Confucius: Decoding the cyber espionage threat actor's new modus operandi targeting Pakistani victims

Since 2013, researchers have observed a series of amateur attacks by the Confucius hacking group targeting victims in South Asia, particularly Pakistani users. In earlier campaigns, the cyber espionage actors used fake romance websites as a lure to dupe victims into downloading malicious Android applications.

Trend Micro researchers have now reported a new shift towards a new modus operandi in which two new websites and payloads are used to target and spy on victims.

The first fraudulent website uses adult content as a lure and promotes an Android application named Fuddi Duniya. However, the malicious app can record audio, steal SMS, contacts, accounts and specific file types from certain directories. It can also retrieve the last known location of the device and use Google Firebase to upload the exfiltrated data.

Meanwhile, the second website is chat-based and claims it can help find users a partner. A link to the malicious Android app was briefly available on Google Play but has since been removed from the store after researchers notified Google. The fake app itself contains real chat features and comes with malicious .NET code.

The malware itself tries to contact the C2 server with the username encoded into parameters and then waits for a response from the operators regarding the download of the second stage payload.

"An interesting feature of the downloader: It uses an online service to retrieve the victim’s IP address and country, which it compares with a list of allowed countries. If the victim seemingly comes from a different country, the program will self-delete and quit," researchers note.

The countries include most South and South East Asian countries, most Middle Eastern countries, most African countries, just Ukraine in Europe and Trinidad and Tobago in the Americas.

Researchers have previously noted that Confucius shared similarities to other countries like Patchwork - both of which targeted South Asian victims and used a backdoor with the same configuration file structure and commands.

"Threat actors like Confucius and Patchwork are known for their large arsenal of tools and ever-evolving techniques that can render traditional security solutions — which are often not designed to handle the persistent and sophisticated threats detailed in this blog — ineffective," researchers said. "To help combat these kinds of threats organizations will need to take a more proactive and focused security posture that can cover the most ground in terms of security."