Confucius APT, a threat actor/group primarily targeting government sectors in South Asia is active again in the region and targeting Pakistani officials in their latest decoy campaign deploying their Warzone RAT. the threat actor is trying to circumvent attacks with decoys that deliver the next stage payload via the template injection technique and a short C2 TTL (Time to Live).
A Warzone RAT was sent via malicious emails in the attack kill chain of the decoy document which indicates the capabilities of the cruise missiles implications for the Indian AIrforce and army. This is a very well-planned activity that is well thought and the document was crafted by the attacker group to entice the victims or targets into opening a file related to the ongoing India China border tension.
The document used template injection to download the next stage RTF exploit that downloaded the final stage Warzone payload using a DLL embedded in the RTF exploit.
The various phases of the attack are as follows:
The second decoy was observed in November 2020. Interestingly, this decoy had the same hash of the next stage RTF and the DLL payloads used in the first decoy document.
Another decoy document was found as an attachment which focuses on the Biden administration and what to expect from them in terms of nuclear weapon issues. The DLL file connected to the same C2 and contained the same PDB path in the above two documents.