8b63510a3ab6c1de5760182a7fe9ff98a8e9919b0cf100c58
6828b5ec8111e69a0174ec14a2563df151559c3e9247ef55aeaaf8c11ef88bfa