Severity
High
Analysis Summary
The Confucius APT group, known for targeting government and military organizations in South and East Asia, has resurfaced with a new espionage campaign. Security researchers have identified a modular backdoor framework named Anondoor, a significant evolution of the group's attack chain and tactics. The campaign combines a modular architecture, dynamic C2 communication and sandbox-evasion techniques to operate stealthily and evade detection.
The infection begins with a malicious .lnk (Windows shortcut) file that downloads the remaining components: python313.dll (the Anondoor backdoor, named like the Python 3.13 runtime library), BlueAle.exe (a legitimate Python interpreter binary), and a scheduled task named SystemCheck that provides persistence. Anondoor is implemented as a C# DLL and resolves and runs its functions at run time through reflection (the Invoke method) rather than calling them directly, which hinders static analysis and sandbox detection.
Once installed, Anondoor collects detailed system information (OS version, IP addresses, host and user names, disk layout and firmware UUID), appends a unique marker and sends the result to the attacker's C2 server. Instead of relying on hard-coded URLs, the malware builds dynamic, parameterized requests to fetch additional modules and instructions. Commands and components arrive as base64-encoded strings in a custom format that carries module IDs, execution directives and download URLs.
The malware loads additional C# modules on demand, including the previously documented Wooperstealer credential-theft tool. This gives the operators a wide range of espionage functions while keeping the initial footprint minimal.
Dynamic C2 infrastructure, modular loading and obfuscated communications make Anondoor difficult to detect and attribute. Even when individual components are captured, the operators can keep their real infrastructure hidden, which complicates both forensic analysis and mitigation.
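The beacon and tasking traffic described above (host details joined with a marker, and base64-encoded strings that carry module IDs, directives and download URLs) can be hunted for in proxy logs without knowing the exact format: decode every base64-looking query value and flag the ones that decode to structured text or contain a URL. The following Python script is an added example, not code from the advisory or the researchers; the log lines, the example.invalid hostnames and the "MODULE|DIRECTIVE|URL" layout are constructed stand-ins, and the rules key on the shape of the decoded content rather than on Anondoor's real format.

```python
"""Flag base64-encoded, structured values in outbound HTTP proxy logs.

Added example, not code from the advisory. The sample log lines and the
"MODULE|DIRECTIVE|URL" directive layout are constructed stand-ins: the real
Anondoor format is not documented here, so the rules key on shape, not format.
"""
import base64
import binascii
import re
from urllib.parse import unquote, urlsplit

# A value long enough to carry data and drawn only from the base64 alphabet
# (standard or URL-safe), with optional padding.
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/_-]{16,}={0,2}$")
URL_IN_TEXT = re.compile(r"https?://", re.IGNORECASE)
FIELD_SEPARATORS = re.compile(r"[|;,:]")


def decode_b64(token: str):
    """Decoded text if `token` is base64 for printable ASCII, otherwise None."""
    core = token.rstrip("=")
    padded = core + "=" * (-len(core) % 4)
    try:
        if "-" in core or "_" in core:
            raw = base64.urlsafe_b64decode(padded)
        else:
            raw = base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def is_structured(text: str) -> bool:
    """Decoded content that embeds a URL or several delimiter-separated fields."""
    if URL_IN_TEXT.search(text):
        return True
    return len(FIELD_SEPARATORS.split(text)) >= 4


def query_params(url: str):
    """(name, value) pairs of a URL's query, without the '+'-to-space rewriting
    of urllib's parse_qsl, which would corrupt standard base64."""
    for pair in urlsplit(url).query.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            yield name, unquote(value)


def scan_line(line: str) -> list:
    """[(param, decoded_text)] for structured base64 values in one log line."""
    hits = []
    for field in line.split():
        if not field.lower().startswith(("http://", "https://")):
            continue
        for name, value in query_params(field):
            if B64_TOKEN.match(value):
                decoded = decode_b64(value)
                if decoded and is_structured(decoded):
                    hits.append((name, decoded))
    return hits


def scan_logs(lines) -> list:
    """[(line_number, param, decoded_text)] over a whole log."""
    return [(n, name, decoded)
            for n, line in enumerate(lines, 1)
            for name, decoded in scan_line(line)]


def _b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


# Constructed proxy log lines: "time client method url". example.invalid is a reserved name.
SAMPLE_LOGS = [
    "2025-06-23T10:00:01Z 10.0.0.5 GET https://www.example.invalid/search?q=weather&sid=3f2a9c",
    # Beacon: host details joined with separators plus a marker, as the advisory describes.
    "2025-06-23T10:00:07Z 10.0.0.5 GET http://cdn.example.invalid/api?mark=XQ1&info="
    + _b64("DESKTOP-01;jdoe;10.0.0.5;Windows 10 Pro;4C4C4544-0033-4A10-8047-C8C04F4A3533"),
    # Tasking: module id, directive and download URL in a constructed layout.
    "2025-06-23T10:00:09Z 10.0.0.5 GET http://cdn.example.invalid/api?m="
    + _b64("M07|LOAD|http://cdn.example.invalid/mods/7.bin"),
    # Benign base64 ("hello world!!") that must not be flagged.
    "2025-06-23T10:00:12Z 10.0.0.5 GET https://www.example.invalid/img?token=aGVsbG8gd29ybGQhIQ==",
]

if __name__ == "__main__":
    for n, name, decoded in scan_logs(SAMPLE_LOGS):
        print(f"line {n}: param {name!r} decodes to {decoded!r}")
```

Run against real proxy exports, the script reports the beacon (line 2) and the tasking request (line 3) and ignores the short session ID and the benign token. Tune the minimum token length and the field-count threshold to your own traffic; the value of the approach is that it does not depend on the attacker's URL or encoding layout, which the advisory notes are dynamic.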
Impact
- Credential Theft
- Data Exfiltration
- Unauthorized Access
Indicators of Compromise
MD5
- e1ddd542c871b08ae3320884cc51d592
SHA-256
- abefd29c85d69f35f3cf8f5e6a2be76834416cc43d87d1f6643470b359ed4b1b
SHA-1
- 21635f595f1834f67b2288827704ab9440955e8d
Remediation
- Block execution of .lnk files from untrusted sources
- Monitor for unexpected scheduled tasks, including the SystemCheck name used by this campaign
- Deploy behavioral-based endpoint detection and response (EDR) tools
- Restrict use of legitimate Python interpreters such as pythonw.exe to approved applications, including copies dropped under other names (BlueAle.exe in this campaign)
- Inspect outbound HTTP traffic for base64-encoded parameters or bodies that decode to structured commands or URLs
- Regularly update and patch systems to reduce exploit surface
- Conduct network segmentation to limit lateral movement
- Apply application allowlisting to control which DLLs and executables are permitted to run
- Train users to recognize and report suspicious file attachments
- Implement strict email filtering to block initial infection vectors
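The scheduled-task and interpreter-restriction recommendations above can be turned into a concrete hunt over endpoint inventory: flag tasks named SystemCheck, flag any task whose executable sits next to a python3*.dll outside the standard install locations (this catches a renamed interpreter such as BlueAle.exe, which a name-based rule would miss), and compare that DLL's hashes with the indicators listed above. The following Python script is an added example, not code from the advisory or its authors; the task and file records, the inventory layout and the TRUSTED_ROOTS list are constructed assumptions, and only the task name, file names and hash values come from the advisory.

```python
"""Hunt for the Anondoor persistence chain in endpoint inventory data.

Added example, not code from the advisory. Task and file records are
constructed; the task name, file names and hashes are the ones the advisory
lists. The record layout and TRUSTED_ROOTS are assumptions to tune per estate.
"""
import hashlib
import re
from pathlib import PureWindowsPath

# Indicators taken from the advisory.
IOC_HASHES = {
    "md5": {"e1ddd542c871b08ae3320884cc51d592"},
    "sha1": {"21635f595f1834f67b2288827704ab9440955e8d"},
    "sha256": {"abefd29c85d69f35f3cf8f5e6a2be76834416cc43d87d1f6643470b359ed4b1b"},
}
SUSPECT_TASK_NAMES = {"systemcheck"}
PYTHON_RUNTIME_DLL = re.compile(r"python3\d*\.dll")
# Where a Python runtime is expected to live on a managed host (assumption).
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


def hashes_of(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256 of a file's bytes, keyed like IOC_HASHES."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def ioc_hash_hits(file_hashes: dict) -> list:
    """Algorithms under which a file's hash matches a listed indicator."""
    return [alg for alg, digest in file_hashes.items()
            if digest.lower() in IOC_HASHES.get(alg, set())]


def python_runtime_dlls(directory: str, files: dict) -> list:
    """Paths of python3*.dll files that sit directly in `directory`."""
    wanted = directory.lower()
    return [p for p in files
            if str(PureWindowsPath(p).parent).lower() == wanted
            and PYTHON_RUNTIME_DLL.fullmatch(PureWindowsPath(p).name.lower())]


def evaluate_task(task: dict, files: dict) -> list:
    """Reasons a scheduled task looks like the Anondoor chain (empty = clean).

    task:  {"name": ..., "command": <path of the executable>, "arguments": ...}
    files: {<path>: hashes dict} for files present on the host.
    """
    reasons = []
    if task["name"].lower() in SUSPECT_TASK_NAMES:
        reasons.append(f"task name '{task['name']}' matches a known persistence name")
    command_dir = str(PureWindowsPath(task["command"]).parent)
    # A Python runtime DLL beside the task's executable identifies a Python
    # interpreter even when the .exe was renamed (BlueAle.exe in this campaign).
    runtime = python_runtime_dlls(command_dir, files)
    if runtime and not command_dir.lower().startswith(TRUSTED_ROOTS):
        reasons.append(f"Python runtime in a non-standard location: {command_dir}")
    for dll in runtime:
        hits = ioc_hash_hits(files[dll])
        if hits:
            reasons.append(f"{dll} matches IOC hash ({', '.join(hits)})")
    return reasons


def hunt(tasks: list, files: dict) -> dict:
    """Map task name -> reasons for every task that triggers at least one rule."""
    findings = {}
    for task in tasks:
        reasons = evaluate_task(task, files)
        if reasons:
            findings[task["name"]] = reasons
    return findings


# Constructed sample inventory; the advisory's hashes are attached to a constructed path.
SAMPLE_FILES = {
    r"C:\Users\jdoe\AppData\Roaming\Update\python313.dll": {
        "md5": "e1ddd542c871b08ae3320884cc51d592",
        "sha1": "21635f595f1834f67b2288827704ab9440955e8d",
        "sha256": "abefd29c85d69f35f3cf8f5e6a2be76834416cc43d87d1f6643470b359ed4b1b",
    },
    r"C:\Users\jdoe\AppData\Roaming\Update\BlueAle.exe": hashes_of(b"placeholder: renamed interpreter"),
    r"C:\Program Files\Python313\python313.dll": hashes_of(b"placeholder: genuine runtime"),
    r"C:\Program Files\Python313\pythonw.exe": hashes_of(b"placeholder: genuine interpreter"),
}
SAMPLE_TASKS = [
    {"name": "SystemCheck", "command": r"C:\Users\jdoe\AppData\Roaming\Update\BlueAle.exe", "arguments": "main.py"},
    {"name": "DevTests", "command": r"C:\Program Files\Python313\pythonw.exe", "arguments": "run.py"},
    {"name": "Adobe Acrobat Update Task", "command": r"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe", "arguments": ""},
]

if __name__ == "__main__":
    for name, reasons in hunt(SAMPLE_TASKS, SAMPLE_FILES).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

On the sample data only SystemCheck fires, on all three rules; the developer's pythonw.exe task under Program Files is left alone even though it is the same interpreter. Feed the script from a scheduled-task export (for example the output of schtasks /query /xml or Get-ScheduledTask) and a file inventory with hashes, and treat the location rule as the durable one: the task name and hashes change between campaigns, an interpreter running from a user-writable directory is the pattern worth keeping.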