Confucius hacker group targets singles in romance scam to steal data via backdoor chat apps
The hackers use social engineering and romance to lure their targets into downloading malware.
Hackers are going after singles in a new romance scam. A South Asian hacker group called Confucius has been using social engineering and romance to steal data from victims. The group was found targeting military personnel, businessmen and others in South Asian countries.
According to security researchers at Trend Micro, who discovered the new campaign, Confucius' operations bear similarities to a cyberespionage group known as Patchwork or Dropping Elephant. According to previous reports, the Confucius hacker group has been active since 2013.
"Are Patchwork and Confucius the same group? The commands in their backdoors do resemble each other. The config files have a similar, custom structure, and both groups have infrastructure overlap," the Trend Micro researchers said in a blog. "However, we construe them to be different groups, possibly within the same community, with different objectives and modi operandi. While Patchwork may be more straightforward with its predominantly malware-based attacks, Confucius' can be inferred to be more nuanced, relying heavily on social engineering."
The hacker group developed customised fake chat apps for both Android and Windows operating systems, which come with backdoor functionalities, to steal victims' data. The fake backdoor-capable chat apps called Simple Chat Point, Secret Chat Point, and Tweety Chat were used by the hackers to not only steal messages but also gain remote control of victims' devices.
According to the Trend Micro researchers, the hackers' backdoor-capable fake Android chat apps can steal SMS messages, accounts, contacts and files, and can even record audio. The researchers also found that the Android version of Tweety Chat was capable of muting a victim's device, as well as syncing call logs and SMS messages.
The researchers also found that Confucius tagged systems related to security researchers, likely in an effort to evade detection.
"Confucius' operations include deploying bespoke backdoors and stealing files from their victim's systems with tailored file stealers, some of which bore resemblances to Patchwork's. The stolen files are then exfiltrated by abusing a cloud storage service. Some of these file stealers specifically target files from USB devices, probably to overcome air-gapped environments," the Trend Micro researchers said. "At the time of research, there were around 60 victims whose data were uploaded to a Confucius-owned cloud storage account. There were also a few thousand files in the account that were later deleted."