Confucius APT Is Exploiting the “Pegasus” Spyware Worries to Trick Pakistanis

  • Indian actor Confucius was spotted using “Pegasus” lures to trick Pakistanis into opening laced documents.
  • The spear-phishing email campaign uses addresses that are made to appear as if they belong to the Pakistan government.
  • The end result is an infection with a NET DLL info-stealer that grabs images and documents from the user’s folders.

The pro-India actor known as ‘Confucius’ has been noticed using lures relevant to the “Pegasus” Israeli spyware tool, spreading malicious documents through spear-phishing email campaigns. The actors' goal appears to be to compromise Pakistani people who are linked with ideas and groups thought to be of high risk for India's national security. As such, the spoofed origin used for distributing the emails is generally nationalistic, impersonating the Pakistani Armed Forces or even the government.

The relevant report comes from Trend Micro, who sampled quite a few emails distributed by the ‘Confucius’ APT from the following email addresses. All emails were sent via a Pakistan-based ExpressVPN server in order to not raise any alarms and achieve better distribution rates.

  • info@ispr.gov.pk
  • alert@ispr.gov.pk
  • latest_info@fbr.news
  • notice@fbr.news
  • alert@fbr.news
  • thenewsinernational@mailerservice.directory
Source: Trend Micro

The email content is something that would trigger the interest of the recipient, like, for example, the Pegasus spyware and how it can infect phones through click-less and totally stealthy attacks. If the victim clicks on the link hoping to read the document containing the details, they end up seeing a document that attempts to trick them into enabling content to let the malicious macros run loose on their system.

Source: Trend Micro

If the victim reaches this unfortunate step, a series of DLL files are decoded and loaded into memory, and eventually, a file-stealer is dropped onto the victim’s machine. That final payload is also a NET DLL, which is designed to steal a wide range of document and media files from the folders “Documents,” “Downloads,” “Desktop,” and “Pictures” of every user who has an account on the Windows system.

Everything is sent to the C2, currently on “pirnaram[.]xyz”. The exfiltration of the data isn’t done through PHP scripts but via FTP server instead, providing better stealthiness to the operation.

Source: Trend Micro

In February, the Lookout Threat Intelligence team discovered two new Android spyware samples that appeared to belong to ‘Confucius,’ namely the “Hornbill” and “SunBird”. These two were again spoofing popular Pakistani apps like the ‘Kashmir News’ and ‘Quran Majeed,’ aiming to steal information from the compromised smartphones. It is clear that the particular actor is insisting on the same targeting habits but constantly updates the scope and methods.

REVIEW OVERVIEW

Latest

Why Is Demon Slayer So Popular?

In August 2019, the world suddenly started talking about an anime series that had just released its nineteenth episode. Fast forward to...

F1 Live Stream 2022: How to Watch Formula 1 Without Cable

There's not much time until the 2022 Formula 1 World Championship gets underway - the first race is scheduled for late March,...

Disney+ Announces Basketball Series Inspired By Award-Winning Book The Crossover

Disney Plus announced a new basketball-themed drama series that is set to land on the streaming platform, drawing inspiration from the critically...
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: Chrome, Edge, Firefox, Safari