Uptycs Blog

Welcome! The Uptycs blog is for security professionals and osquery enthusiasts interested in exploring new ideas in cloud security. We hope you’ll enjoy our blog enough to subscribe and share.

Confucius APT deploys Warzone RAT

Research by Abhijit Mohanta and Ashwin Vamshi

Uptycs' threat research team published a piece about Warzone RAT and its advanced capabilities in November 2020. During the first week of January 2021, we discovered an ongoing targeted attack campaign related to Confucius APT, a threat actor / group primarily targeting government sectors in South Asia. This attack was identified by our in-house osquery-based sandbox that triggered a detection on Warzone RAT activity.

Based on our threat intelligence systems, we were able to confirm that the threat actor is trying to circumvent attacks with decoys that deliver the next stage payload via the template injection technique and a short C2 TTL (Time to Live).

Technical analysis

Our in-house sandbox, which uses Uptycs EDR for detection, detected a Warzone RAT payload in the attack kill chain of the decoy document “China Cruise Missiles Capabilities-Implications for the Indian Army.docx” (hash: b9b5a9fa0ad7f802899e82e103a6c2c699c09390b1a79ae2b357cacc68f1ca8e).

This attack document was crafted by the attacker group to entice the victims or targets into opening a file related to the ongoing India China border tension.

Screenshot from the China Cruise Missiles Capabilities-Implications for the Indian Army.docx decoy

Figure 1: Screenshot from the "China Cruise Missiles Capabilities-Implications for the Indian Army.docx" decoy.

We believe the decoy lure must have been copied from this PDF, which contains a study by Kartik Bommakanti for the Observer Research Foundation (ORF).

Attack kill chain

The decoy lure was a 16-page document that would have skipped the eye of static heuristic engines because they generally scan suspicious files based on the number of pages (malicious documents are usually one page).

Upon execution, the document used template injection to download the next stage RTF exploit that downloaded the final stage Warzone payload using a DLL embedded in the RTF exploit. The attack kill chain of the different phases of the attack is detailed in figure 2, below.

Attack kill chain.

Figure 2: Attack kill chain of the different phases of the attack.

The various phases of the attack are as follows:

  • Victim opens the Word document
  • Document downloads template RTF
  • Exploit in RTF is triggered and bing.dll is dropped and executed
  • Bing.dll downloads Warzone RAT

Using the template injection technique, the next stage payload is downloaded via the word/_rels/settings.xml.rels file present in the document structure as shown in figure 3, below.

setting.xmls.rels containing link to template.

Figure 3: setting.xmls.rels containing link to template.

The downloaded template (hash: 2f5fc653550b0b5d093427263b26892e3468e125686eb41206319c7060212c40) is an RTF file containing exploit code for the old vulnerability “CVE-2018-0802” in the Microsoft equation editor (EQNEDT32.exe). This is evident from the CLSID present in the RTF file “7b0002CE02-0000-0000-C000-000000000046,” which is related to the equation editor. The RTF contains a DLL embedded in an OLE object as shown in figure 4, below.

DLL embedded in OLE.

Figure 4: DLL embedded in OLE.

The embedded DLL file, bing.dll (SHA-256: 07277c9f33d0ae873c2be3742669594acc18c7aa93ecadb8b2ce9b870baceb2f), which is executed upon successful exploitation, contains an export “mark” that is responsible for downloading the Warzone payload. Figure 5, below, shows the code that downloads the Warzone payload.

Downloader code in DLL.

Figure 5: Downloader code in DLL.

The Warzone payload is saved to the %ProgramData% folder as update.exe (SHA-256: 4500851dad1ac87165fc938fe5034983c10423f800bbc2661741f39e43ab8c8d) as shown in the above figure. In order to maintain persistence, an LNK file named update.lnk pointing to update.exe is dropped to startup folders - “%AppData%Microsoft\Windows\Start Menu\Programs\Startup”.

Warzone RAT was caught by Uptycs in November. It has capabilities to log keystrokes, steal passwords, capture the webcam, and it has the ability to bypass UAC on Windows 10. You can read more details about Warzone RAT in our blog post.

Similar themed attacks delivering Warzone RAT

We identified three similar DLL files in our threat intelligence systems with the same imphash: 58f8f4bdb6d7059247f4fe90a8ba9477. Using this data, we identified three more decoy documents most likely used for different targets using these DLL files as the next stage payloads.

The first decoy document was observed in October 2020.

  • File name: Testing.docx
  • Hash: a3cd781b14d75de94e5263ce37a572cdf5fe5013ec85ff8daeee3783ff95b073
  • RTF hash: 686847b331ace1b93b48528ba50507cbf0f9b59aef5b5f539a7d6f2246135424
  • DLL hash: 1c41a03c65108e0d965b250dc9b3388a267909df9f36c3fefffbd26d512a2126
  • PDB path: C:\Users\admin\Documents\dll\linknew\Release\linknew.pdb
  • C2: recent[.]wordupdate[.]com

The decoy’s subject focused on China preparing for war in the Taiwan Strait—a topic sure to attract attention

China preparing for war in the Taiwan Strait decoy.

Figure 6: China preparing for war in the Taiwan Strait decoy.

The second decoy was observed in November 2020. Interestingly, this decoy had the same hash of the next stage RTF and the DLL payloads used in the first decoy document.

  • File name: Suparco Vacancy Notification.docx
  • Hash: 59ccfff73bdb8567e7673a57b73f86fc082b0e4eeaa3faf7e92875c35bf4f62c
  • RTF hash: 686847b331ace1b93b48528ba50507cbf0f9b59aef5b5f539a7d6f2246135424
  • DLL hash: 1c41a03c65108e0d965b250dc9b3388a267909df9f36c3fefffbd26d512a2126
  • PDB path: C:\Users\admin\Documents\dll\linknew\Release\linknew.pdb
  • C2: recent[.]wordupdate.com

This decoy posed as a job application form for the Pakistan Space & Upper Atmosphere Research Commission (SUPARCO).

SUPARCO vacancy notification decoy.

Figure 7: SUPARCO vacancy notification decoy.

Also in November 2020, we identified another highly targeted decoy:

  • Hash: 59cd62ad204e536b178db3e2ea10b36c782be4aa4849c10eef8484433a524297
  • RTF hash: 3ce48f371129a086935b031333387ea73282bda5f22ff78c85ee7f0f5e4625fe
  • DLL hash: ea52d6358d53fc79e1ab61f64cb77bb47f773f0aa29223b115811e2f339e85f5
  • PDB path: C:\Users\admin\Documents\dll\linknew\Release\linknew.pdb
  • C2: recent.wordupdate.com

This decoy focused on another attention-grabbing topic—what to expect from Joe Biden, the new president of the United States, related to top nuclear weapons issues. The DLL file connected to the same C2 and contained the same PDB path in the above two documents.

Top nuclear weapons issues decoy.

Figure 8: Top nuclear weapons issues decoy.

Based on the decoys and the topics, we believe the campaign is ongoing with selected targets. As the C2 TTL is short lived, we believe the threat actor is tailoring the attacks to selected targets and taking down their attack elements.

Targeted attacks will always try to leverage the latest news with high media attention to tailor attacks. The Warzone RAT was deployed as the final stage payload to monitor and carry surveillance on the victim's machine. While traditional solutions have a detection stance against such threats, it is always recommended to have a layered security approach that has advanced analytics and granular visibility of targeted attacks and the next stage payloads used in their attack kill chains.

















YARA rule

rule upt_Confucius_apt_dll {
		description="DLL used by Confucius"
		author = "abhijit mohanta"
		date = "January 2021"

		$upt_APT_10 = { 61 00 00 ?? 61 00 00 ?? 67 00 00 ?? 66 00 00}
		$upt_APT_11=  { 62 00 00 ED 61 00 00 99 66 00 00 77 66 00 00}
		$upt_APT_21 = ".gfids"  ascii wide 

		(any of ($upt_APT_1*)) and $upt_APT_21