iscover
Share this article on:
Powered by
MOMENTUM
MEDIA
Chinese hacking group Playful Taurus updated its Turian backdoor, alongside adding new command and control nodes to its infrastructure.
Playful Taurus — which also operates under the names BackdoorDiplomacy, APT15, KeChang, Vixen Panda, and NICKEL — has been operating since 2010, and largely targets government sites and institutions. It has been seen to operate in Africa, the Middle East, and both Americas.
Most recently, Unit 42 researchers at Palo Alto Networks have found that the group is actively developing Turian and is employing the latest versions of the backdoor to a number of Iranian government networks.
Playful Taurus uses infrastructure based around an X.509 certificate that was once legitimately associated with Senegal’s Ministry of Foreign affairs. That certificate expired in April 2021 and has been seen as a part of IP addresses and infrastructure associated with the group as recently as 2022.
Unit 42 has found eight out of nine IP addresses associated with the certificate to have hosted Playful Taurus domains, and that four Iranian government departments were making connections with them. Since those connection attempts are regular and being made on a daily basis, Unit 42 believes the following Iranian organisations have been compromised:
A fourth, unidentified Iranian organisation is also attempting to make contact with Playful Taurus IPs.
Further investigations revealed more IP addresses linked to more out-of-date certificates and more C2 nodes operated by Playful Taurus.
One domain was www[.]delldrivers[.]in, which in turn yielded a sample of the deluxe malware, among others. Analysis of all of the samples suggests these are new variants of each.
“Key differences between our samples and the previously documented Turian samples indicated that we were likely looking at a newer version, with some additional obfuscation and a modified network protocol,” Unit 42 said in a blog post.
What this all adds up to is a threat actor constantly attempting to improve its tools and techniques, and Iran in particular is the current target of choice.
“At the same time,” Unit 42 noted, “we would also caution that Playful Taurus routinely deploys the same tactics and techniques against other government and diplomatic entities across North and South America, Africa and the Middle East.”
Turian and its fellow malware tool Quarian are both named for races from the popular Mass Effect series of video games.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
Be the first to hear the latest developments in the cyber industry.
