
Rewterz Threat Alert – ‘Confucius’ APT group Targeting Pakistan

Severity

High

Analysis Summary

The threat actor Confucius has recently been active, targeting Pakistan with malicious files. The Confucius APT group's campaigns were reportedly active as early as 2013, abusing Yahoo! and Quora forums as part of their command-and-control (C&C) communications. Confucius' operations include deploying bespoke backdoors and stealing files from victims' systems with tailored file stealers. The stolen files are then exfiltrated by abusing a cloud service provider. Some of these file stealers specifically target files on USB devices, probably as a way of reaching into air-gapped environments.

Impact

Information theft and espionage

Indicators of Compromise

Filename

  • update

MD5

  • feb6a0dc922843c710bd18edddb67980

SHA-256

  • 8ecf1c276e10e3f3e9f7bc9e728fde9abea23348a2af6ce70269008d632a412d

SHA-1

  • f317a837f52c4488e3de6eb665f13ae582474b47

URL

  • http[:]//mlservices[.]online/sync/update
  • http[:]//mlservices[.]online/content/upgrade

Remediation

  • Block all threat indicators at your respective controls: the domain and URLs at the web proxy and DNS layer, the file hashes at the endpoint protection and e-mail gateway.
  • Search for the IOCs in your environment (proxy and DNS logs for the C&C domain, endpoint telemetry for the hashes). The filename "update" is low-confidence on its own and should only be treated as a hit together with a hash or network match.
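The following is an added example of how to run the IOC hunt described above; it is not code from Rewterz or from the advisory. It sweeps a directory tree for files whose name or MD5/SHA-1/SHA-256 matches the published indicators, and scans proxy log lines for requests to the C&C domain (including any subdomain, which is an assumption that widens the match beyond the two listed URLs). The log lines and the file written by the self-check are constructed for the example; the hash and URL values are the ones listed in this advisory.

```python
"""Added example (not from the advisory): sweep a file tree and proxy logs for the published IOCs."""
import hashlib
import os
import re
import sys
import tempfile

URL_RE = re.compile(r"https?://([^/\s:]+)(?::\d+)?(/[^\s\"]*)?")


def refang(ioc):
    """Turn a defanged indicator (hxxp, [.] and [:]) back into a matchable string."""
    return ioc.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")


# IOCs as published in this advisory.
IOC_FILENAMES = {"update"}
IOC_HASHES = {
    "md5": {"feb6a0dc922843c710bd18edddb67980"},
    "sha1": {"f317a837f52c4488e3de6eb665f13ae582474b47"},
    "sha256": {"8ecf1c276e10e3f3e9f7bc9e728fde9abea23348a2af6ce70269008d632a412d"},
}
IOC_URLS_DEFANGED = [
    "http[:]//mlservices[.]online/sync/update",
    "http[:]//mlservices[.]online/content/upgrade",
]
# Derive the domain and the known C&C paths from the defanged URLs.
IOC_DOMAINS, IOC_URL_PATHS = set(), set()
for _u in IOC_URLS_DEFANGED:
    _host, _path = URL_RE.findall(refang(_u))[0]
    IOC_DOMAINS.add(_host.lower())
    IOC_URL_PATHS.add(_path)


def file_digests(path):
    """Compute MD5, SHA-1 and SHA-256 of a file in one pass, reading 1 MiB chunks."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in digests.values():
                h.update(chunk)
    return {algo: h.hexdigest() for algo, h in digests.items()}


def scan_tree(root, filenames=IOC_FILENAMES, hashes=IOC_HASHES):
    """Walk `root` and return (path, kind, value) for every file whose name or hash is an IOC.
    A filename hit alone is weak evidence ("update" is a common name); a hash hit is not."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if name in filenames:
                hits.append((path, "filename", name))
            try:
                digests = file_digests(path)
            except OSError:  # unreadable or vanished file: skip it, do not abort the sweep
                continue
            for algo, value in digests.items():
                if value in hashes.get(algo, ()):
                    hits.append((path, algo, value))
    return hits


def scan_proxy_log(lines, domains=IOC_DOMAINS, paths=IOC_URL_PATHS):
    """Return (line_no, host, path, known_path) for each request to an IOC domain or a
    subdomain of it (subdomain matching is an assumption, not part of the advisory).
    known_path is True only when the URL path is one of the published C&C paths."""
    hits = []
    for n, line in enumerate(lines, 1):
        for host, path in URL_RE.findall(line):
            host = host.lower().rstrip(".")
            if host in domains or any(host.endswith("." + d) for d in domains):
                path = path or "/"
                hits.append((n, host, path, path in paths))
    return hits


# Constructed proxy log lines (Squid-like layout), not real traffic.
SAMPLE_PROXY_LOG = [
    "1612860000.123 10.0.0.5 TCP_MISS/200 GET http://mlservices.online/sync/update",
    "1612860001.456 10.0.0.5 TCP_MISS/200 GET https://example.com/index.html",
    "1612860002.789 10.0.0.7 TCP_MISS/200 GET http://mlservices.online:8080/content/other",
]


def demo_file_scan():
    """Self-check with a constructed file named "update": its own SHA-256 is added to a copy
    of the IOC set so the hash-matching path is exercised without the real sample on disk."""
    with tempfile.TemporaryDirectory() as root:
        sample = os.path.join(root, "update")
        with open(sample, "wb") as fh:
            fh.write(b"constructed sample, not the real artifact\n")
        hashes = {algo: set(v) for algo, v in IOC_HASHES.items()}
        hashes["sha256"].add(file_digests(sample)["sha256"])
        return scan_tree(root, hashes=hashes)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for hit in scan_tree(root):
        print("FILE", *hit)
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("LOG", *hit)
```

Run it with the directory to sweep as the first argument; a domain hit whose path is not one of the two published paths (the third sample line) is still reported, since any contact with the C&C domain is worth triage, but is flagged with `known_path=False` so it can be prioritised separately.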