How Confucius exploits vulnerabilities to steal information.
In recent years, an APT group called Confucius has been actively conducting attacks targeting governments and military organizations in South and East Asia. Recently, a new campaign by this group came to light, revealed during regular cyber threat monitoring operations.
The Confucius group started its operations back in 2013, and their attacks involve the use of various malicious tools, such as commercial trojans and open-source programs for remote control. In one recent case, the attackers were found to be spreading malware using LNK files presented as documents, such as the "Safe Internet Guide" issued by the Pakistan Telecommunications Authority.
The attack begins with a ZIP archive containing an LNK file, which, once opened, runs a VBS script. This script checks for antivirus software and sets a hidden task to run malicious software every five minutes. As a result, sensitive data is stolen from the victim's device and transmitted to the server, including files of various formats, such as text documents, images, and presentations.
This attack is characterized by multi-stage downloading and execution of malware. The loading mechanism used was River Stealer, a data-stealing program that was discovered as part of this campaign. The malware not only collects files with specific extensions, but also transmits host data, such as computer name and username, to remote servers.
In addition to using the described malware, the Confucius group also used a number of other social engineering techniques. The attackers use enticing files related to various topics, such as religion, politics, energy, and telecommunications. These can be, for example, false documents related to government reports or religious research.
Despite the fact that this campaign is aimed primarily at foreign organizations, users are advised to exercise caution when dealing with files from unknown sources and apply protective measures such as regularly updating antivirus software and backing up data.
Source
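The chain described in the post (LNK launches a VBS script, which registers a scheduled task that repeats every five minutes) leaves a recognisable parent/child trail in process-creation telemetry. The following is an added detection example, not code from the original post or from any vendor report: it walks Sysmon-style process events (a constructed sample, including one benign admin-created task) and flags a `schtasks.exe /create` with a minute-level interval whose ancestor chain contains a script host executing a `.vbs` file. All file names, paths and PIDs in the sample are made up.

```python
import re

# Constructed Sysmon-style process-creation events (not from the original post).
# Each dict is one process start; "ppid" links a child to its parent.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "C:\Users\u\AppData\Local\Temp\Guide.zip\Guide.vbs"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks.exe /create /tn "Updater" /sc minute /mo 5 /tr "C:\Users\u\AppData\Roaming\svc.exe" /f'},
    # Benign: an admin creating a daily backup task from an interactive PowerShell session.
    {"pid": 400, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe"},
    {"pid": 500, "ppid": 400, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks.exe /create /tn "Backup" /sc daily /st 02:00 /tr "C:\Tools\backup.exe"'},
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# Matches the minute-based repeat schedule: "/sc minute /mo <n>"
MINUTE_SCHEDULE = re.compile(r"/sc\s+minute\s+/mo\s+(\d+)", re.IGNORECASE)


def find_script_spawned_minute_tasks(events, max_minutes=10):
    """Return one alert per schtasks.exe creation that repeats every <= max_minutes
    minutes and whose ancestor chain contains wscript/cscript running a .vbs file."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if not e["image"].lower().endswith("schtasks.exe"):
            continue
        m = MINUTE_SCHEDULE.search(e["cmd"])
        if not m or int(m.group(1)) > max_minutes:
            continue
        # Walk up the parent chain looking for a script host executing a .vbs file.
        parent = by_pid.get(e["ppid"])
        while parent is not None:
            if parent["image"].lower().endswith(SCRIPT_HOSTS) and ".vbs" in parent["cmd"].lower():
                alerts.append({"task_pid": e["pid"], "script_pid": parent["pid"],
                               "interval_min": int(m.group(1)), "cmd": e["cmd"]})
                break
            parent = by_pid.get(parent["ppid"])
    return alerts


if __name__ == "__main__":
    for a in find_script_spawned_minute_tasks(SAMPLE_EVENTS):
        print(f"ALERT: pid {a['task_pid']} registered a {a['interval_min']}-minute task "
              f"from VBS host pid {a['script_pid']}: {a['cmd']}")
```

The benign daily task is not flagged because it neither repeats at minute granularity nor descends from a script host; tune `max_minutes` to the interval your environment considers suspicious.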