The Pivot East: UnsolicitedBooker Targets Central Asian Telecoms
In the constantly shifting landscape of global cyber espionage, adaptability is the weapon of choice for advanced persistent threats (APTs). Security analysts are sounding the alarm this week following reports that the threat activity cluster known as UnsolicitedBooker has significantly altered its targeting scope. Moving away from its previous focus on entities in Saudi Arabia, the group is now aggressively targeting telecommunications providers in Central Asia, specifically Kyrgyzstan and Tajikistan.
This strategic shift highlights the volatile nature of nation-state-aligned cyber operations, where political and regional dynamics can instantly redirect malicious traffic toward new critical infrastructure sectors.
The Arsenal: LuciDoor and MarsSnake
The latest campaigns observed by researchers involve the deployment of two distinct, sophisticated malware strains designed to maintain persistent access within compromised networks. These backdoors, codenamed LuciDoor and MarsSnake, represent the core of UnsolicitedBooker's post-exploitation phase.
While technical details are still emerging, the deployment of dual backdoors suggests a "belt-and-suspenders" approach to resilience. If one detection mechanism catches or quarantines one implant, the second remains active to ensure continued command and control (C2). For telecom operators—who hold the keys to vast amounts of sensitive communication data and possess the infrastructure to intercept traffic—such persistence is a nightmare scenario.
Deep Dive: Tactics, Techniques, and Procedures (TTPs)
Attack Vector and Initial Access
UnsolicitedBooker typically relies on initial access vectors that exploit external-facing services or leverage sophisticated social engineering. While specific CVEs for this specific campaign are not disclosed in the initial reports, groups targeting telecoms often look for:
- Unpatched VPN concentrators or gateways: Telecom infrastructure is sprawling and often relies on legacy systems with long patch cycles.
- Spear-phishing with IT-themed lures: Messages masquerading as software updates or billing alerts targeting network engineers.
The Backdoors: LuciDoor & MarsSnake
The introduction of these two payloads indicates a modular attack framework:
-
LuciDoor: Likely acts as a primary entry point or a lightweight beacon. This malware is designed to be stealthy, often utilizing process injection techniques (such as DLL injection or process hollowing) to hide within legitimate system processes like
svchost.exeorexplorer.exe. -
MarsSnake: This component appears more feature-rich. Named for its ability to slither through systems, MarsSnake likely provides secondary capabilities such as lateral movement tools, credential dumping (mimikatz integration), or data exfiltration protocols disguised as standard web traffic (HTTP/HTTPS tunneling).
The Strategic Shift
Why Central Asia? The shift from the Middle East to Central Asia suggests a change in intelligence requirements. Telecoms in Kyrgyzstan and Tajikistan are critical nodes in regional connectivity. Compromising these networks could facilitate surveillance of cross-border communications or positioning for supply chain attacks targeting other nations connected via these routes.
Threat Hunting and Detection
To defend against this specific threat, security teams must move beyond signature-based antivirus and look for behavioral anomalies. Below are specific queries and scripts to help identify potential compromises by LuciDoor or MarsSnake.
Sentinel / Defender KQL Queries
The following KQL query hunts for suspicious process creation patterns often associated with these backdoors, focusing on unusual parent-child relationships and network connections to non-standard ports.
let SuspiciousProcesses = dynamic(["powershell.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe"]);
DeviceProcessEvents
| where Timestamp > ago(7d)
// Look for common LOLbins spawning from unexpected parents
| where FileName in~ (SuspiciousProcesses)
| where InitiatingProcessFileName !in~ ("explorer.exe", "services.exe", "svchost.exe", "cmd.exe", "powershell.exe")
// Exclude known signed software when possible, focusing on unsigned or suspicious locations
| where isnull(SignatureStatus) or SignatureStatus != "Valid"
// Check for network connections initiated by these processes
| join kind=inner (DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemotePort in (443, 80, 8080)
| summarize arg_max(Timestamp, *) by DeviceId, ProcessId) on DeviceId, ProcessId
| project Timestamp, DeviceName, FileName, InitiatingProcessFileName, FolderPath, RemoteUrl, RemoteIP
PowerShell Hunting Script
Administrators can use this PowerShell script to scan for common persistence mechanisms used by backdoors, such as unauthorized Run keys or suspicious Scheduled Tasks.
# Check for suspicious persistence in Registry Run Keys
$Paths = @(
"HKLM:\Software\Microsoft\Windows\CurrentVersion\Run",
"HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce",
"HKCU:\Software\Microsoft\Windows\CurrentVersion\Run",
"HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
)
$SuspiciousNames = @("LuciDoor", "MarsSnake", "update", "config")
foreach ($Path in $Paths) {
if (Test-Path $Path) {
Get-Item $Path | Select-Object -ExpandProperty Property | ForEach-Object {
$PropValue = (Get-ItemProperty -Path "$Path" -Name $_).$_
foreach ($Sus in $SuspiciousNames) {
if ($_ -like "*$Sus*" -or $PropValue -like "*$Sus*") {
Write-Host "[ALERT] Suspicious Entry Found in $Path : Name=$_, Value=$PropValue" -ForegroundColor Red
}
}
}
}
}
# Check for hidden files in System32 (common hiding spot)
$Sys32Path = "$env:SystemRoot\System32"
Get-ChildItem -Path $Sys32Path -Force -ErrorAction SilentlyContinue |
Where-Object { $_.Mode -match "h" -and $_.Extension -eq ".exe" } |
Select-Object FullName, CreationTime, LastWriteTime
Mitigation Strategies
Detecting UnsolicitedBooker is only half the battle; removing them and preventing re-entry requires decisive action.
-
Network Segmentation: Telecom environments must enforce strict segmentation. OT (Operational Technology) and IT networks should be logically separated. Backdoors like MarsSnake rely on lateral movement; segmentation breaks the chain.
-
Credential Resetting: Assume that if a backdoor was present, credentials were harvested. Force a password reset for all privileged accounts, especially domain admins, and enforce MFA immediately.
-
Vulnerability Management: Prioritize patching external-facing gateways, VPN appliances, and mail servers. Threat actors often exploit known CVEs (CVE-202X-XXXX) that remain unpatched in complex legacy environments.
-
Egress Filtering: Implement strict firewall rules to limit outbound traffic. C2 traffic often looks like standard HTTPS, but if you restrict which internal IPs can reach the internet and to which specific external IPs, you can blunt the impact of the backdoor.
-
Endpoint Detection and Response (EDR): Ensure EDR agents are running on all critical servers, including those previously considered "low risk." Backdoors often hide in the shadows of neglected systems.
Conclusion
The shift of UnsolicitedBooker toward Central Asian telecoms serves as a stark reminder that cyber threats follow geopolitical currents. By deploying dual-threat backdoors like LuciDoor and MarsSnake, the group is ensuring they can stay embedded within these high-value targets for the long haul. Vigilance, powered by robust threat hunting and rapid incident response, remains the best defense against this evolving menace.
Related Resources
Security Arsenal Alert Triage Automation AlertMonitor Platform Book a SOC Assessment platform Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.