Chinese APT Targets Iranian Government OrganizationsPlayful Taurus, Also Known as Vixen Panda, Is Using New Turian Backdoor Variant
Cybersecurity researchers say a Chinese advanced persistent threat group is responsible for targeting Iranian government organizations between July and December 2022.
Palo Alto Networks' Unit 42 says Playful Taurus has been active since at least 2010. Playful Taurus is a moniker given to the ATP group by its constellation-themed naming process. The group also goes by the names BackdoorDiplomacy, Vixen Panda, APT15, KeChang and Nickel.
Playful Taurus is known for using phishing techniques to target government and diplomatic entities across North and South America, Africa and the Middle East for cyberespionage.
The group recently updated its toolkit to include a new variant of the Turian backdoor and its command-and-control infrastructure.
While monitoring connections to the malicious infrastructure, researchers observed four Iranian organizations attempting to connect to an IP address controlled by the hackers -
18.104.22.168 - between July and late December 2022. The Iranian government organizations included the Ministry of Foreign Affairs and the Agricultural and Natural Resources Engineering Organization.
"The sustained daily nature of these connections to Playful Taurus-controlled infrastructure suggests a likely compromise of these networks. Moreover, these targets also fit historical targeting patterns by the group," the researchers say.
The latest Turian version is powered with additional obfuscation and a modified network protocol.
One of the major difference observed is the C2 decryption algorithm. In older samples, "the C2s were decrypted with an XOR against a hard-coded byte, such as 0xA9," researchers say. "The updated backdoor offers fairly generic functionality, from updating the C2 to communicate with, to executing commands and spawning reverse shells. The main differences with this compared to other variants of Turian are the command IDs. Previous IDs started at 0x01 and followed an order, the new IDs appear to be randomized."
The Chinese group's activities come against the backdrop of a 25-year cooperation accord signed in 2021 between the two countries, pledging economic, military and security cooperation as both countries face different levels of United States sanctions.
A U.S. federal court in Virginia in December 2021 paved the way for technology giant Microsoft to disrupt the activities of the China-based hacking group, known then as Nickel.
The U.S. District Court for the Eastern District of Virginia granted Microsoft's request to seize websites used by the hacking group to gather intelligence from government agencies, think tanks and human rights organizations in the United States and 28 other countries.
The order allowed the company's Digital Crimes Unit to cut off Nickel's access to its victims and prevent the websites from being used to execute attacks (see: Microsoft Gets Court Order to Disrupt Chinese Cyber Ops).
Microsoft, which has been tracking Nickel since 2016 and analyzing its activity since 2019, said the attacks use a variety of techniques to achieve one goal: insert hard-to-detect malware that facilitates intrusion, surveillance and data theft.
Nickel previously targeted organizations in both the private and public sectors, including diplomatic organizations and ministries of foreign affairs in North America, Central America, South America, the Caribbean, Europe and Africa.