CONFUCIUS is a newly documented backdoor identified by Palo Alto Networks researchers, and one that shows considerable creativity on the cybercriminals’ side. The researchers analyzed two samples of the malware, taken from two separate cyber espionage campaigns.
In 2013, Rapid7 reported on a series of relatively amateur attacks against Pakistani targets. For a long time after the report was published, little changed in how the attackers operated. Although many of the attacks we see today from the group remain the same, we began observing a new backdoor, CONFUCIUS_A, being dropped by the attackers starting in early 2014.
Malware written by beginners or amateurs typically uses IP addresses hardcoded in its source code, while more advanced threats employ domain generation algorithms (DGAs) to conceal the real address of the command and control server. The two CONFUCIUS samples displayed a completely different behavior: the malware issued HTTP requests to legitimate websites, Yahoo and Quora, both of which host Q&A sections.
What’s the Difference between CONFUCIUS_A and CONFUCIUS_B?
The A variant accessed a specific Quora or Yahoo page and searched it for two markers, between which there were four or more words. The researchers also found a lookup table in the source code consisting of 255 words. That count is enough to cover the numbers between 1 and 255, the values used for the four blocks (octets) of an IPv4 address.
The lookup table begins with the markers that delimit the beginning and end of the useful content, followed by 255 words, each of which corresponds to a number (for example, prudent == 255). With this table in memory, the malware derives the command and control address from the text between the markers: “fill plate clever road” becomes 91.210.107[.]104.
CONFUCIUS_B was observed to use a similar method, with the difference that each word represented a single digit from 0 to 9. Rather than mapping one word to each of the four IPv4 blocks, the malware reconstructed the address one digit at a time.
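The following decoder, added here as an illustration and not code from the Palo Alto Networks report, reproduces the A-variant scheme described above so an analyst can extract the indicator from a captured page. The marker strings, the page text and all table entries other than the words quoted in the article are constructed assumptions.

```python
import re
from typing import Optional, Sequence

# Constructed fragment of the 255-word lookup table (word -> IPv4 octet value).
# Only the words quoted in the article are real; the full table is not reproduced.
WORD_TO_OCTET = {"fill": 91, "plate": 210, "clever": 107, "road": 104, "prudent": 255}

# Hypothetical start/end markers; the markers the malware actually searches for
# are not given in the article.
START_MARKER = "[[c2-start]]"
END_MARKER = "[[c2-end]]"


def extract_between_markers(page_text: str, start: str = START_MARKER,
                            end: str = END_MARKER) -> Optional[str]:
    """Return the text between the first start marker and the next end marker, or None."""
    s = page_text.find(start)
    if s == -1:
        return None
    s += len(start)
    e = page_text.find(end, s)
    if e == -1:
        return None
    return page_text[s:e]


def decode_variant_a(words: Sequence[str], table=WORD_TO_OCTET) -> Optional[str]:
    """Variant A: the first four words between the markers each name one octet."""
    if len(words) < 4:            # the article says four or more words are expected
        return None
    octets = []
    for w in words[:4]:
        value = table.get(w.lower())
        if value is None:         # unknown word: not a valid dead drop for this table
            return None
        octets.append(str(value))
    return ".".join(octets)


def resolve_c2(page_text: str) -> Optional[str]:
    """Offline equivalent of what the backdoor does with a downloaded Q&A page."""
    body = extract_between_markers(page_text)
    if body is None:
        return None
    return decode_variant_a(re.findall(r"[A-Za-z]+", body))


def defang(ip: str) -> str:
    """Render the indicator as the article does (91.210.107[.]104) for safe reporting."""
    head, _, last = ip.rpartition(".")
    return f"{head}[.]{last}"


# Constructed Q&A page text standing in for the Quora/Yahoo answer the malware fetches.
SAMPLE_PAGE = "Great question! [[c2-start]] fill plate clever road [[c2-end]] Hope this helps."
```

Running `resolve_c2(SAMPLE_PAGE)` yields the address from the article; any missing marker, short word list or word outside the table returns None rather than a partial address.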
Both samples were deployed in cyber espionage campaigns. All companies that have observed and analyzed CONFUCIUS operations, Palo Alto Networks among them, believe that the operator is probably located in India.
Find more technical details in Palo Alto’s report.