Owing to many factors, Pakistan has long faced serious domestic terrorism threats, and counter-terrorism has become an important part of its national security strategy. In the second half of 2022, Pakistani security forces carried out many intelligence-based operations (IBOs) in Baluchistan, Khyber and North Waziristan and killed many terrorists.
Pakistan's recent high-profile counter-terrorism operations have drawn India's attention. On November 30, 2022, NSFOCUS Security Labs spotted a cyber-attack against the armed forces in Multan, Pakistan. The attacker used an IBO action report from Lodhran District of Multan as bait to deliver a variant of a Trojan program and take control of the victim's devices. After analysis, NSFOCUS Security Labs confirmed that the actor behind the campaign was the Indian APT group Confucius.
Confucius is an APT group backed by India. It has been carrying out cyber-attacks since 2013, mainly targeting Pakistan, China and other countries neighbouring India, and it has a strong interest in the military, government agencies, energy and other sectors.
Confucius uses both Windows and Android Trojan programs to spy on targets and steal intelligence. Its attack tools include SunBird, ChatSpy and Hornbill, which show strong development and penetration capabilities.
In this attack, Confucius followed its usual bait construction pattern and used a new variant of the known attack tool MessPrint.
In this attack, Confucius constructed two phishing documents, "IBO_Lodhran.doc" and "US_Dept_of_State_Fund_Allocations_for_Pakistan.doc", targeting Pakistan's security forces and its diplomatic government departments respectively.
These phishing documents carry intelligence content that looks reasonably authentic, induce the victim to enable editing of the document through a pop-up message, and then run an attack chain that implants a variant Trojan.
Figure 1 Pop-up message in the phishing documents
Figure 2 Phishing document content: IBO_Lodhran.doc
Figure 3 Phishing document content: US_Dept_of_State_Fund_Allocations_for_Pakistan.doc
The typical attack process in this event is shown in the figure below.
Figure 4 Typical attack process of this event
When the macro in the phishing document is executed, the document drops a file named gist.txt into a specified directory and creates a scheduled task that runs the file every 30 minutes.
Figure 5 Scheduled tasks set by phishing documents
gist.txt is actually a PowerShell Trojan. It first connects to the fixed address tcp://142.234.157[.]195:8080 to test connectivity and uploads the user name, computer name, MAC address, system information and other details of the machine as registration information. It then downloads encrypted data from the fixed URL http://microsoftonedriver[.]com:8989/enc.txt, decrypts it as VERSION.dll, and loads and executes it with rundll32.
VERSION.dll is the main Trojan program used by Confucius in this campaign; the CnC it connects to is tcp://info-updates.ddns[.]net:8080.
The main Trojan program VERSION.dll is a variant of a known attack component used by Confucius. For ease of follow-up tracking, NSFOCUS Security Labs named the attack component MessPrint.
Compared with previous versions, this MessPrint variant has changed greatly in both functionality and anti-analysis measures, and its major version number has moved from 2.X.X to 3.1.0.
The main functions of this MessPrint variant fall into three parts: operation logging, victim host information upload and command execution.
It first creates a log file named log.txt in the directory C:\ProgramData, and all prompt information from the subsequent stages is recorded in that log file. We did not find this logging function in previous versions, so we speculate that this variant is a test build that Confucius put directly into use in its attack activity.
Subsequently, the Trojan collects various information about the victim host, packs it into a single piece of encrypted data and sends it to its CnC. The information collected by the Trojan is shown in the following table.
Table 1 List of information collected by MessPrint Variant
The collected fields are joined with the fixed string "# $# *" as the separator, and the fixed string "iqaz" marks the end of the data.
The data is then encrypted with the following steps before being sent to the CnC:
1. Byte-by-byte XOR with 0x1D;
2. Base64 encoding.
All subsequent communication between the variant and the CnC uses the same encryption.
After sending the host information, the variant and the CnC exchange the keywords "check_status", "verified", "hi" and "order" in several rounds of confirmation before entering command execution mode. In this mode, the MessPrint Trojan responds to the following commands and parameters issued by the CnC to download files, run programs and execute CMD commands.
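The framing and encoding described above, as an added example for analysts (not the malware's code and not from the original report): it packs constructed host-info fields into a beacon the way the report describes and decodes a captured beacon back into its fields. The separator and end-marker strings are taken from the report as written; the field values are made up.

```cpp
#include <string>
#include <vector>
// Beacon framing as the report describes it: fields joined by a fixed separator, a fixed
// end marker, byte-wise XOR 0x1D, then Base64. Separator and marker are quoted from the report.
static const std::string kSep = "# $# *", kEnd = "iqaz";
static const std::string kB64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
static const unsigned char kXorKey = 0x1D;

// XOR every byte with 0x1D, then Base64-encode (the order the report gives).
std::string encode_xor_b64(const std::string& in) {
    std::string out; unsigned val = 0; int bits = -6;
    for (unsigned char c : in) {
        val = (val << 8) | (c ^ kXorKey); bits += 8;
        while (bits >= 0) { out.push_back(kB64[(val >> bits) & 0x3F]); bits -= 6; }
    }
    if (bits > -6) out.push_back(kB64[((val << 8) >> (bits + 8)) & 0x3F]);
    while (out.size() % 4) out.push_back('=');
    return out;
}
// Inverse: Base64-decode, then XOR each byte with 0x1D again (XOR is its own inverse).
std::string decode_xor_b64(const std::string& in) {
    std::string out; unsigned val = 0; int bits = -8;
    for (char c : in) {
        size_t idx = kB64.find(c);
        if (idx == std::string::npos) break;  // '=' padding (or junk) ends the data
        val = (val << 6) | unsigned(idx); bits += 6;
        if (bits >= 0) { out.push_back(char(((val >> bits) & 0xFF) ^ kXorKey)); bits -= 8; }
    }
    return out;
}
// Build one registration beacon from host-info fields (handy for generating test traffic).
std::string messprint_encode(const std::vector<std::string>& fields) {
    std::string plain;
    for (size_t i = 0; i < fields.size(); ++i) { if (i) plain += kSep; plain += fields[i]; }
    return encode_xor_b64(plain + kEnd);
}

// Split a captured beacon back into its fields; empty result if the end marker is missing.
std::vector<std::string> messprint_decode(const std::string& beacon) {
    std::string plain = decode_xor_b64(beacon);
    std::vector<std::string> fields;
    if (plain.size() < kEnd.size() || plain.substr(plain.size() - kEnd.size()) != kEnd)
        return fields;  // no end marker: not MessPrint framing
    plain.erase(plain.size() - kEnd.size());
    for (size_t pos = 0, next = 0; pos <= plain.size(); pos = next + kSep.size()) {
        next = plain.find(kSep, pos);
        if (next == std::string::npos) next = plain.size();
        fields.push_back(plain.substr(pos, next - pos));
    }
    return fields;
}
```

Running a suspected beacon through messprint_decode and checking for the end marker is a quick way to confirm the framing before writing a detection rule on it.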
Table 2 CnC instruction list
Our analysis found that the MessPrint variant has changed considerably in its functional part: on the one hand, it protects the CnC communication with encryption; on the other hand, it drops much of the functionality found in previous versions, such as file theft and reverse shell.
These changes indicate that the Trojan's role has shifted from full-featured spyware to a stub-type backdoor, with the spying functions split out into independent components. This kind of component splitting has become very common in the development of APT attack components in recent years, because it lets APT attackers reduce the risk of exposing the whole framework.
In the MessPrint Trojan seen this time, Confucius developers added a great deal of anti-analysis technology, which makes the Trojan harder to analyse.
The MessPrint Trojan mainly uses an exception-based control-flow obfuscation. This obfuscation turns ordinary linear flow into a try-throw-catch structure, so that two code segments that were originally adjacent are split into try and catch blocks that are no longer adjacent. A C++ object is thrown at a specific point, and execution reaches the code that would have run next in the linear structure only by passing through Visual C++ exception handling.
The following figure shows the basic logic of this exception-based control-flow obfuscation:
Figure 6 Obfuscation approach used by the MessPrint variant
This obfuscation defeats the static analysis of some decompilers, because most pseudocode output cannot correctly reconstruct the exception-handling flow above.
In addition, Confucius developers also abused some common code obfuscation techniques in the MessPrint variant, such as stack expansion, junk code and meaningless code, which further hinder static analysis. Considering the many development traces in the sample, we speculate that Confucius developers use obfuscation to reduce the losses caused by exposure when they have to put a development build of the Trojan into use.
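The try-throw-catch restructuring described above, as an added illustration (made-up checksum routine, not MessPrint's code): the linear version and the obfuscated version compute the same value, but in the second the fragments are only connected through exception dispatch.

```cpp
#include <cstdint>
#include <string>
// Added illustration of the try/throw/catch control-flow obfuscation the report describes,
// applied to a made-up checksum routine. It is not MessPrint's code.

// Plain linear version: three fragments, one after another.
uint32_t checksum_linear(const std::string& data) {
    uint32_t h = 0x1D;                                // fragment A: initialise
    for (unsigned char c : data) h = (h * 31) ^ c;    // fragment B: fold the bytes
    return (h >> 16) ^ (h & 0xFFFF);                  // fragment C: finalise
}

// The thrown C++ object carries the live state from one fragment to the next.
struct Step { uint32_t h; };

// Obfuscated version computing the same value: each fragment ends with a throw and
// the fragment that used to follow it sits in a catch handler. Control only reaches
// B and C through the C++ exception dispatcher, so a decompiler no longer sees
// A -> B -> C as straight-line code, and C ends up nested inside B's handler.
uint32_t checksum_obfuscated(const std::string& data) {
    try {
        uint32_t h = 0x1D;                            // fragment A
        throw Step{h};                                // hand off to B
    } catch (const Step& a) {
        try {
            uint32_t h = a.h;
            for (unsigned char c : data) h = (h * 31) ^ c;   // fragment B
            throw Step{h};                            // hand off to C
        } catch (const Step& b) {
            return (b.h >> 16) ^ (b.h & 0xFFFF);      // fragment C
        }
    }
    return 0;  // never reached: every path above throws into a handler that returns
}
```

Comparing the two functions on the same input is the quickest way to convince yourself that the handlers are ordinary code fragments, which is what an analyst has to reassemble by hand when the decompiler shows only the try bodies.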
As a direct display of the national armed forces in peacetime, the series of counter-terrorism operations recently conducted in Pakistan has made India very sensitive. The APT attack we spotted also shows that India has begun to commit cyber-attack forces to related reconnaissance activities.
Our analysis shows that Confucius developers remain active in component development, and it also confirms how widespread component splitting and framework-based tooling have become among APT developers. The improving defensive capabilities in APT capture, analysis and disclosure in recent years compel APT attackers to rebuild their attack tools as frameworks and to control the use of components at every level through stage-by-stage delivery, reducing the risk of complete exposure.
- Phishing documents:
- Encrypted PowerShell file:
- CnC of PowerShell:
- Download address:
http[:]//microsoftonedriver[.]com:8989/enc.txt
- MessPrint variant program:
- MessPrint variant CnC:
About NSFOCUS Security Labs
NSFOCUS Security Labs (NSL) is an internationally-recognized cybersecurity research and threat response center at the forefront of vulnerability assessment, threat hunting and mitigation research.