Confucius Hackers Up Their Game With Multi-Stage Office Doc Attack
Cybersecurity researchers have uncovered a sophisticated multi-stage infection chain employed by the Confucius hacking group, believed to be linked to China. The group has escalated its operations using malicious Office 365 documents to compromise Windows endpoints with a new Python-based backdoor, AnonDoor.
The campaign begins with spear-phishing emails containing corrupted PPSX or DOCX attachments. Opening these documents triggers a background fetch of a secondary document, mango44NX.doc, from a remote server. This document exploits a vulnerability in OLE objects, initiating a chain of events involving VBScript droppers, PowerShell loaders, and scheduled tasks for persistence and evasion.
The first deployment of AnonDoor in this campaign was noted by Fortinet researchers, using a VBScript dropper hosted at greenxeonsr.info. This dropper downloads a raw DLL payload, stages execution via DLL side-loading, and ensures persistence by copying a legitimate executable and writing a registry key. The DLL reaches out to multiple C2 domains to retrieve further payloads, including the WooperStealer module and additional configuration files.
Defensive teams should monitor for anomalous OLE object behavior, unexpected registry modifications, and unusual DLL loads within Office processes to mitigate this threat. The Confucius group demonstrates advanced operational security and resilience against endpoint defenses by chaining document-based exploitation with obfuscated scripting and DLL side-loading.
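The monitoring advice above can be turned into concrete detection logic. The following is an added example, not code from the article or from Fortinet's research: it assumes Sysmon-style process-creation, image-load and registry events already parsed into dictionaries, and runs over a handful of constructed sample events that mimic the chain described (Office document spawning a script host, an Office process loading a DLL from a user-writable path, a Run-key write for persistence).

```python
import re

# Office hosts that open the lure documents, and the script/task hosts the chain abuses.
OFFICE_PROCS = {"winword.exe", "powerpnt.exe", "excel.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "schtasks.exe"}
# User-writable locations a DLL loaded into Office should not normally come from.
USER_WRITABLE = re.compile(r"\\(users\\[^\\]+\\appdata|programdata|temp)\\", re.I)

def image_name(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return a finding string for a suspicious event, or None."""
    kind = event["type"]
    if kind == "process_create":
        parent, child = image_name(event["parent"]), image_name(event["image"])
        if parent in OFFICE_PROCS and child in SCRIPT_HOSTS:
            return f"office-spawned-script: {parent} -> {child}"
    elif kind == "image_load":
        proc = image_name(event["image"])
        if proc in OFFICE_PROCS and USER_WRITABLE.search(event["loaded"]):
            return f"office-dll-from-user-path: {proc} loaded {event['loaded']}"
    elif kind == "registry_set":
        proc = image_name(event["image"])
        if proc in SCRIPT_HOSTS | OFFICE_PROCS and "\\currentversion\\run" in event["key"].lower():
            return f"run-key-persistence: {proc} wrote {event['key']}"
    return None

def scan(events):
    """Apply classify() to a sequence of events and keep the findings."""
    return [f for f in map(classify, events) if f]

# Constructed sample events; not real telemetry from the campaign.
SAMPLE_EVENTS = [
    {"type": "process_create", "parent": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE",
     "image": r"C:\Windows\System32\wscript.exe"},
    {"type": "image_load", "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "loaded": r"C:\Users\alice\AppData\Roaming\update\version.dll"},
    {"type": "registry_set", "image": r"C:\Windows\System32\wscript.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"type": "image_load", "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "loaded": r"C:\Windows\System32\kernel32.dll"},  # benign load, should not fire
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The three rules fire independently, so a single document-spawned script that later writes a Run key produces two correlated findings for the same host.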
The Confucius hacker group has escalated its operations, employing a multi-stage infection chain involving Office 365 documents, scripts, and DLL side-loading. Security teams must remain vigilant and monitor for unusual activity to mitigate this evolving threat.