The APT group known as Confucius has been carrying out attacks against governments and military organizations in South and East Asia in recent years. The group’s new campaign was recently discovered during routine threat monitoring operations.
Starting in 2013, Confucius has been utilizing various malicious tools, including commercial trojans and open-source remote-control programs. In a recent incident, attackers distributed malware through LNK files disguised as documents, such as a “guide to safe Internet” from the Pakistani telecommunications department.
The attack starts with a ZIP archive containing an LNK file which, when opened, triggers a VBS script. This script checks for antivirus software and sets up a hidden scheduled task that launches the malicious software every five minutes. Consequently, victims’ devices have had confidential data stolen and sent to a remote server, including text documents, images, and presentations.
The attack features multi-stage loading and execution of malicious software. River Stealer, a data-theft program discovered in this campaign, served as the boot mechanism. The malicious software not only gathers specific file types but also sends host data, such as computer and user names, to remote servers.
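The persistence step described above (a hidden scheduled task firing a script host every five minutes) is something a defender can hunt for in exported Task Scheduler definitions. The following is an added example, not code from the original report or from any analysis of the campaign: it parses Windows Task Scheduler XML (the format produced by `schtasks /query /xml`) and flags tasks that are hidden, repeat at short intervals, launch a script host such as wscript or cscript, or reference a user-writable path. The two task definitions embedded in the block are constructed samples, and the 10-minute threshold is an assumed tuning value.

```python
"""Heuristic review of Windows Task Scheduler XML for script-based persistence.

Added example, not part of the original report. The task definitions below are
constructed samples, not artefacts recovered from the Confucius campaign.
"""

import re
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler 2.0 XML exports.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = {"wscript", "cscript", "powershell", "mshta", "cmd"}
USER_PATH = re.compile(r"(\\users\\|%appdata%|%temp%|%localappdata%|%public%)", re.I)


def _interval_minutes(iso):
    """Convert an ISO 8601 duration such as PT5M or PT1H30M to minutes."""
    m = re.fullmatch(r"P(?:(\d+)D)?T?(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?", iso or "")
    if not m:
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 1440 + h * 60 + mi + s / 60


def analyze_task(xml_text, max_interval_min=10):
    """Return the list of reasons a task definition looks like script persistence.

    An empty list means none of the heuristics fired. max_interval_min is an
    assumed threshold: repetition intervals at or below it are flagged.
    """
    root = ET.fromstring(xml_text)
    reasons = []

    # Hidden tasks do not show in the Task Scheduler UI by default.
    hidden = root.findtext("t:Settings/t:Hidden", default="false", namespaces=NS)
    if hidden.strip().lower() == "true":
        reasons.append("hidden task")

    # Short repetition intervals (the campaign used five minutes).
    for iv in root.iterfind(".//t:Repetition/t:Interval", NS):
        mins = _interval_minutes(iv.text)
        if mins is not None and mins <= max_interval_min:
            reasons.append(f"repeats every {mins:g} min")

    # Actions that run a script host or reference user-writable locations.
    for exe in root.iterfind("t:Actions/t:Exec", NS):
        cmd = (exe.findtext("t:Command", default="", namespaces=NS) or "").strip()
        args = (exe.findtext("t:Arguments", default="", namespaces=NS) or "").strip()
        base = cmd.lower().rsplit("\\", 1)[-1]
        if base.split(".")[0] in SCRIPT_HOSTS:
            reasons.append(f"script host action: {base}")
        if USER_PATH.search(f"{cmd} {args}"):
            reasons.append("action references user-writable path")
    return reasons


def triage(tasks, min_hits=2):
    """Map task name -> reasons for every task with at least min_hits findings."""
    flagged = {}
    for name, xml_text in tasks.items():
        reasons = analyze_task(xml_text)
        if len(reasons) >= min_hits:
            flagged[name] = reasons
    return flagged


# Constructed sample resembling the chain in the report (not a real artefact).
SUSPICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger>
      <Repetition><Interval>PT5M</Interval></Repetition>
      <Enabled>true</Enabled>
    </LogonTrigger>
  </Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions>
    <Exec>
      <Command>wscript.exe</Command>
      <Arguments>//B "C:\Users\victim\AppData\Roaming\update.vbs"</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign sample: hourly vendor updater from Program Files.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <Repetition><Interval>PT1H</Interval></Repetition>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions>
    <Exec>
      <Command>C:\Program Files\Vendor\Updater.exe</Command>
      <Arguments>/check</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for name, reasons in triage({"Update": SUSPICIOUS_TASK, "VendorUpdater": BENIGN_TASK}).items():
        print(name, "->", "; ".join(reasons))
```

On a live host, point `triage` at the XML files under the Tasks directory (or at `schtasks /query /xml` output) rather than the embedded samples; requiring two or more findings keeps a lone hourly repetition or a lone path match from generating noise.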
Aside from deploying the malicious software described above, the Confucius group has used various social engineering methods. Attackers use lure files on subjects such as religion, politics, energy, and telecommunications, for example counterfeit government reports or religious studies.
Although the group primarily targets foreign organizations, users are advised to exercise caution when handling files from unknown sources and to implement protective measures such as keeping antivirus software up to date and regularly backing up data.