Skip to content

G0142 Confucius

Confucius is a cyber espionage group that has primarily targeted military personnel, high-profile personalities, business persons, and government organizations in South Asia since at least 2013. Security researchers have noted similarities between Confucius and Patchwork, particularly in their respective custom malware code and targets.123

Item Value
ID G0142
Associated Names
Version 1.0
Created 26 December 2021
Last Modified 30 June 2022
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1583 Acquire Infrastructure -
enterprise T1583.006 Web Services Confucius has obtained cloud storage service accounts to host stolen data.1
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols Confucius has used HTTP for C2 communications.3
enterprise T1119 Automated Collection Confucius has used a file stealer to steal documents and images with the following extensions: txt, pdf, png, jpg, doc, xls, xlm, odp, ods, odt, rtf, ppt, xlsx, xlsm, docx, pptx, and jpeg.2
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder Confucius has dropped malicious files into the startup folder %AppData%\Microsoft\Windows\Start Menu\Programs\Startup on a compromised host in order to maintain persistence.3
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell Confucius has used PowerShell to execute malicious files and payloads.2
enterprise T1059.005 Visual Basic Confucius has used VBScript to execute malicious code.1
enterprise T1041 Exfiltration Over C2 Channel Confucius has exfiltrated stolen files to its C2 server.2
enterprise T1567 Exfiltration Over Web Service -
enterprise T1567.002 Exfiltration to Cloud Storage Confucius has exfiltrated victim data to cloud storage service accounts.1
enterprise T1203 Exploitation for Client Execution Confucius has exploited Microsoft Office vulnerabilities, including CVE-2015-1641, CVE-2017-11882, and CVE-2018-0802.31
enterprise T1083 File and Directory Discovery Confucius has used a file stealer that checks the Document, Downloads, Desktop, and Picture folders for documents and images with specific extensions.2
enterprise T1105 Ingress Tool Transfer Confucius has downloaded additional files and payloads onto a compromised host following initial access.32
enterprise T1566 Phishing -
enterprise T1566.001 Spearphishing Attachment Confucius has crafted and sent victims malicious attachments to gain initial access.3
enterprise T1566.002 Spearphishing Link Confucius has sent malicious links to victims through email campaigns.2
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task Confucius has created scheduled tasks to maintain persistence on a compromised host.2
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.005 Mshta Confucius has used mshta.exe to execute malicious VBScript.1
enterprise T1082 System Information Discovery Confucius has used a file stealer that can examine system drives, including those other than the C drive.2
enterprise T1221 Template Injection Confucius has used a weaponized Microsoft Word document with an embedded RTF exploit.3
enterprise T1204 User Execution -
enterprise T1204.001 Malicious Link Confucius has lured victims into clicking on a malicious link sent through spearphishing.2
enterprise T1204.002 Malicious File Confucius has lured victims to execute malicious attachments included in crafted spearphishing emails related to current topics.3

Software

ID Name References Techniques
S0670 WarzoneRAT 43 Bypass User Account Control:Abuse Elevation Control Mechanism Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution PowerShell:Command and Scripting Interpreter Windows Command Shell:Command and Scripting Interpreter Credentials from Web Browsers:Credentials from Password Stores Data from Local System Deobfuscate/Decode Files or Information Symmetric Cryptography:Encrypted Channel Component Object Model Hijacking:Event Triggered Execution Exfiltration Over C2 Channel File and Directory Discovery Hide Artifacts Disable or Modify Tools:Impair Defenses Ingress Tool Transfer Keylogging:Input Capture Modify Registry Native API Non-Application Layer Protocol Spearphishing Attachment:Phishing Process Discovery Process Injection Proxy VNC:Remote Services Remote Desktop Protocol:Remote Services Rootkit System Information Discovery Template Injection Malicious File:User Execution Video Capture

References

  1. Lunghi, D and Horejsi, J. (2018, February 13). Deciphering Confucius: A Look at the Group’s Cyberespionage Operations. Retrieved December 26, 2021. 

  2. Lunghi, D. (2021, August 17). Confucius Uses Pegasus Spyware-related Lures to Target Pakistani Military. Retrieved December 26, 2021. 

  3. Uptycs Threat Research Team. (2021, January 12). Confucius APT deploys Warzone RAT. Retrieved December 17, 2021. 

  4. Harakhavik, Y. (2020, February 3). Warzone: Behind the enemy lines. Retrieved December 17, 2021.