The Confucius malware uses a word-puzzle mechanism to determine the addresses of its remote C&C servers.
The Confucius Malware Uses a Novel Technique to Communicate with the Remote C&C Servers
Security experts from Palo Alto Networks identified two peculiar samples of the Confucius malware that use an interesting approach to C&C server communication. Simple malware usually relies on hardcoded addresses, while more complex strains use domain generation algorithms (DGAs).
The Confucius malware takes a quite different approach: it sends HTTP requests to pages on well-known sites such as Yahoo and Quora, popular question-and-answer communities where people search for answers to specific questions.
According to the research notes, the two samples operate in different ways:
- The first sample, named CONFUCIUS_A, retrieves the page’s source code and looks for a start marker and a stop marker. It extracts the words between these two locations and converts them to an IPv4 address. The word list covers every number from 1 to 255, which indicates a carefully planned mechanism.
- CONFUCIUS_B uses a similar approach. However, the words are converted to digits, and the malware then assembles the address from those digits. The researchers uncovered the lookup table used for this translation in the sample’s code.
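An analyst-side reimplementation of the CONFUCIUS_A decoding step described above, added here as an example (it is not the researchers' code or the malware's): it pulls the words between a start and a stop marker out of a captured page and maps each word to an octet. The markers, the lookup table and the page fragment are all constructed for illustration; the real values were recovered by the researchers and are not on this page.

```python
import re
from typing import Dict, Optional

# Constructed lookup table for illustration only; the table the researchers
# recovered from the real sample is not reproduced here.
WORD_TO_OCTET: Dict[str, int] = {
    "apple": 10, "stone": 2, "cloud": 15, "maple": 192,
    "delta": 168, "oak": 1, "pine": 254,
}
# Constructed start/stop markers; the real samples use their own.
START_MARKER, STOP_MARKER = "[[q-start]]", "[[q-end]]"

def extract_between_markers(page: str, start: str, stop: str) -> Optional[str]:
    """Return the text between the first start marker and the next stop marker."""
    s = page.find(start)
    if s == -1:
        return None
    e = page.find(stop, s + len(start))
    return None if e == -1 else page[s + len(start):e]

def words_to_ipv4(text: str, table: Dict[str, int]) -> Optional[str]:
    """Map each word to an octet via `table`; None unless exactly four known words."""
    words = re.findall(r"[a-z]+", text.lower())
    if len(words) != 4 or any(w not in table for w in words):
        return None  # unknown word or wrong length: not a valid beacon
    return ".".join(str(table[w]) for w in words)

def resolve_dead_drop(page: str) -> Optional[str]:
    """Analyst helper: the address a CONFUCIUS_A-style resolver would read from `page`."""
    payload = extract_between_markers(page, START_MARKER, STOP_MARKER)
    return None if payload is None else words_to_ipv4(payload, WORD_TO_OCTET)

# Constructed page fragment standing in for a captured Q&A post.
SAMPLE_PAGE = (
    "<html><body><p>Does anyone know a good recipe?</p>"
    "<p>[[q-start]] maple delta oak pine [[q-end]]</p></body></html>"
)

if __name__ == "__main__":
    print(resolve_dead_drop(SAMPLE_PAGE))  # 192.168.1.254
```

Run against pages captured from a suspected host's proxy logs, the recovered address can be added to a blocklist and used to confirm which posts acted as the dead drop.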
The first sample was used in attack campaigns against Pakistani officials. The second sample was identified in a cyber-espionage campaign known as Operation Patchwork, which targeted most of India’s neighbors. From this, the security experts conclude that the malicious operators of the malware strain are probably from India. The researchers believe that a single hacker or hacker collective is responsible for both strains.
It is highly likely that future attack campaigns will use the Confucius malware in India. It remains to be seen whether the approach proves effective and whether other malware families, or newer versions of this one, adopt the strategy as well.