Researchers from Trend Micro linked a recently discovered actor, tracked as Urpage, to the hacking groups known as Bahamut, Confucius, and Patchwork.
Trend Micro first connected the Confucius group to the Patchwork crew in early 2018, then discovered many similarities between the groups.
The Patchwork (aka Dropping Elephant and Chinastrats) was first spotted by Kaspersky Lab in 2016, when the group targeted organizations in multiple industries, The activities of the group are focused on diplomatic and government targets, in some campaigns it also targeted private businesses.
China’s foreign relations efforts appear appeared to represent the main interest of the Patchwork group.
“In this case we dig deeper into the possible connection between cyberattacks by focusing on the similarities an unnamed threat actor shares with Confucius, Patchwork, and another threat actor called Bahamut. For the sake of this report, we will call this unnamed threat actor “Urpage.”” reads the analysis published by Trend Micro.
“What sets Urpage attacks apart is its targeting of InPage, a word processor for Urdu and Arabic languages. However, its Delphi backdoor component, which it has in common with Confucius and Patchwork, and its apparent use of Bahamut-like malware, is what makes it more intriguing as it connects Urpage to these other known threats.”
Back to the present, the Urpage hackers target InPage word processor used for Urdu and Arabic languages for both Windows and Mac systems. The attackers leverage a Delphi backdoor that links it to Confucius and Patchwork groups, as well as an Android malware similar to Bahamut one.
The Android malware used by the Urpage group connects its own command and control (C&C) infrastructure.
Some of the C&C websites used by the group also act as phishing sites that lure users into downloading malicious applications.
“The threat actor sets up these fake websites describing the application and linking to the Google Play Store to download it, like in the case of the malicious website, pikrpro[.]eu, seen below” continues the report.
The Urpage malware is a data stealer like the Bahamut applications, it can collect data from the infected host such as network information and the MAC address, it can steal SMS messages and contacts, record audio, retrieve GPS location, and steal files with specific extensions.
Experts noticed that some C&C also host other malicious documents that link the Urpage group to the other groups.
One of the C&Cs was hosting a weaponized RTF file that triggers the CVE-2017-8750 flaw and an InPage file that exploits CVE-2017-12824.
Another similarity between Urpage and the other groups is the use of the same Delphi file stealer.
Concluding, the Urpage appears to be linked to the other threat actors, a link that is very close with the Patchwork group that leverages the same Android application, uses the same the registration pattern for C&C and the infrastructure is close to an old Patchwork domain.
The evidence collected by the experts suggest the attacks conducted by the groups are part of a wider coordinated operation.
“The many similarities and connections show that threat actors do not work in isolation, and that attacks do not necessarily appear from out of nowhere. This may even suggest that a single development team may be behind this attack — maybe a single paid group that has sold its tools and services to other groups with different goals and targets. We’ve summarized all the mentioned findings in the table below.” concludes Trend Micro.