Confucius Hackers Target Government and Military Entities Using WooperStealer Malware
The notorious Confucius hacking organization, first exposed by foreign security vendors in 2016, continues to pose a significant threat to government and military entities across South and East Asia.
With attack activities dating back to 2013, this group has recently escalated its operations, targeting critical domestic units and industries with advanced tactics.
Unveiling a Sophisticated Cyber Threat
According to the report, the Knownsec 404 Advanced Threat Intelligence Team has uncovered a new weapon in Confucius' arsenal: a modular backdoor named "anondoor", paired with the infamous WooperStealer malware, signaling a dangerous evolution in the group's cyber warfare capabilities.
The latest attack chain begins with a seemingly innocuous LNK file, which runs a script that downloads several components, including "python313.dll" (anondoor itself) and a legitimate Python interpreter renamed "BlueAle.exe".

Once executed, BlueAle.exe loads anondoor from that DLL; the componentized backdoor marks a stark upgrade from the group's earlier downloader Trojans.
From Simple Scripts to Modular Backdoors
Unlike earlier samples, where persistence was set up by the initial script, anondoor now establishes persistence itself by registering BlueAle.exe in a scheduled task named "SystemCheck", ensuring long-term access to compromised systems.
This shift moves the malicious logic out of the first-stage script and into the backdoor, decentralizing operations to make detection harder.
Furthermore, anondoor collects extensive system information (operating system version, local and public IP addresses, hostname and disk details) and relays it to a remote server, deriving a unique UUID for the infected host with a custom hash over firmware data, the username and the hostname.
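As an added illustration (not code from the report or from the Knownsec 404 team), the following Python triage helper turns the two persistence and loader traits described above into a check a defender can run over scheduled-task creation records: a task named "SystemCheck", an action that runs from outside the Windows and Program Files trees, and an executable that sits beside a python313.dll under a name that is not python.exe (the renamed-interpreter pattern described for BlueAle.exe). The event records, the directory listing and all file paths under C:\Users are constructed sample data in the shape of a simplified Windows Security Event ID 4698 ("A scheduled task was created"); on a live host you would feed it the real event log and a real directory walk.

```python
import ntpath
from dataclasses import dataclass, field

# Traits taken from the report's description of anondoor persistence and loading.
PERSISTENCE_TASK_NAME = "systemcheck"   # scheduled task name reported for anondoor
LOADER_DLL = "python313.dll"            # DLL name the report gives for anondoor
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed sample: simplified Event ID 4698 records (TaskName plus the
# Exec/Command and Exec/Arguments fields normally carried inside TaskContent XML).
SAMPLE_EVENTS = [
    # benign vendor updater living under Program Files
    {"EventID": 4698, "TaskName": "\\GoogleUpdateTaskMachineUA",
     "Command": "C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe",
     "Arguments": "/ua /installsource scheduler"},
    # task name from the report, executable in a user-writable directory (constructed path)
    {"EventID": 4698, "TaskName": "\\SystemCheck",
     "Command": "C:\\Users\\victim\\AppData\\Roaming\\Update\\BlueAle.exe",
     "Arguments": ""},
    # different task name but the same renamed-interpreter layout (constructed path)
    {"EventID": 4698, "TaskName": "\\Backup",
     "Command": "C:\\Users\\victim\\AppData\\Local\\Temp\\svc.exe",
     "Arguments": ""},
    # a legitimately installed tool that merely reuses the task name; one weak signal only
    {"EventID": 4698, "TaskName": "\\SystemCheck",
     "Command": "C:\\Program Files\\Vendor\\check.exe",
     "Arguments": "--quiet"},
]

# Constructed directory listing standing in for a file-system walk of the hosts above.
SAMPLE_LISTING = {
    "C:\\Users\\victim\\AppData\\Roaming\\Update\\BlueAle.exe",
    "C:\\Users\\victim\\AppData\\Roaming\\Update\\python313.dll",
    "C:\\Users\\victim\\AppData\\Local\\Temp\\svc.exe",
    "C:\\Users\\victim\\AppData\\Local\\Temp\\python313.dll",
    "C:\\Program Files\\Vendor\\check.exe",
}


@dataclass
class Finding:
    task_name: str
    command: str
    reasons: list = field(default_factory=list)


def task_name_matches(task_name):
    """Task name equals the reported persistence name, ignoring the root backslash and case."""
    return task_name.strip("\\").lower() == PERSISTENCE_TASK_NAME


def outside_trusted_roots(command):
    """Action runs from somewhere other than the Windows or Program Files trees."""
    return not command.lower().startswith(TRUSTED_ROOTS)


def renamed_python_loader(command, directory_listing):
    """Executable has a non-Python name yet shares its folder with python313.dll,
    the sideload layout described for BlueAle.exe. A genuine python*.exe next to
    its own DLL is normal and is not flagged."""
    folder, exe = ntpath.split(command)
    if exe.lower().startswith("python"):
        return False
    wanted = ntpath.join(folder, LOADER_DLL).lower()
    return wanted in {p.lower() for p in directory_listing}


def triage_tasks(events, directory_listing):
    """Return a Finding for every task-creation event that shows at least two of
    the three traits; a single trait (e.g. only the name) is too weak on its own."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4698:
            continue
        reasons = []
        if task_name_matches(ev["TaskName"]):
            reasons.append("task name matches reported persistence name")
        if outside_trusted_roots(ev["Command"]):
            reasons.append("action runs from outside Windows/Program Files")
        if renamed_python_loader(ev["Command"], directory_listing):
            reasons.append("executable sits beside python313.dll under a non-Python name")
        if len(reasons) >= 2:
            findings.append(Finding(ev["TaskName"], ev["Command"], reasons))
    return findings


if __name__ == "__main__":
    for f in triage_tasks(SAMPLE_EVENTS, SAMPLE_LISTING):
        print(f"{f.task_name} -> {f.command}")
        for r in f.reasons:
            print(f"    - {r}")
```

The two-trait threshold is a design choice: the task name alone is trivially changed by the operator and also collides with legitimate software, so the name only raises severity when the action path or the DLL-sideload layout corroborates it, while the path-plus-DLL combination fires even when the name changes in a later campaign.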
The sophistication deepens with anondoor’s ability to download additional malicious components, notably WooperStealer, a known data-stealing malware deployed in the 2024 ADS attack.
Uniquely, WooperStealer carries no embedded server address for data exfiltration; instead, it relies on parameters passed by anondoor at load time, which complicates sandbox analysis and renders current antivirus detection ineffective, with a detection rate of zero.
The communication with the command-and-control (C2) server is meticulously parameterized, using base64-encoded requests and custom delimiters to obscure the true nature of interactions.
Commands are parsed in a structured format involving module IDs and URLs for downloading backdoor components, while data splicing techniques further mask the C2 infrastructure.
This modular approach, coupled with C# DLL encapsulation and dynamic method invocation, showcases Confucius’ high technical iteration, making tracing and defense an uphill battle for security teams.
Their ability to hide real C2 servers behind layers of obfuscation ensures that even captured components yield little actionable intelligence.
The Confucius organization’s relentless attacks on neighboring countries, now fortified by modular backdoors like anondoor and payloads like WooperStealer, underline a growing cyber threat landscape.
Their continuous evolution from simple download-and-execute Trojans to complex, sandbox-evading mechanisms is a stark warning to governments and military bodies in the region to bolster their defenses against such insidious adversaries.
Indicators of Compromise (IOC)

| Type | Value |
|---|---|
| HASH | abefd29c85d69f35f3cf8f5e6a2be76834416cc43d87d1f6643470b359ed4b1b |