
Confucius Group a new round of attacks

Introduction

Recently, the research team has observed attacks by the “Mo Luoxiu” group against military enterprises in South Asia. The group uses the decoy document “China Cruise Missiles Capabilities-Implications for the Indian Army.docx”.

The “Mo Luoxiu” group (also known as Confucius) has long been active in cyber espionage against China, Pakistan, Nepal and other regions, mainly targeting government agencies, military enterprises, and the nuclear energy industry.

After in-depth tracking, we found that the content of the document was taken from the Indian site orfonline and is an English-language report on missile technology, chosen to appeal to military enterprises. When the victim opens the document, it triggers a vulnerability in the Office formula editor (Equation Editor), then downloads and executes the Warzone RAT malware to gain long-term control of the host and steal sensitive information.

We compared this attack with the group’s previous hot-topic attacks across multiple dimensions, including the techniques used. This attack still follows the group’s usual routine: military-themed decoy document + exploit + disguised Microsoft domain name + commercial Trojan.

The attack process is as follows:

[Figure: attack process]

Such malicious documents are mainly spread through phishing emails. After the user opens the malicious document, a seemingly normal report on the topic is displayed. Behind it, malicious files are silently downloaded from the attacker’s server through the Office formula editor vulnerability and executed. In the end the victim’s computer is controlled by the group and its data is stolen. The actual content of the malicious Word document is as follows:

[Figure: content of the malicious Word document]

In terms of propagation method, the carrier of this attack is a malicious document whose content concerns a hot current-affairs topic, which is clearly similar to the several earlier campaigns we tracked.

In terms of exploitation method, the same remote template and Office formula editor vulnerability are used, and the request server address msoffice.user-assist.site follows the same structure as the domain names used in the previous campaigns, which imitate Microsoft or Office to make the connection look legitimate. A domain name of this kind is meant to slip past blocklist and allowlist restrictions.
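The remote-template and lookalike-domain combination described above can be checked statically, before the document is ever opened. The following added example (not code from the original report or the vendor) parses a .docx for an external attachedTemplate relationship and flags hosts that borrow Microsoft or Office brand tokens without sitting under a Microsoft-owned domain; the list of Microsoft suffixes and brand tokens is an assumption for illustration, and the sample document is constructed inline, reusing the msoffice.user-assist.site URL from the IOCs.

```python
import io
import re
import zipfile
from urllib.parse import urlparse

# OOXML relationship type Word uses for an attached (possibly remote) template.
ATTACHED_TEMPLATE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
REL_RE = re.compile(r'<Relationship\b([^>]*)/?>', re.S)
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')
# Assumed, illustrative lists: Microsoft-owned suffixes vs. brand tokens abused by lookalikes.
MS_SUFFIXES = ("microsoft.com", "office.com", "office.net", "live.com", "microsoftonline.com")
BRAND_TOKENS = ("microsoft", "msoffice", "office", "outlook", "onedrive")

def remote_templates(docx_bytes: bytes) -> list[str]:
    """Return external attachedTemplate targets found in word/_rels/settings.xml.rels."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if "word/_rels/settings.xml.rels" not in z.namelist():
            return hits
        xml = z.read("word/_rels/settings.xml.rels").decode("utf-8", "replace")
    for attrs in REL_RE.findall(xml):
        a = dict(ATTR_RE.findall(attrs))
        if a.get("Type") == ATTACHED_TEMPLATE and a.get("TargetMode") == "External":
            hits.append(a["Target"])
    return hits

def microsoft_lookalike(host: str) -> bool:
    """True when a host uses a Microsoft/Office brand token but is not under a Microsoft suffix."""
    host = host.lower().rstrip(".")
    if any(host == s or host.endswith("." + s) for s in MS_SUFFIXES):
        return False
    return any(tok in host for tok in BRAND_TOKENS)

def triage(docx_bytes: bytes) -> list[tuple[str, bool]]:
    """Pair each remote template URL with a lookalike verdict for its host."""
    return [(u, microsoft_lookalike(urlparse(u).hostname or "")) for u in remote_templates(docx_bytes)]

def build_sample_docx(template_url: str) -> bytes:
    """Constructed minimal .docx containing only the parts this check inspects (not a real sample)."""
    rels = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" Target="{template_url}" TargetMode="External"/>'
            '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/settings.xml", "<w:settings/>")
        z.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()

if __name__ == "__main__":
    for url, suspicious in triage(build_sample_docx("http://msoffice.user-assist.site/refresh/word")):
        print(("SUSPICIOUS " if suspicious else "ok ") + url)
```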

[Figure: remote template request to msoffice.user-assist.site]

The overall architecture and export functions of the malicious DLL released in the intermediate stage match the basic functionality of previously captured samples, and the final remote-control payload is again the Warzone (Ave Maria) RAT used in earlier attacks. Given the similarity of the TTPs, the characteristics and details of the dropped malicious files, and the IOCs, we can determine that this is the latest attack by “Mo Luoxiu” (named Confucius by a foreign security vendor).

IOCs
