Operation Diplomatic Specter is a Chinese state-aligned espionage campaign targeting governments in the Middle East, Africa and Asia since late 2022, employing rare backdoors and a bespoke toolset to exfiltrate emails and monitor geopolitical developments. The operation centers on the Specter family backdoors, Gh0st RAT variants, and targeted mailbox data collection, with persistence and cross-region reach extending beyond Asia. Hashtags: #OperationDiplomaticSpecter #TunnelSpecter #SweetSpecter #Gh0stRAT #ProxyLogon #ProxyShell #ExchangeServer
Keypoints
- The campaign has targeted governmental entities in the Middle East, Africa and Asia since late 2022, focusing on diplomatic missions, embassies, ministries, and high-ranking officials.
- Threat actors use two novel backdoors, TunnelSpecter and SweetSpecter, with roots in Gh0st RAT, employing DNS tunneling and encrypted C2 communications for stealthy access and data exfiltration.
- Attackers monitor geopolitical developments and exfiltrate information daily, including entire inbox archives from targeted mailboxes when conditions resemble current events.
- Initial access is achieved via Exchange server exploits (ProxyLogon and ProxyShell CVEs), underscoring the need to patch internet-facing assets.
- Persistence is maintained through techniques such as creating rogue user accounts and reinvoking access after disruptions.
- The operation shows strong ties to Chinese state interests, including infrastructure reuse, Mandarin-language artifacts, and use of China-based VPS for C2.
- Unit 42 links the activity to a single actor (TGR-STA-0043) and discusses broader attribution and tool lineage across related operations.
MITRE Techniques
- [T1190] Exploit Public-Facing Application - Exposed Exchange servers were compromised via ProxyLogon CVE-2021-26855 and ProxyShell CVE-2021-34473 for initial access. "exploits ProxyLogon CVE-2021-26855 and ProxyShell CVE-2021-34473 for initial access."
- [T1213] Data from Information Repositories - The threat actor exfiltrated data from Exchange mailboxes, including complete inboxes in some cases. "entire archived inboxes belonging to particular diplomatic missions or individuals."
- [T1136] Create Account - The threat actor created a rogue user on targeted systems and added it to the Administrators group to sustain access. "it created a rogue user that we found on that specific target ... added to the Administrators group."
- [T1059.001] PowerShell - The campaign used PowerShell-based techniques, including a script to register a new network provider and exfiltrate emails. "PowerShell snap-in (PSSnapins) to steal emails through a script."
- [T1218] Signed Binary Proxy Execution - Rundll32 was used to run a Gh0st RAT variant from a web shell. "the web shell dropped under the SysWOW64 folder was executed using a renamed rundll32.exe process."
- [T1071.004] DNS - DNS tunneling C2 communication used by TunnelSpecter for data exfiltration. "DNS tunneling C2 communication ... encrypting communication using a hard-coded Caesar cipher on top of hex encoding."
- [T1003] Credential Dumping - Use of tools such as Mimikatz and SAM key dumping during credential access. "Mimikatz and dumping the Sam key."
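The persistence pattern mapped to T1136 above (a rogue user created and then added to the Administrators group) can be caught by correlating Windows Security events 4720 and 4732 on the member SID. This is an added detection example, not code from the Unit 42 report; the event records are constructed and only carry the fields the correlation needs.

```python
"""Correlate Windows Security events to flag a newly created local user that is
added to the Administrators group shortly afterwards (Event ID 4720 -> 4732)."""
from datetime import datetime, timedelta

# Constructed sample events (not from the report): minimal fields taken from
# Security log records 4720 (user created) and 4732 (member added to local group).
SAMPLE_EVENTS = [
    {"id": 4720, "time": "2023-03-01T02:10:05", "target": "svc_backup", "sid": "S-1-5-21-1-1-1-1105"},
    {"id": 4732, "time": "2023-03-01T02:10:41", "member_sid": "S-1-5-21-1-1-1-1105", "group": "Administrators"},
    {"id": 4720, "time": "2023-03-01T09:00:00", "target": "j.doe", "sid": "S-1-5-21-1-1-1-1106"},
    # Legitimate-looking: elevation a full day after creation, outside the window.
    {"id": 4732, "time": "2023-03-02T09:00:00", "member_sid": "S-1-5-21-1-1-1-1106", "group": "Administrators"},
    # Same rogue SID added to a non-admin group: not alerted on by this rule.
    {"id": 4732, "time": "2023-03-01T02:12:00", "member_sid": "S-1-5-21-1-1-1-1105", "group": "Remote Desktop Users"},
]

ADMIN_GROUPS = {"administrators"}


def _ts(value):
    return datetime.fromisoformat(value)


def find_rogue_admins(events, window=timedelta(hours=1)):
    """Return (account, created_at, elevated_at) for every account that was created
    and then added to an admin group within `window`. Correlation is done on the
    SID because 4732 records the member's SID rather than its account name."""
    created = {}  # sid -> (account name, creation time)
    hits = []
    for ev in sorted(events, key=lambda e: _ts(e["time"])):
        if ev["id"] == 4720:
            created[ev["sid"]] = (ev["target"], _ts(ev["time"]))
        elif ev["id"] == 4732 and ev["group"].lower() in ADMIN_GROUPS:
            sid = ev["member_sid"]
            if sid in created:
                name, t0 = created[sid]
                t1 = _ts(ev["time"])
                if timedelta(0) <= t1 - t0 <= window:
                    hits.append((name, t0.isoformat(), t1.isoformat()))
    return hits


if __name__ == "__main__":
    for name, t0, t1 in find_rogue_admins(SAMPLE_EVENTS):
        print(f"ALERT: {name} created {t0}, added to Administrators {t1}")
```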
Indicators of Compromise
Read more: https://unit42.paloaltonetworks.com/operation-diplomatic-specter/