{
	"id": "9ef3b998-7101-4f02-9dce-aa78d1404a6c",
	"created_at": "2026-04-06T00:09:55.691079Z",
	"updated_at": "2026-04-10T03:33:56.948492Z",
	"deleted_at": null,
	"sha1_hash": "3ce361b368e7909b3a9376b399c79d34d0850571",
	"title": "奇安信威胁情报中心",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2428288,
	"plain_text": "QiAnXin Threat Intelligence Center (奇安信威胁情报中心)\r\nArchived: 2026-04-05 13:47:55 UTC\r\nOverview\r\nQiAnXin Threat Intelligence Center recently found a series of targeted attacks against Pakistani targets. The attackers exploited a vulnerability in InPage (CVE-2017-12824) to craft bait documents (.inp). InPage is a word processor designed specifically for Urdu speakers (Urdu is the national language of Pakistan). Office documents exploiting CVE-2018-0798 were also used in the attacks. Kaspersky disclosed a targeted attack exploiting an InPage vulnerability in November 2016 [6]; the first attack using such a software vulnerability can be traced back to June 2016 [14].\r\nThrough analysis of this group of documents carrying the InPage vulnerability and the related attack activity, we conclude that the attacker is the BITTER APT group we disclosed in 2016 [5]. Further analysis shows that some samples in this activity have strong connections with other APT groups, specifically Patchwork, Bahamut and Confucius. 
This shows further connections among these four South Asian APT groups.\r\nTimeline\r\nQiAnXin Threat Intelligence Center sorted out the following timeline of targeted attacks exploiting the InPage vulnerability over the past two years:\r\nhttps://ti.qianxin.com/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english/\r\nPage 1 of 36\n\nInPage Vulnerability Analysis (CVE-2017-12824)\r\nThe VirusTotal scan result for the documents carrying the InPage vulnerability:\r\nInPage is a word processor designed for Urdu speakers; the vulnerability used by the in-the-wild samples is CVE-2017-12824.\r\nQiAnXin Threat Intelligence Center's analysis found that the vulnerability is caused by InPage not checking the data type (Type) to be processed while parsing the document stream, which leads to an out-of-bounds read. With a carefully constructed InPage document, this can be turned into arbitrary code execution.\r\nWe analyzed the vulnerability in detail in an InPage 2015 environment; the process is as follows.\r\nInPage 2015\r\nCause of Vulnerability: Out-of-bounds Read\r\nThe essence of CVE-2017-12824 is an out-of-bounds read. While processing the InPage100 stream in the document, InPage does not validate the data type to be processed, and that type is specified by a field in the document itself. By setting that field to a value outside the valid Type range, an attacker makes InPage read out of bounds.\r\nThe key data structures that trigger the vulnerability in the document (.inp) are as follows. 
0x7E and 0x72 each represent a class of type in the document stream to be processed; we refer to 0x7E as Type1 and 0x72 as Type2:\r\nInPage processes a .inp file as follows:\r\nInPage first calls Ole!StgCreateDocfile to parse the entire .inp file (an OLE compound document), then calls COleStreamFile::OpenStream to open the InPage100 stream inside it:\r\nAll processing logic for the InPage100 stream is carried out in the function we named ParseInPage100_432750, and data in the stream is read through the callback InPage100Read_440ED0:\r\nThe Type data that triggers the vulnerability (the 0x7E and 0x72 bytes mentioned above) is eventually processed by sub_453590. The buf in the figure below receives the data containing the Type through a call to InPage100Read_440ED0:\r\nsub_453590 selects the corresponding handler according to Type1 and Type2 (the 0x7E and 0x72 bytes). 
First it selects a function pointer array according to Type1, then reads a function pointer from that array at index Type2, and finally calls that function to process the data:\r\nLet's look at the assignment and range of dword_656A28 in the figure above:\r\nType1 = ECX (0x1F8) \u003e\u003e 2 = 0x7E (126), Type2 = EDI (0x72):\r\nFinding the assignment of dword_656A28[0x7E] in IDA Pro:\r\nYou can see that the actual size of the dword_656E60 array is 30 (0x1E):\r\nSince Type2 in the malicious document is set to 0x72, EDI = 0x72, and InPage never checks the range of the Type2 it was given, the code accesses dword_656E60[0x72]; because 0x72 \u003e 30 (0x1E), this is an out-of-bounds read of a function pointer.\r\nThe Exploitation\r\nBecause the attacker set Type2 to 0x72, the out-of-bounds index lands on a slot past the table whose value is 0x00455AFA, and that value is then called as a function pointer:\r\nYou can see that dword_656E60[0x72] (0x455AFA) is simply a pop; retn instruction sequence:\r\nThe pop; retn sequence acts as a \"jump\": the handler is invoked with a parameter (the pointer 0x031E383F) that points into data from the InPage document stream, which the attacker controls and fills with shellcode, so after the pop; retn the processor returns directly into the attacker's shellcode:\r\nTwo properties of the InPage binary make this trivial: it is built without DEP, so the document data in memory is executable, and without ASLR, so the table address and the gadget value found past it (0x455AFA) are the same on every run; no ROP chain is needed and the shellcode executes directly:\r\nAnalysis of Four Types of Attack Framework Using InPage Vulnerability\r\nQiAnXin Threat Intelligence Center analyzed 
the samples with InPage vulnerabilities targeting Pakistan and found that, across a number of samples, the generation time, file size, initial shellcode, InPage100 stream and related stream tags are all consistent. We can confirm that those samples come from the same source.\r\nThrough analysis of this batch of InPage exploit documents and the related malicious code, we found that the code carried by the documents uses four different attack frameworks, that is, four completely different backdoor programs. The analysis follows.\r\nWSCSPL: Full-featured Backdoor\r\nA decoy document captured by QiAnXin Threat Intelligence Center is named \"SOP for Retrieval of Mobile Data Records.inp\". This CVE-2017-12824 exploit document eventually downloads and executes a full-featured backdoor named WSCSPL.\r\nRelevant exploit document information:\r\nMD5 863f2bfed6e8e1b8b4516e328c8ba41b\r\nFile name SOP for Retrieval of Mobile Data Records.inp\r\nShellCode\r\nAfter the vulnerability is triggered, the first-stage shellcode locates the main shellcode by searching memory for the marker \"27862786\". 
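The two native mechanisms described so far, the unchecked Type2 index into the 0x1E-entry handler table in sub_453590 that hands control to a pop; retn gadget, and the doubled-egg marker scan (27862786 here, LuNdLuNd in the other documents) by which the first stage finds its main body, as an added C example. This is editorial code, not InPage or attacker code: the table size, the Type2 value 0x72, the ECX-to-Type1 shift and the markers are taken from the analysis above; the handler names, the memory laid out after the table and the constructed stream buffer are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the CVE-2017-12824 dispatch (editorial example, not InPage code). */
#define TABLE_LEN     0x1E    /* real size of dword_656E60 */
#define TYPE2_EXPLOIT 0x72    /* Type2 stored in the malicious .inp */
#define IMAGE_LEN     0x100   /* table plus the memory that follows it (assumed) */

typedef int (*handler_t)(const uint8_t *data, size_t len);

static int handler_legit(const uint8_t *d, size_t n) { (void)d; return (int)n; }
/* Stand-in for the pop; retn at 0x455AFA: reaching it means control went to the attacker. */
static int gadget_pop_retn(const uint8_t *d, size_t n) { (void)d; (void)n; return -1337; }

static handler_t g_image[IMAGE_LEN];

/* Lay out a handler table the way the vulnerable binary does: 0x1E valid entries followed
 * by unrelated memory, with the slot at index 0x72 holding the gadget address. */
const handler_t *build_handler_table(void) {
    for (size_t i = 0; i < IMAGE_LEN; i++) g_image[i] = NULL;
    for (size_t i = 0; i < TABLE_LEN; i++) g_image[i] = handler_legit;
    g_image[TYPE2_EXPLOIT] = gadget_pop_retn;
    return g_image;
}

/* Type1 as derived in the report: ECX (0x1F8) >> 2 == 0x7E selects the table. */
unsigned type1_from_ecx(unsigned ecx) { return ecx >> 2; }

/* Vulnerable dispatch: the defect exactly, no range check on type2. table[0x72] stays
 * inside g_image in this model, so there is no undefined behaviour here; in InPage the
 * same read runs past dword_656E60 into whatever the linker placed after it. */
int dispatch_vulnerable(const handler_t *table, unsigned type2, const uint8_t *d, size_t n) {
    handler_t h = table[type2];
    return h ? h(d, n) : 0;
}

/* Fixed dispatch: a type byte outside the table is a malformed stream and is rejected. */
int dispatch_fixed(const handler_t *table, unsigned type2, const uint8_t *d, size_t n) {
    if (type2 >= TABLE_LEN) return -1;
    return table[type2](d, n);
}

/* Egg hunt as the first stage does it. Both markers are a 4-byte egg written twice, the
 * classic shape that lets a tiny stub find its body with one 8-byte compare. Returns the
 * offset just past the marker (start of the main shellcode) or -1. */
long find_marker(const uint8_t *buf, size_t len, const char *tag) {
    size_t tl = strlen(tag);
    for (size_t i = 0; i + tl <= len; i++)
        if (memcmp(buf + i, tag, tl) == 0) return (long)(i + tl);
    return -1;
}

int main(void) {
    const handler_t *t = build_handler_table();
    uint8_t stream[64] = {0};                 /* constructed InPage100 data */
    memcpy(stream + 20, "27862786", 8);
    printf("type1 = 0x%02X\n", type1_from_ecx(0x1F8));
    printf("vulnerable dispatch(0x72) -> %d (gadget reached)\n",
           dispatch_vulnerable(t, TYPE2_EXPLOIT, stream, sizeof stream));
    printf("fixed dispatch(0x72)      -> %d (rejected)\n",
           dispatch_fixed(t, TYPE2_EXPLOIT, stream, sizeof stream));
    printf("main shellcode at offset %ld\n", find_marker(stream, sizeof stream, "27862786"));
    return 0;
}
```

dispatch_fixed shows the check the parser lacks: the type byte read from the document is untrusted input and must be range-checked against the table length before it is used as an index. The vulnerable path is kept only for contrast; in the real binary the out-of-bounds slot happens to hold a pop; retn, which is what turns a read into code execution.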
Then it downloads the payload from khurram.com.pk/js/drv, saves it as c:\\conf\\smss.exe and executes it:\r\nDownloader\r\nMD5 c3f5add704f2c540f3dd345f853e2d84\r\nCompile time 2018.9.24\r\nPDB path C:\\Users\\Asterix\\Documents\\VisualStudio2008\\Projects\\28novdwn\\Release\\28novdwn.pdb\r\nThe downloaded EXE is mainly used to communicate with the C2 and fetch the executables of other modules. After execution it first sets a registry value (key: HKCU\\Environment, value name: AppId, data: c:\\Intel\\drvhost.exe).\r\nPersistence is achieved by adding itself to the registry startup entries:\r\nIt then checks whether the current process path is c:\\Intel\\drvhost.exe; if not, it copies itself to that path and executes the copy:\r\nWhen the process path meets the condition, the machine GUID, computer name, user name and other information read from the registry are encrypted and concatenated into a string:\r\nThe constructed string is sent to the C2 nethosttalk.com, and the response is the command to execute:\r\nIn this case, the C2 server returned an AXE:# instruction. 
The program checks whether the instruction is \"AXE:#\" or \"AXE\". If \"AXE:#\" is followed by string content, the plug-in it names is downloaded and executed.\r\nDuring debugging, QiAnXin Threat Intelligence Center analysts obtained an executable plug-in named \"WSCSPL\":\r\nBackdoor - WSCSPL\r\nMD5 1c2a3aa370660b3ac2bf0f41c342373b\r\nCompile time 2018.9.13\r\nOriginal file name winsvc.exe\r\nThis Trojan has the same functionality as the Trojan used by the BITTER APT group that we disclosed in 2016 [5] (see the command table in the attribution section below). It supports the commands listed in the table below, including uploading the list of hard disks, finding, reading and creating a specified file, enumerating the process list, and terminating a specified process. Analysis of the Trojan's functions follows:\r\nAfter the Trojan runs, it sets two timers with a 10-second interval:\r\nTimer 1: resolve the IP of the C\u0026C wcnchost.ddns.net. 
If the request succeeds, it saves the IP in a global variable and sets the flag variable to 1.\r\nTimer 2: checks the flag variable and, if it is 1, tries to connect to the C\u0026C:\r\nThen two threads are created:\r\nThread 1: monitors the connection with the C\u0026C and, when connected, receives and executes the C\u0026C commands\r\nThread 2: checks whether the global variable dword_C9618 holds data and, if so, sends it to the C\u0026C\r\nThe command execution code snippet is as follows:\r\nAll of the Trojan's commands and their functions are shown in the following table:\r\nCommand ID Function\r\n3000 Get RAT status information\r\n3001 Get hard disk information\r\n3002 List the files in the specified directory\r\n3004 Get RAT log 1\r\n3005 Create the specified file\r\n3006 Write data to the created file\r\n3007 Open the specified file\r\n3009 Read the contents of the specified file\r\n3012 Create remote console\r\n3013 Execute remote command\r\n3015 Get RAT log 2\r\n3016 End remote console\r\n3017 Close the specified handle\r\n3019 List processes with active UDP connections\r\n3021 Get RAT log 3\r\n3022 Terminate the specified process\r\n3023 Get process information from the system\r\n3025 Get RAT log 4\r\nVisual Basic Backdoor\r\nAnother captured exploit document, 
a CVE-2017-12824 exploit named \"AAT national assembly final.inp\", drops a backdoor written in Visual Basic.\r\nRelevant exploit document information:\r\nMD5 ce2a6437a308dfe777dec42eec39d9ea\r\nFile name AAT national assembly final.inp\r\nShellCode\r\nFirst, the shellcode triggered by the vulnerability locates the main shellcode through a global memory search for the string \"LuNdLuNd\":\r\nThe main shellcode resolves the API functions it needs and ensures that only one instance runs by creating the mutex \"QPONMLKJIH\":\r\nIt then extracts a DLL module embedded in the document and executes it by loading it in memory:\r\nDropper\r\nMD5 43920ec371fae4726d570fdef1009163\r\nPDB path C:\\users\\mz\\documents\\visualstudio2013\\Projects\\Shellcode\\Release\\Shellcode.pdb\r\nThe DLL loaded in memory is a dropper containing two resources, \"Bin\" and \"Bin2\":\r\nBin is the backdoor written in Visual Basic, while Bin2 is the clean .inp decoy that is dropped and opened after the vulnerability is triggered. The decoy document's content is as follows:\r\nBackdoor - SMTPLDR.exe\r\nMD5 694040b229562b8dca9534c5301f8d73\r\nCompile time 2018.7.4\r\nOriginal file name SMTPLDR.exe\r\nThe Bin file is a backdoor written in Visual Basic whose main purpose is to obtain commands to execute. 
After the Trojan runs, it first enumerates the applications installed on the system from \"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\\":\r\nIt then checks whether the installed applications include Kaspersky, Norton, Trend Micro or other anti-virus products:\r\nNext it runs the WMI query select * from win32_computersystem and detects a virtual machine by checking whether the returned name contains the word \"virtual\":\r\nIf a virtual machine is detected, a message box stating that the file is not valid is displayed and the program exits:\r\nIf the checks pass, \"SMTP Loader.LNK\" is created in the %Start% (Startup) directory for persistence:\r\nFinally, it communicates with the C\u0026C referfile.com to obtain further instructions to execute:\r\nDelphi Backdoor\r\nThrough big-data correlation, QiAnXin Threat Intelligence Center found a batch of backdoors written in Delphi that are also delivered by documents with the InPage vulnerability. Relevant sample information:\r\nMD5 fec0ca2056d679a63ca18cb132223332\r\nOriginal file name adobsuit.exe\r\nThe captured Delphi backdoor is installed the same way as the Visual Basic backdoor: it is released from a resource by a similar dropper, and it creates an \"Adobe creative suit.LNK\" file in the %Start% directory pointing to itself for persistence:\r\nThe backdoor creates users.
txt in the %Document% folder and writes a random 30-byte string to it:\r\nThe Trojan then obtains the computer name and user name, encrypts them and writes the result to %Document%\\SyLog.log:\r\nAfter that it communicates with the C2 errorfeedback.com, sending the contents of sylog.log in a POST request:\r\nIf the C2 returns Success, the Trojan contacts the C2 again with an HTTP GET request; if a string is returned, it downloads the following content from \"errorfeedback.com/MarkQuality455TTGKWoFdyQHEwpyYKmfVGtzQLfeqpJ/string\":\r\nA Backdoor Using Cobalt Strike\r\nAnother captured InPage exploit document ends up executing a backdoor generated by Cobalt Strike. Document information:\r\nMD5 74aeaeaca968ff69139b2e2c84dc6fa6\r\nFile type InPage exploit document\r\nDiscovery time 2018.11.02\r\nShellCode\r\nAfter the vulnerability is triggered, the shellcode first locates the main shellcode with the marker \"LuNdLuNd\", then loads the attached DLL in memory and executes it.\r\nDropper\r\nMD5 ec834fa821b2ddbe8b564b3870f13b1b\r\nPDB path C:\\users\\mz\\documents\\visualstudio2013\\Projects\\Shellcode\\Release\\Shellcode.pdb\r\nLike the Visual Basic and Delphi backdoors above, the memory-loaded DLL releases the Trojan file from its resources and executes it:\r\nDownloader - winopen.
exe\r\nMD5 09d600e1cc9c6da648d9a367927e6bff\r\nCompile time 2018.10.12\r\nThe dropped downloader, winopen.exe, fetches an encrypted file that starts with a normal JPEG header from jospubs.com/foth1018/simple.jpg; if the download succeeds, it XOR-decrypts the data with the key 0x86 starting at the 49th byte of the file:\r\nThe decrypted file is a DLL, which is then loaded and executed. The DLL first examines its running environment, checking whether the process loading it is rundll32.exe:\r\nIf the loading process is not rundll32.exe, it drops the backdoor named aflup64.dll under C:\\ProgramData\\Adobe64:\r\nFinally, it starts rundll32.exe to load aflup64.dll and call its export IntRun:\r\nBackdoor - aflup64.dll\r\nMD5 91e3aa8fa918caa9a8e70466a9515666\r\nCompile time 2018.10.12\r\nThe export IntRun does the same thing again: it fetches the JPEG file, XOR-decrypts it and executes the result. Because it is now started through rundll32, the decrypted DLL takes the other branch and first creates the mutex \"9a5f4cc4b39b13a6aecfe4c37179ea63\":\r\nIt then creates the file \"nnp74DE.TMP\" in the %TEMP% directory. 
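The payload wrapping used twice above, by winopen.exe and again by the IntRun export of aflup64.dll, as an added C example that is not the attackers' code: a file with a genuine JPEG header whose remainder is a DLL XOR-encrypted with the single byte 0x86 from the 49th byte on. The key and the offset (taken here as 48, zero-based) come from the report; the JPEG prefix bytes, the minimal fake PE image and the helper names are assumptions. The example also recovers the key from the known MZ plaintext, which is how an analyst handles a later sample that changes the key but keeps the scheme.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Editorial example: unwrap the simple.jpg second stage. Offset and key per the report;
 * everything about the constructed sample is assumed. */
#define WRAP_OFFSET 48      /* payload starts at the 49th byte */
#define XOR_KEY     0x86

/* Decrypt everything after the JPEG prefix into out. Returns the payload length, or -1 if
 * the input does not start with a JPEG SOI marker or the result does not begin with an MZ
 * header (what you get when the key or offset assumption is wrong). */
long unwrap_payload(const uint8_t *in, size_t in_len, uint8_t *out, size_t out_cap) {
    if (in_len <= WRAP_OFFSET + 2) return -1;
    if (!(in[0] == 0xFF && in[1] == 0xD8 && in[2] == 0xFF)) return -1;
    size_t n = in_len - WRAP_OFFSET;
    if (n > out_cap) return -1;
    for (size_t i = 0; i < n; i++) out[i] = in[WRAP_OFFSET + i] ^ XOR_KEY;
    if (out[0] != 'M' || out[1] != 'Z') return -1;
    return (long)n;
}

/* A single-byte XOR key falls out of a known plaintext: a PE image starts with "MZ", so
 * key = in[48] ^ 'M', confirmed when the same key turns in[49] into 'Z'. Returns the key
 * or -1. */
int recover_xor_key(const uint8_t *in, size_t in_len) {
    if (in_len < WRAP_OFFSET + 2) return -1;
    int k = in[WRAP_OFFSET] ^ 'M';
    return ((in[WRAP_OFFSET + 1] ^ k) == 'Z') ? k : -1;
}

/* Constructed sample: 48 bytes of JPEG SOI + APP0 header padding, then a minimal PE image
 * (DOS header, e_lfanew = 0x40, "PE\0\0" signature) encrypted with the given key. Returns
 * the number of bytes written, 0 if the buffer is too small. */
size_t build_sample(uint8_t *buf, size_t cap, uint8_t key) {
    static const uint8_t jpeg_prefix[] = { 0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x10,
                                           'J', 'F', 'I', 'F', 0x00 };
    uint8_t pe[68] = {0};
    pe[0] = 'M'; pe[1] = 'Z';
    pe[0x3C] = 0x40;                  /* e_lfanew */
    pe[0x40] = 'P'; pe[0x41] = 'E';   /* followed by two zero bytes */
    if (cap < WRAP_OFFSET + sizeof pe) return 0;
    memset(buf, 0, WRAP_OFFSET);
    memcpy(buf, jpeg_prefix, sizeof jpeg_prefix);
    for (size_t i = 0; i < sizeof pe; i++) buf[WRAP_OFFSET + i] = pe[i] ^ key;
    return WRAP_OFFSET + sizeof pe;
}

int main(void) {
    uint8_t wrapped[256], payload[256];
    size_t n = build_sample(wrapped, sizeof wrapped, XOR_KEY);
    long len = unwrap_payload(wrapped, n, payload, sizeof payload);
    printf("recovered key 0x%02X, payload %ld bytes, e_lfanew 0x%02X, signature %c%c\n",
           (unsigned)recover_xor_key(wrapped, n), len,
           (unsigned)payload[0x3C], payload[0x40], payload[0x41]);
    return 0;
}
```

For triage the MZ check is the important part: with a wrong key or offset the XOR silently produces garbage, so validate the PE header before loading or emulating anything. The key-recovery helper turns that same known plaintext into a one-line answer when the next sample ships with a different byte.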
Next it executes the commands tasklist, ipconfig /all and dir to collect the process list, network configuration and file listing.\r\nIt then obtains the machine ID, system version and current system time, concatenates all the collected information after the prefix \"tag FluffyBunny\", base64-encodes the result, connects to the C\u0026C and uploads it:\r\nIf the upload succeeds, the server returns the base64 encoding of the string \"OK\":\r\nIf the request is not successful it is retried in a loop. After a successful check-in, the second stage begins: the backdoor sends the base64-encoded computer name and user name to jospubs.com/foth1018/go.php and obtains commands to execute:\r\nCommands take the form \"number:parameter\"; 5 commands are supported, listed below:\r\nCommand ID Function\r\n103 Download a plugin and drop it in the %TEMP% directory\r\n105 Fetch a file and load it in memory\r\n115 Get the contents of the file named in the parameter\r\n117 Delete the start.LNK file\r\n120 Download a file to the %TEMP% directory and delete start.lnk\r\nPlugin - jv77CF.
TMP\r\nMD5 c9c1ec9ae1f142a8751ef470afa20f15\r\nCompile time 2018.4.3\r\nDuring debugging, QiAnXin Threat Intelligence Center analysts obtained a Trojan plugin that was dropped to disk and executed. The plugin fetches a further encrypted file from pp5.zapto.org:\r\nOn success it XOR-decrypts the file; the decrypted file is a remote backdoor generated by Cobalt Strike:\r\nAnalysis of CVE-2018-0798 Samples\r\nBy widening the search on the QiAnXin Threat Intelligence Center big-data platform, we found an Office CVE-2018-0798 exploit document belonging to the same series of attacks. The document is named \"SOP for Retrieval of Mobile Data Records.doc\", the same name as the InPage exploit document that delivers the WSCSPL Trojan, but this one targets Microsoft Office (CVE-2018-0798 is a memory corruption bug in the Office Equation Editor, EQNEDT32.EXE, reached through an embedded OLE object).\r\nMD5 61a107fee55e13e67a1f6cbc9183d0a4\r\nFile name SOP for Retrieval of Mobile Data Records.doc\r\nThe objdata object containing the exploit is as follows:\r\nAfter the vulnerability triggers, the subsequent payload executable is obtained from the same download address used by the SOP for Retrieval of Mobile Data Records.
inp InPage exploit document (khurram.com.pk/js/drv):\r\nAttribution and Correlation\r\nThrough analysis of this batch of InPage exploit documents and the related attack activity, QiAnXin Threat Intelligence Center attributes the targeted attacks using the WSCSPL backdoor to the \"BITTER\" APT group disclosed by 360 in 2016 [5]. Further analysis shows that many samples in this series of attacks are also strongly related to the Patchwork (mahagrass), Bahamut and Confucius APT groups.\r\nBITTER APT Group\r\nAfter in-depth analysis of several InPage exploit documents from the most recent attacks, QiAnXin Threat Intelligence Center found that the Trojan released by the documents is the backdoor used by the APT group \"manlinghua\" (BITTER) exposed by 360 in 2016 [5]. That report's analysis of the same full-featured backdoor lists the following commands, which correspond one-to-one to the WSCSPL commands above (command IDs 2000-2025 there versus 3000-3025 here):\r\nCommand ID Function\r\n2000 Retrieve RAT status information\r\n2001 Retrieve hard disk list\r\n2002 Retrieve file list in given directory\r\n2004 Retrieve RAT log 1\r\n2005 Create file by given filename\r\n2006 Write bytes into created file (2005)\r\n2007 Open file\r\n2009 Read file content (2007)\r\n2012 Create remote console\r\n2013 Execute remote command\r\n2015 Retrieve RAT log 2\r\n2016 Terminate remote console\r\n2017 Close handle\r\n2019 Retrieve a list of processes with active UDP connections\r\n2021 Retrieve RAT log 3\r\n2022 Terminate process by process ID\r\n2023 Retrieve a list of active processes\r\n2025 Retrieve RAT log 4\r\nIn addition, 
many of these C\u0026C addresses are also strongly associated with the \"manlinghua\" APT group in the internal analysis platform of QiAnXin Threat Intelligence Center, and they have repeatedly been used in attacks against China. The related attack activity can therefore be attributed to manlinghua (BITTER).\r\nRelation to Confucius\r\nThe C\u0026C address errorfeedback.com used by the Delphi backdoor framework appears in Trend Micro's research on the similarities between Confucius and Patchwork [10], where the domain is disclosed as one used by Confucius.\r\nRelation to Patchwork\r\nThrough in-depth analysis and correlation of the Delphi backdoor framework described above, we also found that the same framework and samples appeared in the InPage attack samples analyzed by Palo Alto in 2017 [13]; Palo Alto considered that the framework and backdoor might be related to Patchwork (mahagrass).\r\nRelation to \"Bahamut\"\r\nThe exploit document \"AAT national assembly final.inp\" analyzed by QiAnXin Threat Intelligence Center ultimately executes a Trojan (the Visual Basic backdoor) that uses the domain referfile.com as its C2. This domain appeared in the report published by the Cisco Talos security research team in July 2018 on a targeted attack against Indian iOS users [9]; Talos found that the domain was also used by a Visual Basic backdoor, and the related network assets were suspected to belong to the APT group \"Bahamut\".\r\nSummary and Conjecture\r\nQiAnXin Threat Intelligence Center analyzed a group of document samples with the same origin (timestamp, shellcode, InPage100 stream size and stream characteristics) and found that those samples use at least 4 
different malicious code frameworks and have, to varying degrees, connections with the \"PatchWork\", \"BITTER\", \"Confucius\" and \"Bahamut\" APT groups. Are these APT groups actually one group? Or are their digital weapons supplied by one vendor, with their sponsors giving them the same exploitation tools?\r\nThe following is a TTP summary of the APT groups mentioned in this article:\r\nGroup | BITTER | PatchWork | Confucius | Bahamut\r\nTarget | China, Pakistan | China, Pakistan | South Asia | South Asia (mainly Pakistan), Middle East\r\nAttack platform | PC/Android | PC/Android | PC/Android | PC/Android/iOS\r\nProgramming language | C | Delphi/C# | Delphi | Delphi/VB\r\nAttack vector | Spear-phishing | Social networks, spear-phishing | Social networks | Social networks, spear-phishing\r\nIOC\r\nDocuments with InPage vulnerability\r\n863f2bfed6e8e1b8b4516e328c8ba41b\r\nce2a6437a308dfe777dec42eec39d9ea\r\n74aeaeaca968ff69139b2e2c84dc6fa6\r\nOffice vulnerability exploit documents\r\n61a107fee55e13e67a1f6cbc9183d0a4\r\nTrojans\r\nc3f5add704f2c540f3dd345f853e2d84\r\nf9aeac76f92f8b2ddc253b3f53248c1d\r\n8dda6f85f06b5952beaabbfea9e28cdd\r\n25689fc7581840e851c3140aa8c3ac8b\r\n1c2a3aa370660b3ac2bf0f41c342373b\r\n43920ec371fae4726d570fdef1009163\r\n694040b229562b8dca9534c5301f8d73\r\nfec0ca2056d679a63ca18cb132223332\r\nec834fa821b2ddbe8b564b3870f13b1b\r\n09d600e1cc9c6da648d9a367927e6bff\r\n91e3aa8fa918caa9a8e70466a9515666\r\n4f9ef6f18e4c641621f4581a5989284c\r\nafed882f6af66810d7637ebcd8287ddc\r\nC\u0026C\r\n
khurram.com.pk\r\nnethosttalk.com\r\nxiovo416.net\r\nnewmysticvision.com\r\nwcnchost.ddns.net\r\nreferfile.com\r\nerrorfeedback.com\r\njospubs.com\r\ntraxbin.com\r\nReference\r\n[1] https://ti.qianxin.com/\r\n[2] http://www.inpage.com/\r\n[3] https://en.wikipedia.org/wiki/InPage\r\n[4] https://ti.qianxin.com/blog/articles/analysis-of-apt-campaign-bitter/\r\n[5] https://www.anquanke.com/post/id/84910\r\n[6] https://www.kaspersky.com/blog/inpage-exploit/6292/\r\n[7] https://cloudblogs.microsoft.com/microsoftsecure/2018/11/08/attack-uses-malicious-inpage-document-and-outdated-vlc-media-player-to-give-attackers-backdoor-access-to-targets/\r\n[8] https://blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM.html\r\n[9] https://blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM-Part2.html\r\n[10] https://blog.trendmicro.com/trendlabs-security-intelligence/confucius-update-new-tools-and-techniques-further-connections-with-patchwork/\r\n[11] https://documents.trendmicro.com/assets/appendix-confucius-update-new-tools-techniques-connections-patchwork-updated.pdf\r\n[12] https://researchcenter.paloaltonetworks.com/2016/09/unit42-confucius-says-malware-families-get-further-by-abusing-legitimate-websites/\r\n[13] 
https://researchcenter.paloaltonetworks.com/2017/11/unit42-recent-inpage-exploits-lead-multiple-malware-families/\r\n[14] https://www.virustotal.com/gui/file/9bf55fcf0a25a2f7f6d03e7ba6123d5a31c3e6c1196efae453a74d6fff9d43bb/submissions\r\nSource: https://ti.qianxin.com/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://ti.qianxin.com/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english/"
	],
	"report_names": [
		"analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english"
	],
	"threat_actors": [
		{
			"id": "732bfd4b-8c15-42a5-ac4b-14a9a4b902e9",
			"created_at": "2022-10-25T16:07:23.38079Z",
			"updated_at": "2026-04-10T02:00:04.574399Z",
			"deleted_at": null,
			"main_name": "Bahamut",
			"aliases": [],
			"source_name": "ETDA:Bahamut",
			"tools": [
				"Bahamut",
				"DownPaper"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "655f7d0b-7ea6-4950-b272-969ab7c27a4b",
			"created_at": "2022-10-27T08:27:13.133291Z",
			"updated_at": "2026-04-10T02:00:05.315213Z",
			"deleted_at": null,
			"main_name": "BITTER",
			"aliases": [
				"T-APT-17"
			],
			"source_name": "MITRE:BITTER",
			"tools": [
				"ZxxZ"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "bbf66d2d-3d20-4026-a2b5-56b31eb65de4",
			"created_at": "2025-08-07T02:03:25.123407Z",
			"updated_at": "2026-04-10T02:00:03.668131Z",
			"deleted_at": null,
			"main_name": "ZINC EMERSON",
			"aliases": [
				"Confucius",
				"Dropping Elephant",
				"EHDevel",
				"Manul",
				"Monsoon",
				"Operation Hangover",
				"Patchwork",
				"TG-4410",
				"Viceroy Tiger"
			],
			"source_name": "Secureworks:ZINC EMERSON",
			"tools": [
				"Enlighten Infostealer",
				"Hanove",
				"Mac OS X KitM Spyware",
				"Proyecto2",
				"YTY Backdoor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "f99641e0-2688-47b0-97bc-7410659d49a0",
			"created_at": "2023-01-06T13:46:38.802141Z",
			"updated_at": "2026-04-10T02:00:03.106084Z",
			"deleted_at": null,
			"main_name": "Bahamut",
			"aliases": [],
			"source_name": "MISPGALAXY:Bahamut",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7a8dbc5e-51a8-437a-8540-7dcb1cc110b8",
			"created_at": "2022-10-25T16:07:23.482856Z",
			"updated_at": "2026-04-10T02:00:04.627414Z",
			"deleted_at": null,
			"main_name": "Confucius",
			"aliases": [
				"G0142"
			],
			"source_name": "ETDA:Confucius",
			"tools": [
				"ApacheStealer",
				"ByeByeShell",
				"ChatSpy",
				"Confucius",
				"MY24",
				"Sneepy",
				"remote-access-c3",
				"sctrls",
				"sip_telephone",
				"swissknife2"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7ea1e0de-53b9-4059-802f-485884180701",
			"created_at": "2022-10-25T16:07:24.04846Z",
			"updated_at": "2026-04-10T02:00:04.84985Z",
			"deleted_at": null,
			"main_name": "Patchwork",
			"aliases": [
				"APT-C-09",
				"ATK 11",
				"Capricorn Organisation",
				"Chinastrats",
				"Dropping Elephant",
				"G0040",
				"Maha Grass",
				"Quilted Tiger",
				"TG-4410",
				"Thirsty Gemini",
				"Zinc Emerson"
			],
			"source_name": "ETDA:Patchwork",
			"tools": [
				"AndroRAT",
				"Artra Downloader",
				"ArtraDownloader",
				"AutoIt backdoor",
				"BADNEWS",
				"BIRDDOG",
				"Bahamut",
				"Bozok",
				"Bozok RAT",
				"Brute Ratel",
				"Brute Ratel C4",
				"CinaRAT",
				"Crypta",
				"ForeIT",
				"JakyllHyde",
				"Loki",
				"Loki.Rat",
				"LokiBot",
				"LokiPWS",
				"NDiskMonitor",
				"Nadrac",
				"PGoShell",
				"PowerSploit",
				"PubFantacy",
				"Quasar RAT",
				"QuasarRAT",
				"Ragnatela",
				"Ragnatela RAT",
				"SocksBot",
				"TINYTYPHON",
				"Unknown Logger",
				"WSCSPL",
				"Yggdrasil"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c81067e0-9dcb-4e3f-abb0-80126519c5b6",
			"created_at": "2022-10-25T15:50:23.285448Z",
			"updated_at": "2026-04-10T02:00:05.282202Z",
			"deleted_at": null,
			"main_name": "Patchwork",
			"aliases": [
				"Hangover Group",
				"Dropping Elephant",
				"Chinastrats",
				"Operation Hangover"
			],
			"source_name": "MITRE:Patchwork",
			"tools": [
				"NDiskMonitor",
				"QuasarRAT",
				"BackConfig",
				"TINYTYPHON",
				"AutoIt backdoor",
				"PowerSploit",
				"BADNEWS",
				"Unknown Logger"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ada9e5d3-1cb2-4b70-a3c8-96808c304ac8",
			"created_at": "2022-10-25T15:50:23.6515Z",
			"updated_at": "2026-04-10T02:00:05.352078Z",
			"deleted_at": null,
			"main_name": "Windshift",
			"aliases": [
				"Windshift",
				"Bahamut"
			],
			"source_name": "MITRE:Windshift",
			"tools": [
				"WindTail"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "caf95a6f-2705-4293-9ee1-6b7ed9d9eb4c",
			"created_at": "2022-10-25T15:50:23.472432Z",
			"updated_at": "2026-04-10T02:00:05.352882Z",
			"deleted_at": null,
			"main_name": "Confucius",
			"aliases": [
				"Confucius",
				"Confucius APT"
			],
			"source_name": "MITRE:Confucius",
			"tools": [
				"WarzoneRAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "bf6cb670-bb69-473f-a220-97ac713fd081",
			"created_at": "2022-10-25T16:07:23.395205Z",
			"updated_at": "2026-04-10T02:00:04.578924Z",
			"deleted_at": null,
			"main_name": "Bitter",
			"aliases": [
				"G1002",
				"T-APT-17",
				"TA397"
			],
			"source_name": "ETDA:Bitter",
			"tools": [
				"Artra Downloader",
				"ArtraDownloader",
				"Bitter RAT",
				"BitterRAT",
				"Dracarys"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434195,
	"ts_updated_at": 1775792036,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3ce361b368e7909b3a9376b399c79d34d0850571.pdf",
		"text": "https://archive.orkl.eu/3ce361b368e7909b3a9376b399c79d34d0850571.txt",
		"img": "https://archive.orkl.eu/3ce361b368e7909b3a9376b399c79d34d0850571.jpg"
	}
}