Connect with us

Hi, what are you looking for?



Researchers Draw Connections Between APTs

A newly discovered threat group shares similarities with three advanced persistent threats (APTs), Trend Micro security researchers have discovered.

A newly discovered threat group shares similarities with three advanced persistent threats (APTs), Trend Micro security researchers have discovered.

Referred to as Urpage, the actor is connected to the hacking groups known as Bahamut, Confucius, and Patchwork. Trend Micro found a connection between Confucius and Patchwork in early 2018, but continued the investigation and discovered further evidence of similarities between the groups.

Also known as Dropping Elephant and Chinastrats, Patchwork is a cyberespionage group that associated with various attacks last year. Operating out of the Indian subcontinent, it targets various entities, including United States-based think tanks.

Urpage, which targets InPage (a word processor for Urdu and Arabic languages under Windows and Mac and a de facto standard Urdu publishing tool), is using a Delphi backdoor component that links it to Confucius and Patchwork, as well as Bahamut-like malware, Trend Micro reveals.

Specifically, the actor is using Android malware that matches Bahamut’s cod
e, but which connects to its own command and control (C&C) infrastructure. Also acting as phishing sites, some of these C&C’s attempt to lure users into downloading malicious applications via links to Google Play (the programs are no longer available in the portal).

However, not all C&C websites advertise malicious applications, the security researchers warn. Some of them only contain a random template with empty categories.

Urpage’s malicious programs are designed to steal information from the compromised machines, the same as Bahamut applications to. They can retrieve network information and the MAC address, steal SMS messages and contacts, record audio, retrieve GPS location, and steal files with specific extensions.

Advertisement. Scroll to continue reading.

One of the applications works on top of a modified version of the legitimate Threema end-to-end encrypted messaging software to steal screenshots of messages. While the modified app works normally, the malicious code, which is hidden from the user, takes screenshots every 10 seconds.

The attacker-linked websites also host malicious documents that link Urpage to other threat actors. These include a RTF file that exploits the CVE-2017-8750 and an InPage file that exploits CVE-2017-12824, both of which are dropping VB backdoors.

Trend Micro discovered that Urpage uses the same Delphi file stealer as the threat actor Confucius, and also that the two are linked via a couple of malicious RTF files that download a similar script.

With the Patchwork group also using the Delphi file stealer, the three groups appear related in some form. The link with Patchwork is further strengthened by an Android application that features code similar to that of Bahamut and a C&C that uses the registration pattern of Patchwork’s group, along with infrastructure close to an old Patchwork domain.

“The many similarities and connections show that threat actors do not work in isolation, and that attacks do not necessarily appear from out of nowhere. This may even suggest that a single development team may be behind this attack — maybe a single paid group that has sold its tools and services to other groups with different goals and targets,” Trend Micro concludes.

Related: Patchwork Cyberspies Target U.S. Think Tanks

Related: Patchwork Cyberspies Update the Badnews Backdoor

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Artificial Intelligence

The degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool...