SecurityWeek

Cybercrime

Researchers Draw Connections Between APTs

A newly discovered threat group shares similarities with three advanced persistent threats (APTs), Trend Micro security researchers have discovered.

Referred to as Urpage, the actor is connected to the hacking groups known as Bahamut, Confucius, and Patchwork. Trend Micro found a connection between Confucius and Patchwork in early 2018, but continued the investigation and discovered further evidence of similarities between the groups.

Also known as Dropping Elephant and Chinastrats, Patchwork is a cyberespionage group that was associated with various attacks last year. Operating out of the Indian subcontinent, it targets a range of entities, including United States-based think tanks.

Urpage, which targets InPage (a word processor for the Urdu and Arabic languages, available for Windows and Mac, and the de facto standard Urdu publishing tool), is using a Delphi backdoor component that links it to Confucius and Patchwork, as well as Bahamut-like malware, Trend Micro reveals.

Specifically, the actor is using Android malware that matches Bahamut’s code, but which connects to its own command and control (C&C) infrastructure. Some of these C&Cs also act as phishing sites and attempt to lure users into downloading malicious applications via links to Google Play (the programs are no longer available in the store).

However, not all C&C websites advertise malicious applications, the security researchers warn. Some of them only contain a random template with empty categories.

Urpage’s malicious programs are designed to steal information from compromised devices, as Bahamut’s applications do. They can retrieve network information and the MAC address, steal SMS messages and contacts, record audio, retrieve the GPS location, and steal files with specific extensions.

One of the applications works on top of a modified version of the legitimate Threema end-to-end encrypted messaging software to steal screenshots of messages. While the modified app works normally, the malicious code, which is hidden from the user, takes screenshots every 10 seconds.


The attacker-linked websites also host malicious documents that tie Urpage to other threat actors. These include an RTF file that exploits CVE-2017-8750 and an InPage file that exploits CVE-2017-12824, both of which drop VB backdoors.
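Weaponised RTF lures of the kind described above almost always carry their payload as an embedded OLE object, and they frequently use a truncated `{\rt` header that Word still opens but naive signatures miss. The script below is an added triage example written for this article; it is not Trend Micro's tooling, it says nothing about the specific Urpage documents, and the two sample documents it inspects are constructed inline. It flags an RTF when it contains `\objdata` blobs or a malformed header, decodes the hex-encoded object data, and reports whether an OLE compound file is wrapped inside.

```python
"""Triage RTF documents for embedded OLE objects.

Added example for this article; it is not Trend Micro's tooling and the two
sample documents below are constructed here, not the Urpage lures.
"""
import re

# Genuine RTF begins "{\rtf1". Word also accepts truncated headers such as
# "{\rt", which malicious documents use to dodge naive signatures.
RTF_HEADER = re.compile(rb"^\{\\rt")
# \objclass names the embedded object's class; \objdata carries it hex-encoded.
OBJ_CLASS = re.compile(rb"\\objclass\s*([A-Za-z0-9._]+)")
OBJ_DATA = re.compile(rb"\\objdata\s*([0-9A-Fa-f][0-9A-Fa-f\s]*)")
# Magic bytes of an OLE compound file (what most weaponised objects contain).
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")


def decode_objdata(hex_blob: bytes) -> bytes:
    """Turn the whitespace-laden hex after \\objdata into raw bytes."""
    cleaned = re.sub(rb"\s+", b"", hex_blob)
    if len(cleaned) % 2:          # tolerate a trailing half-byte
        cleaned = cleaned[:-1]
    return bytes.fromhex(cleaned.decode("ascii"))


def triage_rtf(data: bytes) -> dict:
    """Return a small report describing whether, and why, an RTF needs a closer look."""
    report = {
        "is_rtf": bool(RTF_HEADER.match(data)),
        "malformed_header": False,
        "embedded_objects": 0,
        "object_classes": [],
        "contains_ole": False,
        "suspicious": False,
    }
    if not report["is_rtf"]:
        return report

    report["malformed_header"] = not data.startswith(b"{\\rtf1")
    report["object_classes"] = [
        c.decode("ascii", "replace") for c in OBJ_CLASS.findall(data)
    ]
    payloads = [decode_objdata(h) for h in OBJ_DATA.findall(data)]
    report["embedded_objects"] = len(payloads)
    report["contains_ole"] = any(OLE_MAGIC in p for p in payloads)
    # Any embedded object is worth a sandbox run; a malformed header on top
    # of that is a strong sign the file was crafted rather than authored.
    report["suspicious"] = report["embedded_objects"] > 0 or report["malformed_header"]
    return report


# Constructed samples (not real malware): a plain document and one that
# embeds a "Package" object whose OLE1 blob wraps an OLE compound file.
BENIGN_RTF = b"{\\rtf1\\ansi\\deff0 Quarterly report.\\par}"
_OLE1_BLOB = (
    "0105000002000000"             # OLE1 version + format (2 = embedded)
    "08000000" "5061636b61676500"  # class name length + "Package\0"
    "0000000000000000"             # topic/item name lengths
    "10000000"                     # native data length (16 bytes)
    "d0cf11e0a1b11ae1"             # compound-file magic
    "0000000000000000"             # padding
)
SUSPICIOUS_RTF = (
    b"{\\rt\\ansi{\\object\\objemb\\objclass Package{\\*\\objdata "
    + _OLE1_BLOB.encode("ascii")
    + b"}}\\par}"
)


if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_RTF), ("suspicious", SUSPICIOUS_RTF)):
        print(name, triage_rtf(doc))
```

Running the block prints a report per sample; the benign document comes back clean, while the constructed lure is flagged for its truncated header, one embedded `Package` object, and the compound-file magic found inside the decoded object data. Treat a positive result as a reason to detonate the file in a sandbox, not as proof of exploitation.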

Trend Micro discovered that Urpage uses the same Delphi file stealer as the threat actor Confucius, and also that the two are linked via a couple of malicious RTF files that download a similar script.

With the Patchwork group also using the Delphi file stealer, the three groups appear related in some form. The link with Patchwork is further strengthened by an Android application that features code similar to that of Bahamut and a C&C that uses the registration pattern of Patchwork’s group, along with infrastructure close to an old Patchwork domain.

“The many similarities and connections show that threat actors do not work in isolation, and that attacks do not necessarily appear from out of nowhere. This may even suggest that a single development team may be behind this attack — maybe a single paid group that has sold its tools and services to other groups with different goals and targets,” Trend Micro concludes.

Related: Patchwork Cyberspies Target U.S. Think Tanks

Related: Patchwork Cyberspies Update the Badnews Backdoor

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
