BackdoorDiplomacy: Upgrading from Quarian to Turian | WeLiveSecurity
Tags
cmtmf-attack-pattern: Exploit Public-Facing Application
country: China; Kazakhstan; Kyrgyzstan; Uzbekistan; Syria; United States Of America
maec-delivery-vectors: Watering Hole
attack-pattern: Data Direct; Bypass User Account Control - T1548.002; Credentials - T1589.001; Data From Local System - T1533; Dll Search Order Hijacking - T1574.001; Domains - T1583.001; Domains - T1584.001; Exploit Public-Facing Application - T1377; Exploitation For Client Execution - T1658; Exploits - T1587.004; Exploits - T1588.005; File And Directory Discovery - T1420; Ip Addresses - T1590.005; Malware - T1587.001; Malware - T1588.001; Powershell - T1059.001; Python - T1059.006; Registry Run Keys / Startup Folder - T1547.001; Screen Capture - T1513; Server - T1583.004; Server - T1584.004; Software - T1592.002; Symmetric Cryptography - T1521.001; Symmetric Cryptography - T1573.001; Windows Command Shell - T1059.003; Web Protocols - T1071.001; Web Protocols - T1437.001; Use Alternate Authentication Material - T1550; Tool - T1588.002; Vulnerabilities - T1588.006; Bypass User Account Control - T1088; Connection Proxy - T1090; Data From Local System - T1005; Deobfuscate/Decode Files Or Information - T1140; Dll Search Order Hijacking - T1038; Exploit Public-Facing Application - T1190; Exploitation For Client Execution - T1203; File And Directory Discovery - T1083; Standard Non-Application Layer Protocol - T1095; Powershell - T1086; Registry Run Keys / Start Folder - T1060; Remote Access Tools - T1219; Screen Capture - T1113; Exploit Public-Facing Application; Screen Capture
Common Information
Type Value
UUID afacc439-ea83-4d11-9b3d-33bd960f6d59
Fingerprint b51c9451a2b5c699
Analysis status DONE
Considered CTI value 2
Text language
Published June 10, 2021, 2 p.m.
Added to db Sept. 11, 2022, 12:31 p.m.
Last updated Nov. 17, 2024, 10:40 p.m.
Headline BackdoorDiplomacy: Upgrading from Quarian to Turian
Title BackdoorDiplomacy: Upgrading from Quarian to Turian | WeLiveSecurity
Detected Hints/Tags/Attributes 144/4/117
Attributes
Type | #Events | Value
Autonomous System Number | 20 | AS20473
Autonomous System Number | 2 | AS132839
Autonomous System Number | 2 | AS40065
Autonomous System Number | 1 | AS46573
Autonomous System Number | 3 | AS25820
Autonomous System Number | 1 | AS135377
Autonomous System Number | 7 | AS40676
CVE | 77 | cve-2020-5902
Domain | 1 | bill.microsoftbuys.com
Domain | 1 | dnsupdate.dns2.us
Domain | 1 | www.intelupdate.dns1.us
Domain | 1 | winupdate.ns02.us
Domain | 1 | icta.worldmessg.com
Domain | 1 | infoafrica.top
Domain | 1 | szsz.pmdskm.top
Domain | 1 | pmdskm.top
Domain | 1 | www.freedns02.dns2.us
Domain | 1 | web.vpnkerio.com
Domain | 1 | officeupdates.cleansite.us
Domain | 1 | dynsystem.imbbs.in
Domain | 1 | officeupdate.ns01.us
Domain | 1 | systeminfo.oicp.net
Domain | 1 | systeminfo.myftp.name
Domain | 1 | systeminfo.cleansite.info
Domain | 1 | updateip.onmypc.net
Domain | 1 | buffetfactory.oicp.io
Domain | 1 | expdns.net
Domain | 1 | update.officenews365.com
Domain | 1 | ezdnscenter.com
Domain | 4 | changeip.org
Domain | 1 | dnsupdate.dns1.us
Domain | 3 | hichina.com
Domain | 8 | domaincontrol.com
Domain | 1 | exhera.com
File | 1 | amsc.exe
File | 1 | msvsvr.dll
File | 50 | alg.exe
File | 2 | scncfg.exe
File | 6 | vsodscpl.dll
File | 1 | credwize.exe
File | 3 | new.dll
File | 2126 | cmd.exe
File | 14 | tmp.bat
File | 1 | sharedaccess.ini
File | 22 | %windir%\system32\cmd.exe
File | 1 | %windir%\alg.exe
File | 14 | logout.aspx
File | 1 | current.aspx
File | 8 | erroree.aspx
File | 1 | app_web_xcg2dubs.dll
File | 1 | vmsvc.exe
File | 1122 | svchost.exe
File | 1 | nvsvc.exe
File | 2 | appleversions.dll
File | 2 | mozillaupdate.exe
File | 1 | nvsvcv.exe
File | 1 | efsw.exe
File | 1 | iexplore32.exe
File | 2 | explorer32.exe
File | 33 | duser.dll
sha1 | 1 | 573c35ab1f243d6806dedbdd7e3265bc5cbd5b9a
sha1 | 1 | fcd8129ea56c8c406d1461ce9db3e02e616d2aa9
sha1 | 1 | 3c0db3a5194e1568e8e2164149f30763b7f3043d
sha1 | 1 | 32ef3f67e06c43c18e34fb56e6e62a6534d1d694
sha1 | 1 | 8c4d2ed23958919fe10334ccfbe8d78cd0d991a8
sha1 | 1 | c0a3f78cf7f0b592ef813b15fc0f1d28d94c9604
sha1 | 1 | cdd583bb6333644472733617b6dcee2681238a11
sha1 | 1 | fa6c20f00f3c57643f312e84cc7e46a0c7babe75
sha1 | 1 | 5f87fbfe30ca5d6347f4462d02685b6e1e90e464
sha1 | 1 | b6936bd6f36a48dd1460eeb4ab8473c7626142ac
sha1 | 1 | b16393dffb130304ad627e6872403c67dd4c0af3
sha1 | 1 | 9dbbebebba20b1014830b9de4ec9331e66a159df
sha1 | 1 | 564f1c32f2a2501c3c7b51a13a08969cdc3b0390
sha1 | 1 | 6e1bb476ee964fff26a86e4966d7b82e7bacbf47
sha1 | 1 | fbb0a4f4c90b513c4e51f0d0903c525360faf3b7
sha1 | 1 | 2183ae45adef97500a26dbbf69d910b82bfe721a
sha1 | 1 | 849b970652678748cebf3c4d90f435ae1680601f
sha1 | 1 | c176f36a7fc273c9c98ea74a34b8bab0f490e19e
sha1 | 1 | 626efb29b0c58461d831858825765c05e1098786
sha1 | 1 | 40e73bf21e31ee99b910809b3b4715af017db061
sha1 | 1 | 255f54de241a3d12debad2df47bac5601895e458
sha1 | 1 | a99cf07fba62a63a44c6d5ef6b780411cf1b1073
sha1 | 1 | 934b3934fdb4cd55dc4ea1577f9a394e9d74d660
sha1 | 1 | ef4df176916ce5882f88059011072755e1ecc482
IPv4 | 1 | 199.247.9.67
IPv4 | 1 | 43.251.105.218
IPv4 | 1 | 43.251.105.222
IPv4 | 1 | 162.209.167.154
IPv4 | 1 | 43.225.126.179
IPv4 | 1 | 23.247.47.252
IPv4 | 1 | 162.209.167.189
IPv4 | 1 | 23.83.224.178
IPv4 | 1 | 23.106.140.207
IPv4 | 1 | 45.76.120.84
IPv4 | 1 | 78.141.243.45
IPv4 | 1 | 78.141.196.159
IPv4 | 1 | 45.77.215.53
IPv4 | 1 | 207.148.8.82
IPv4 | 3 | 43.251.105.139
IPv4 | 1 | 152.32.180.34
IPv4 | 1 | 23.228.203.130
MITRE ATT&CK Techniques | 542 | T1190
MITRE ATT&CK Techniques | 333 | T1059.003
MITRE ATT&CK Techniques | 245 | T1203
MITRE ATT&CK Techniques | 380 | T1547.001
MITRE ATT&CK Techniques | 86 | T1548.002
MITRE ATT&CK Techniques | 504 | T1140
MITRE ATT&CK Techniques | 33 | T1550
MITRE ATT&CK Techniques | 585 | T1083
MITRE ATT&CK Techniques | 534 | T1005
MITRE ATT&CK Techniques | 219 | T1113
MITRE ATT&CK Techniques | 442 | T1071.001
MITRE ATT&CK Techniques | 130 | T1573.001
MITRE ATT&CK Techniques | 159 | T1095
Threat Actor Identifier - APT | 85 | APT15
Windows Registry Key | 1 | HKEY_CURRENT_USER\sOFtWArE\MIcrOsOft\WindOwS\CurRentVeRsiOn\RuN
Windows Registry Key | 1 | HKEY_LOCAL_MACHINE\sOFtWArE\MIcrOsOft\WindOwS\CurRentVeRsiOn\RuN