Chinese hackers targeted Iranian government entities for months

Chinese advanced persistent threat actor, Playful Taurus, targeted several Iranian government entities between July and December 2022, according to a Palo Alto Networks report.

The Chinese threat actor also known as APT15, KeChang, NICKEL, BackdoorDiplomacy, and Vixen Panda, was observed attempting to connect government domains to malware infrastructure previously associated with the APT group, according to the report.

“Playful Taurus continues to evolve their tactics and their tooling. Recent upgrades to the Turian backdoor and new C2 infrastructure suggest that these actors continue to see success during their cyber espionage campaigns,” Palo Alto Networks said in a blog.

“Our analysis of the samples and connections to the malicious infrastructure suggest that Iranian government networks have likely to been compromised,” the cyber security firm added.

The firm has also cautioned that the threat actor has been deploying the same tactics and techniques against other government and diplomatic entities across North and South America, Africa and the Middle East.

Playful Taurus deployed new version of Turian malware

In the recent attacks against government entities in Iran, the researchers observed Playful Taurus was using a new version of the Turian malware and a new command and control (C2) infrastructure.

The new version of the threat actor’s backdoor has additional obfuscation and a modified network protocol, an updated decryption algorithm used to extract the C2 servers. The malware offers functions to update the C2 server to communicate with, execute commands and spawn reverse shells. 

The networks of four Iranian government organisations, including Iran’s Ministry of Foreign Affairs, have likely been compromised using the new version of the malware.

“We identified Iranian government infrastructure establishing connections with a known Playful Taurus command and control (C2) server,” Palo Alto Networks noted. “Pivoting on one of the Iranian government IPs, we then identified additional infrastructure hosting certificates that overlap with a second Playful Taurus C2 server."

Turian is the next stage evolution of Quarian, the backdoor last observed in use in 2013 against diplomatic targets in Syria and the United States by the threat actor. The use of Turian by Playful Taurus was first identified in June 2021 by ESET.

Several countries targeted over the years

Known to be active since 2010, the threat actor targets telecommunication companies and government diplomacies. Their initial attack vector focuses on exploiting vulnerable internet-exposed applications on web servers to drop and execute a Webshell.

Using the Webshell, Playful Taurus deploys open source software for information gathering. It uses the Dynamic-Link Library search order hijacking to install its backdoor, Turian. As a last step, the threat actor employs a separate executable to detect removable media, likely USB flash drives, and copy their contents to the main drive’s recycle bin, according to ESET researchers.

The threat actor uses similar tactics, techniques and procedures in its attacks but modified tools are used to avoid getting tracked. In 2012, Playful Taurus targeted the Syrian Ministry of Foreign Affairs, and the US Department of State in 2013.

In December 2021, Microsoft seized 42 domains in the US used by Playful Taurus for its attacks targeting 29 countries.