Chinese cyberespionage campaign in the Middle East.

Bitdefender has published a report describing a Chinese cyberespionage operation targeting telecom providers in the Middle East.

ProxyShell used for initial access.

The threat actor gained initial access by exploiting the ProxyShell vulnerability in Microsoft Exchange Server:

“The attack started with an email, but this was not a traditional phishing attack. The malicious payload was included as an attachment, and once this email was received and processed by the Exchange server, the vulnerability was exploited (without anyone clicking on the attachment or even seeing the email). The subject of the email and the attachment name suggests that a public proof of concept for ProxyShell exploit was used.”

After gaining access, the threat actor deployed multiple tools to establish persistence, move laterally, and escalate privileges. These included the Irafau and Quarian backdoors and the Pinkman Agent.

BackdoorDiplomacy suspected.

BackdoorDiplomacy is a China-linked APT that was discovered last year by researchers at ESET, who noted that the group primarily targets Ministries of Foreign Affairs in the Middle East and Africa, and less frequently, telecommunication companies. Bitdefender attributes this campaign to BackdoorDiplomacy based on the domains used for command-and-control:

“The attribution is based on infrastructure and TTPs common to the current operation and others known to the public. For instance, the already-known IP address 43.251.105[.]139 was used as C&C by a sample of Quarian variant built on 2022-04-11. The domains uc.ejalase[.]org and mci.ejalase.org pointed to IP addresses related to other domains used by the BackdoorDiplomacy in the past. One such domain we believe is support.vpnkerio[.]com as other subdomains of vpnkerio[.]com are connected to the mentioned threat actor.”