A newly discovered threat group shares similarities with three advanced persistent threats (APTs), Trend Micro security researchers have discovered.
Referred to as Urpage, the actor is connected to the hacking groups known as Bahamut, Confucius, and Patchwork. Trend Micro found a connection between Confucius and Patchwork in early 2018, but continued the investigation and discovered further evidence of similarities between the groups.
Also known as Dropping Elephant and Chinastrats, Patchwork is a cyberespionage group that was associated with various attacks last year. Operating out of the Indian subcontinent, it targets various entities, including United States-based think tanks.
Urpage, which targets InPage (a word processor for Urdu and Arabic languages under Windows and Mac and a de facto standard Urdu publishing tool), is using a Delphi backdoor component that links it to Confucius and Patchwork, as well as Bahamut-like malware, Trend Micro reveals.
Specifically, the actor is using Android malware that matches Bahamut’s code, but which connects to its own command and control (C&C) infrastructure. Also acting as phishing sites, some of these C&Cs attempt to lure users into downloading malicious applications via links to Google Play (the programs are no longer available in the portal).
However, not all C&C websites advertise malicious applications, the security researchers warn. Some of them only contain a random template with empty categories.
Urpage’s malicious programs are designed to steal information from the compromised machines, the same as Bahamut applications do. They can retrieve network information and the MAC address, steal SMS messages and contacts, record audio, retrieve GPS location, and steal files with specific extensions.
One of the applications works on top of a modified version of the legitimate Threema end-to-end encrypted messaging software to steal screenshots of messages. While the modified app works normally, the malicious code, which is hidden from the user, takes screenshots every 10 seconds.
The attacker-linked websites also host malicious documents that link Urpage to other threat actors. These include an RTF file that exploits CVE-2017-8750 and an InPage file that exploits CVE-2017-12824, both of which drop VB backdoors.
Trend Micro discovered that Urpage uses the same Delphi file stealer as the threat actor Confucius, and also that the two are linked via a couple of malicious RTF files that download a similar script.
With the Patchwork group also using the Delphi file stealer, the three groups appear related in some form. The link with Patchwork is further strengthened by an Android application that features code similar to that of Bahamut and a C&C that uses the registration pattern of Patchwork’s group, along with infrastructure close to an old Patchwork domain.
“The many similarities and connections show that threat actors do not work in isolation, and that attacks do not necessarily appear from out of nowhere. This may even suggest that a single development team may be behind this attack — maybe a single paid group that has sold its tools and services to other groups with different goals and targets,” Trend Micro concludes.