Confucius
Associated Group Descriptions |
|
Name | Description |
---|---|
Techniques Used |
||||
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1583 | .006 | Acquire Infrastructure: Web Services |
Confucius has obtained cloud storage service accounts to host stolen data.(Citation: TrendMicro Confucius APT Feb 2018) |
Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
Confucius has used HTTP for C2 communications.(Citation: Uptycs Confucius APT Jan 2021) |
Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
Confucius has dropped malicious files into the startup folder `%AppData%\Microsoft\Windows\Start Menu\Programs\Startup` on a compromised host in order to maintain persistence.(Citation: Uptycs Confucius APT Jan 2021) |
Enterprise | T1059 | .001 | Command and Scripting Interpreter: PowerShell |
Confucius has used PowerShell to execute malicious files and payloads.(Citation: TrendMicro Confucius APT Aug 2021) |
.005 | Command and Scripting Interpreter: Visual Basic |
Confucius has used VBScript to execute malicious code.(Citation: TrendMicro Confucius APT Feb 2018) |
||
Enterprise | T1567 | .002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage |
Confucius has exfiltrated victim data to cloud storage service accounts.(Citation: TrendMicro Confucius APT Feb 2018) |
Enterprise | T1566 | .001 | Phishing: Spearphishing Attachment |
Confucius has crafted and sent victims malicious attachments to gain initial access.(Citation: Uptycs Confucius APT Jan 2021) |
.002 | Phishing: Spearphishing Link |
Confucius has sent malicious links to victims through email campaigns.(Citation: TrendMicro Confucius APT Aug 2021) |
||
Enterprise | T1053 | .005 | Scheduled Task/Job: Scheduled Task |
Confucius has created scheduled tasks to maintain persistence on a compromised host.(Citation: TrendMicro Confucius APT Aug 2021) |
Enterprise | T1218 | .005 | System Binary Proxy Execution: Mshta |
Confucius has used mshta.exe to execute malicious VBScript.(Citation: TrendMicro Confucius APT Feb 2018) |
Enterprise | T1204 | .001 | User Execution: Malicious Link |
Confucius has lured victims into clicking on a malicious link sent through spearphishing.(Citation: TrendMicro Confucius APT Aug 2021) |
.002 | User Execution: Malicious File |
Confucius has lured victims to execute malicious attachments included in crafted spearphishing emails related to current topics.(Citation: Uptycs Confucius APT Jan 2021) |
Software |
|||
ID | Name | References | Techniques |
---|---|---|---|
S0670 | WarzoneRAT | (Citation: Ave Maria) (Citation: Check Point Warzone Feb 2020) (Citation: Uptycs Confucius APT Jan 2021) (Citation: Uptycs Warzone UAC Bypass November 2020) | Process Discovery, Keylogging, Registry Run Keys / Startup Folder, Malicious File, Exfiltration Over C2 Channel, Credentials from Web Browsers, Bypass User Account Control, Data from Local System, Ingress Tool Transfer, System Information Discovery, Proxy, Symmetric Cryptography, Remote Desktop Protocol, Modify Registry, Disable or Modify Tools, Component Object Model Hijacking, Hide Artifacts, Spearphishing Attachment, Deobfuscate/Decode Files or Information, PowerShell, Native API, Video Capture, Hidden Window, Process Injection, Windows Command Shell, VNC, Template Injection, Non-Application Layer Protocol, File and Directory Discovery, Rootkit |
References
- Lunghi, D. (2021, August 17). Confucius Uses Pegasus Spyware-related Lures to Target Pakistani Military. Retrieved December 26, 2021.
- Lunghi, D and Horejsi, J. (2018, February 13). Deciphering Confucius: A Look at the Group's Cyberespionage Operations. Retrieved December 26, 2021.
- Uptycs Threat Research Team. (2021, January 12). Confucius APT deploys Warzone RAT. Retrieved December 17, 2021.
- Harakhavik, Y. (2020, February 3). Warzone: Behind the enemy lines. Retrieved December 17, 2021.
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.