Trend Micro researchers previously identified similarities in the malicious code used by the two groups, as well as in the targets themselves: both gangs primarily go after targets in South Asia, with Confucius still aiming at Pakistani targets.
Both groups used a backdoor with the same configuration file structure and commands in their malware, and Patchwork recently used Delphi malware similar to some of the Delphi malware used by Confucius.
During its previous campaign, Confucius used fake romance websites to entice victims into installing malicious Android applications, but most recently the gang has set up two new websites and new payloads designed to compromise targets.
The first website uses adult content to lure victims into downloading an Android application called Fuddi Duniya, which links to a website that displays nude pictures every day.
The app’s features are similar to those of malware previously used by the group: it can record audio and steal SMS messages, accounts, contacts and certain file types from specific directories. Its APK is linked directly from the homepage, with a disclaimer stating that Google Play does not allow pornography in its store.
The second fake website is advertised as a matchmaking chat app and looks to trick users into downloading malware with the same features as the other website’s app.
In addition to the Delphi malware campaign, researchers have spotted Patchwork sending multiple RTF files exploiting CVE-2017-8570 to drop modified versions of the Remote Administration Tool QuasarRAT.
In order to prevent infection, researchers recommend that organizations take a more proactive and focused security posture, one that covers the most ground in terms of security.