
Background

Between 2020 and 2021, we systematically disclosed a series of espionage activities of the Confucius group, including Operation Tipu [1] and Operation Angi [2]. Years later, the group's overall tactics, techniques, and procedures (TTPs) remain highly similar to those of the past. Based on multi-source intelligence analysis, we assess that Confucius is an APT group of an outsourced nature, with most of its attacks initiated by local contractors or individuals. Outsourced cyber attacks of this type share several notable characteristics: low attack costs and relatively simple technical methods, while the choice of targets usually reflects the will of the state. It is worth noting that about 90% of the APT groups currently disclosed by the open source intelligence community have similar outsourcing attributes.

This article highlights the weapon source code and testing machine information of the Confucius group, enriching the open source intelligence community's reporting on the diversity of APT groups. The TianQing Liuhe engine already blocks the group's low-level lnk decoys by default:


Phishing Framework - "myproject"

The core logic lives in myproject.py and consists of Flask route handlers, each implementing different logic for a different URL:

If the URL requested from the C2 is /attachment, the server returns a specific Trojan file.

If the requested URL is /uploadfile, a zip package containing a malicious Trojan is returned.

The logic of /continue belongs to the phishing framework proper and is explained below:

Target users are stored in a MongoDB database with two collections: Credentials, the target user list (usernameHash, username, userLoggedIn), and HarvestedCredentials, the stolen credentials (username, password, timestamp, attempt). The database listens on the C2 at 127.0.0.1:27017.

When the Confucius group launches the phishing framework, it usually listens on port 5000 of the C2 server.
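The three routes described above give a defender a small, correlatable pattern: a client that POSTs to /continue and then fetches /attachment or /uploadfile on port 5000 of the same host has walked the whole framework. The following detection is an added example written for this article, not code from the Confucius framework or from Qi'anxin; the proxy log lines, hosts and clients are constructed.

```python
import re
from collections import defaultdict

# Constructed proxy log lines (not from the report): client, method, URL, status.
SAMPLE_LOG = """\
10.0.0.5 GET http://198.51.100.20:5000/continue 200
10.0.0.5 POST http://198.51.100.20:5000/continue 302
10.0.0.5 GET http://198.51.100.20:5000/attachment 200
10.0.0.7 GET http://198.51.100.20:5000/uploadfile 200
10.0.0.9 GET http://203.0.113.8/continue 200
10.0.0.9 GET http://intranet.corp.example:5000/healthz 200
"""

LINE_RE = re.compile(r"^(?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")
# The framework is described as listening on an explicit port, so the port is required here.
URL_RE = re.compile(r"^https?://(?P<host>[^/:]+):(?P<port>\d+)(?P<path>/\S*)$")

FRAMEWORK_PORT = "5000"          # port the article says the framework usually listens on
PAYLOAD_PATHS = {"/attachment", "/uploadfile"}  # routes that hand out the Trojan / zip
HARVEST_PATH = "/continue"       # route that stores phished credentials in Mongo

def parse_line(line):
    """Parse one constructed proxy log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    u = URL_RE.match(m["url"])
    if not u:
        return None
    return {"client": m["client"], "method": m["method"], "status": m["status"],
            "host": u["host"], "port": u["port"], "path": u["path"]}

def indicators(req):
    """Map one request to the framework behaviour it matches (empty set if none)."""
    if req["port"] != FRAMEWORK_PORT:
        return set()
    if req["path"] in PAYLOAD_PATHS:
        return {"payload_download"}
    if req["path"] == HARVEST_PATH and req["method"] == "POST":
        return {"credential_post"}
    return set()

def find_framework_activity(log_text):
    """Group matches by (client, C2 host); a pair carrying both indicators is the full chain."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        req = parse_line(line)
        if req:
            hits[(req["client"], req["host"])] |= indicators(req)
    return {pair: tags for pair, tags in hits.items() if tags}
```

A GET to /continue alone is only the landing page being viewed, so it is deliberately not counted; the credential POST plus a payload fetch from the same client is what merits an alert.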


Source code project

| Source code project name | Function |
|---|---|
| DeliveryBoy | Dropper, used to release the second-stage loader and persist it |
| FileSplitterr | Splits a PE file into multiple parts for dynamic loading |
| MadBoy | Loader, loads the payload from the resource section and injects it |
| win | CMD command-execution backdoor (the final payload) |

DeliveryBoy

The dropper releases the second-stage loader to a specified location and persists it. It first loads its own resources, generates a random string, and merges the two resources with the random string.

The resource files are the second-stage loader MadBoy, which was split into two parts.

It generates a second random string and writes the reassembled MadBoy to the C:\ProgramData directory, using the generated random string as the file name.

The released MadBoy is then persisted by creating a scheduled task named DrivOneUpdat.

Finally, it deletes itself through a CMD command.
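The DeliveryBoy chain leaves three host-side traces worth alerting on: a scheduled task named DrivOneUpdat, a task whose action is an executable sitting directly in the root of C:\ProgramData (legitimate software almost always uses a vendor subfolder there), and a cmd.exe child that deletes its own parent image. The following rules are an added example written for this article, not code from the Confucius toolset or from Qi'anxin; the event records are constructed and only loosely shaped after Windows scheduled-task-creation and process-creation telemetry.

```python
from pathlib import PureWindowsPath

# Constructed telemetry (not from the report). The random file name and the
# parent path are invented; the task name DrivOneUpdat comes from the article.
EVENTS = [
    {"type": "task_created", "task": "\\DrivOneUpdat",
     "action": r"C:\ProgramData\kqzxmvtrwa.exe"},
    {"type": "task_created", "task": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "action": r"%windir%\system32\defrag.exe -c -h -o -$"},
    {"type": "task_created", "task": "\\VendorUpdate",
     "action": r"C:\ProgramData\Vendor\Updater\update.exe /silent"},
    {"type": "process_created", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Users\tester\Downloads\invoice.exe",
     "cmdline": r'cmd.exe /c del "C:\Users\tester\Downloads\invoice.exe"'},
]

KNOWN_TASK = "drivoneupdat"                      # persistence task name from the article
PROGRAMDATA = PureWindowsPath(r"C:\ProgramData")  # drop directory from the article

def action_executable(action):
    """Return the executable path from a task action string (quoted, or the first token)."""
    action = action.strip()
    if action.startswith('"'):
        return action[1:action.find('"', 1)]
    return action.split(" ", 1)[0]

def classify(event):
    """Return the set of DeliveryBoy-style rules one event matches (empty if none)."""
    tags = set()
    if event["type"] == "task_created":
        if event["task"].lstrip("\\").lower() == KNOWN_TASK:
            tags.add("known_task_name")
        exe = PureWindowsPath(action_executable(event["action"]))
        # PureWindowsPath compares case-insensitively, matching NTFS semantics.
        if exe.parent == PROGRAMDATA and exe.suffix.lower() == ".exe":
            tags.add("programdata_root_exe")
    elif event["type"] == "process_created":
        is_cmd = PureWindowsPath(event["image"]).name.lower() == "cmd.exe"
        cmdline = event["cmdline"].lower()
        if is_cmd and "del " in cmdline and event["parent"].lower() in cmdline:
            tags.add("self_delete_via_cmd")
    return tags

def scan(events):
    """Return (index, tags) for every event that matches at least one rule."""
    findings = []
    for i, event in enumerate(events):
        tags = classify(event)
        if tags:
            findings.append((i, tags))
    return findings
```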


FileSplitterr

This is a tool the attacker uses to split a file into multiple parts. We infer that the attacker used it to split MadBoy into the resource files embedded in DeliveryBoy.


MadBoy

The loader loads the final payload in memory. As in DeliveryBoy, it first loads and splices together its own resource files.

It then creates a new process of itself, injects the payload into the new process, and executes it.


Win

The final payload is a CMD backdoor. On execution it first connects to the C2, which here is an intranet address used by the attacker for testing.

It receives instructions from the C2 and creates a new thread to execute each one.

Execution is carried out by creating a CMD process to run the command.

This type of CMD backdoor is often used as a plug-in by APT groups in South Asia. It is very similar to the type 2 remote command execution backdoor used by the CNC group in the Operation Sea Elephant article [3] released in the first half of this year, and may be its predecessor.


Testing machine and test samples

A look at the weapon and tool names in the shared directory of the test machine:

| File name | Size |
|---|---|
| image.gif.lnk | 1.48 kB |
| lnkkk.txt | 893 B |
| Mock.lnk | 3.19 kB |
| new updates.zip | 1.04 MB |
| updates.zip | 28.44 MB |
| 2025.ps1 | 900 B |
| 360totalsecurity.pdf.exe | 40.40 kB |
| datas.pdf | 40.62 kB |
| hello.xlsm | 8.68 kB |
| hello1.xlsm | 18.42 kB |
| hello2.xlsm | 19.49 kB |
| OBS-Studio-30.2.3-Windows-Installer.exe | 139.80 MB |
| PDF-doc-256.ico | 6.37 kB |
| reshacker_setup.exe | 4.29 MB |
| python-3.13.2-amd64.exe | 28.60 MB |
| sample-1.pdf | 69.99 kB |
| sample-4.pdf | 40.62 kB |
| swisstransfer_2a81f96a-93fc-4364-bded-4291281dbdeb.zip | 17.60 kB |
| swisstransfer_32e9a422-4793-4ebf-b7be-58e8c8a30bb7.zip | 12.12 kB |
| tesj.zip | 50.61 kB |
| tester3.lnk.download | 3.65 kB |
| Visual_Studio_Code_V1.94.2.exe | 100.39 MB |
| wordico.ico | 67.65 kB |
| _Getintopc.com_ProPlus2016.en-US.iso | 1.88 GB |
| Proof of the legitimacy of the document (1).zip | 1.43 kB |

The Confucius group staged some payloads and decoys on the Swisstransfer file-sharing service. They likely installed OBS to record their operations on the test machine, making the attack process controllable and traceable. However, the attackers themselves lacked awareness of secure software management, going so far as to download an Office image from an untrusted third-party website. Previously, the UTG-Q-001 group used the Getintopc cracked-software site to spread Trojans and enable lateral movement within the intranet.

The exit IPs of the test machine are essentially all Tor nodes:

| Tor node IP |
|---|
| 78.142.18.219 |
| 109.228.160.190 |
| 195.47.238.176 |
| 192.42.116.211 |
| 192.42.116.212 |

Test samples

Hello.xlsm and testing.xlsm may be new decoys about to be put into use. The macro content is as follows: it fetches a payload from GitHub and executes it. At present, the attacker has not uploaded the payload to the git repository.


Summary

At present, the full range of products based on threat intelligence data from the Qi'anxin Threat Intelligence Center, including the Qi'anxin Threat Intelligence Platform (TIP), TianQing, the Tianyan Advanced Threat Detection System, Qi'anxin NGSOC, and Qi'anxin Situational Awareness, already supports accurate detection of such attacks.


Reference Links

[1] https://ti.qianxin.com/uploads/2020/09/17/69da886eecc7087e9dac2d3ea4c66ba8.pdf

[2] https://www.secrss.com/articles/31785

[3] https://ti.qianxin.com/blog/articles/operation-sea-elephant-the-dying-walrus-wandering-the-indian-ocean-cn/
