Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Поиск
Вход Регистрация
MITRE ATT&CK - Преступная группа Confucius
Риски
Каталоги
MITRE ATT&CK
Преступная группа
Confucius
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Confucius

Confucius is a cyber espionage group that has primarily targeted military personnel, high-profile personalities, business persons, and government organizations in South Asia since at least 2013. Security researchers have noted similarities between Confucius and Patchwork, particularly in their respective custom malware code and targets.(Citation: TrendMicro Confucius APT Feb 2018)(Citation: TrendMicro Confucius APT Aug 2021)(Citation: Uptycs Confucius APT Jan 2021)
ID: G0142
Associated Groups: 
Version: 1.1
Created: 26 Dec 2021
Last Modified: 16 Apr 2025

Associated Group Descriptions
Name Description

Techniques Used
Domain ID Name Use
Enterprise T1583 .006 Acquire Infrastructure: Web Services

Confucius has obtained cloud storage service accounts to host stolen data.(Citation: TrendMicro Confucius APT Feb 2018)
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Confucius has used HTTP for C2 communications.(Citation: Uptycs Confucius APT Jan 2021)
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Confucius has dropped malicious files into the startup folder `%AppData%\Microsoft\Windows\Start Menu\Programs\Startup` on a compromised host in order to maintain persistence.(Citation: Uptycs Confucius APT Jan 2021)
Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Confucius has used PowerShell to execute malicious files and payloads.(Citation: TrendMicro Confucius APT Aug 2021)
.005 Command and Scripting Interpreter: Visual Basic

Confucius has used VBScript to execute malicious code.(Citation: TrendMicro Confucius APT Feb 2018)

Enterprise T1567 .002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

Confucius has exfiltrated victim data to cloud storage service accounts.(Citation: TrendMicro Confucius APT Feb 2018)
Enterprise T1566 .001 Phishing: Spearphishing Attachment

Confucius has crafted and sent victims malicious attachments to gain initial access.(Citation: Uptycs Confucius APT Jan 2021)
.002 Phishing: Spearphishing Link

Confucius has sent malicious links to victims through email campaigns.(Citation: TrendMicro Confucius APT Aug 2021)

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Confucius has created scheduled tasks to maintain persistence on a compromised host.(Citation: TrendMicro Confucius APT Aug 2021)
Enterprise T1218 .005 System Binary Proxy Execution: Mshta

Confucius has used mshta.exe to execute malicious VBScript.(Citation: TrendMicro Confucius APT Feb 2018)

Enterprise T1204 .001 User Execution: Malicious Link

Confucius has lured victims into clicking on a malicious link sent through spearphishing.(Citation: TrendMicro Confucius APT Aug 2021)
.002 User Execution: Malicious File

Confucius has lured victims to execute malicious attachments included in crafted spearphishing emails related to current topics.(Citation: Uptycs Confucius APT Jan 2021)

Software
ID Name References Techniques
S0670 WarzoneRAT (Citation: Ave Maria) (Citation: Check Point Warzone Feb 2020) (Citation: Uptycs Confucius APT Jan 2021) (Citation: Uptycs Warzone UAC Bypass November 2020) VNC, Keylogging, Rootkit, Bypass User Account Control, Hide Artifacts, Malicious File, Symmetric Cryptography, Spearphishing Attachment, System Information Discovery, Native API, Data from Local System, Deobfuscate/Decode Files or Information, Process Injection, Modify Registry, Credentials from Web Browsers, Video Capture, Proxy, File and Directory Discovery, Process Discovery, Exfiltration Over C2 Channel, PowerShell, Registry Run Keys / Startup Folder, Disable or Modify Tools, Component Object Model Hijacking, Non-Application Layer Protocol, Hidden Window, Windows Command Shell, Template Injection, Ingress Tool Transfer, Remote Desktop Protocol

References

  1. Harakhavik, Y. (2020, February 3). Warzone: Behind the enemy lines. Retrieved December 17, 2021.
  2. Lunghi, D. (2021, August 17). Confucius Uses Pegasus Spyware-related Lures to Target Pakistani Military. Retrieved December 26, 2021.
  3. Lunghi, D and Horejsi, J. (2018, February 13). Deciphering Confucius: A Look at the Group's Cyberespionage Operations. Retrieved December 26, 2021.
  4. Uptycs Threat Research Team. (2021, January 12). Confucius APT deploys Warzone RAT. Retrieved December 17, 2021.
Навигация

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.