Patchwork, the advanced persistent threat (APT) actor also known as Dropping Elephant, Monsoon, and Hangover Group, has been observed deploying a new PowerShell-based loader that abuses Windows Scheduled Tasks to execute its final payload.
Active since at least 2015 and focused on political and military intelligence across South and Southeast Asia, Patchwork is renowned for its persistence, social engineering prowess, and its habit of repurposing and customizing existing tools rather than building new exploits from scratch.
In the latest campaign, targets receive a Microsoft Office document containing a malicious macro. When enabled, the macro downloads an LNK shortcut file that, once opened, executes a PowerShell script. This script:
- Downloads an executable masquerading as vlc.exe into C:\Windows\Tasks\lama, mimicking the legitimate VLC media player.
- Retrieves a DLL named libvlc.dll, likely a fake library, to side-load alongside vlc.exe.
- Fetches a decoy PDF from a malicious URL and places it in the Public Documents folder.
- Creates a scheduled task called WindowsErrorReport that triggers vlc.exe on a regular interval.
- Finally, downloads and saves the APT's final payload, a .NET-based executable compiled with MSIL.
Multi-Stage C2 Communication
Once the scheduled task launches vlc.exe, the loader's fStage method initiates a secure channel with the attacker's C2 server, referenced in the code as Program.muri. It gathers system information, then:
- XORs the victim's client ID with a hardcoded key (eOvstoxSBbZGWsTtknc) and Base64-encodes the result.
- Applies additional obfuscation via a custom Protean function.
- Sends the data over HTTPS using TLS 1.2 as a POST form (sosid and slid parameters).
The server's response is Base64-decoded and XOR-decrypted with a session key to produce acc.xkey, which is stored for future encryption. If fStage fails, it retries every five seconds, up to twenty attempts.
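The XOR-then-Base64 layer described above is the part of the scheme an analyst can reproduce directly from the report. The following Python is an added example written for this article, not code from the report or from the malware: it assumes the XOR is a simple repeating-key XOR over the raw bytes (the report does not say otherwise), treats the hardcoded key quoted above as the candidate key for the client ID, and ignores the custom Protean scrambling, which is not documented. The client ID and the candidate key list are constructed sample values.

```python
import base64
from itertools import cycle

# Key quoted in the report for the client-ID layer.
HARDCODED_KEY = b"eOvstoxSBbZGWsTtknc"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR (assumed form of the malware's XOR step)."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def obfuscate(plaintext: bytes, key: bytes) -> str:
    """Client side as described: XOR with key, then Base64-encode."""
    return base64.b64encode(xor_bytes(plaintext, key)).decode("ascii")


def deobfuscate(encoded: str, key: bytes) -> bytes:
    """Reverse of obfuscate(); also matches how the server response is
    turned into acc.xkey (Base64-decode, then XOR with a key)."""
    return xor_bytes(base64.b64decode(encoded), key)


def looks_like_text(data: bytes) -> bool:
    """Cheap plausibility check: printable ASCII plus whitespace."""
    return bool(data) and all(32 <= b < 127 or b in b"\r\n\t" for b in data)


def recover(encoded: str, candidate_keys) -> dict:
    """Try each candidate key against a captured form value and keep the
    decodings that look like text. Returns {key: plaintext}."""
    results = {}
    for key in candidate_keys:
        try:
            plain = deobfuscate(encoded, key)
        except ValueError:  # bad Base64 or empty key
            continue
        if looks_like_text(plain):
            results[key] = plain
    return results


# Constructed sample: a made-up client ID, never a real victim value.
SAMPLE_CLIENT_ID = b"CLIENT-0001-CONSTRUCTED"
SAMPLE_CAPTURE = obfuscate(SAMPLE_CLIENT_ID, HARDCODED_KEY)

if __name__ == "__main__":
    print("captured sosid-style value:", SAMPLE_CAPTURE)
    for key, plain in recover(SAMPLE_CAPTURE, [b"CLIENT", HARDCODED_KEY]).items():
        print(f"key {key!r} -> {plain!r}")
```

The printable-text heuristic is deliberately weak: XOR of two ASCII strings often stays printable, so a wrong key is only rejected when it produces control bytes, as the constructed `b"CLIENT"` key does here. In practice an analyst would confirm a candidate by checking that the decoded client ID matches the format the sample generates.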
Next, the SStage method inventories the host:
- Public IP via ipd().
- OS version.
- MAC address and username.
- Working directory path.
- Process ID and administrative privilege status.
- Unique session ID.
Each datum is XOR-obfuscated, Base64-encoded, and scrambled with Protean before transmission. Simultaneously, the bkj method launches:
- dsffds(), which collects installed applications via WMI (Win32_Product).
- ghjk(), which enumerates antivirus products from the SecurityCenter2 namespace.
All collected data is similarly obfuscated and POSTed to the C2. On success, persistence is confirmed and error counters reset.
Command Retrieval and Exfiltration
The _getCommand function retrieves attacker instructions by masquerading traffic as legitimate web form POSTs (sltrg=pap).
Responses undergo regex cleanup, multi-layer Charm() deobfuscation, dual Base64 decoding, and XOR decryption with the session key to yield plaintext commands. Failures trigger up to twenty retry loops to maintain stealth.
After execution, the combined output and errors are appended to the response string, which is then sent back to the attacker's command-and-control server using the _sendResult method. To exfiltrate command outputs, the malware uses Scourgify encoding, attaches a unique victim ID, and dispatches results via POST. Retries of up to twenty cycles ensure reliable delivery without raising alerts.
Subsequent methods facilitate:
- dfile: Downloads and decodes auxiliary files into a temporary directory.
- ufile: Chunks large files into 1 MB segments, Base64-encodes, and streams them to the C2 in a stealthy, resumable fashion.
- v_alloc: Allocates executable memory, copies payload bytes, and spawns a new thread to run in-memory code without disk artifacts.
- scrt: Captures full-screen screenshots, uploads them to the server, and cleans up local copies after success.
Mitigations
Patchwork's modular, multi-layered approach underscores the importance of robust endpoint defenses.
Enabling macros only from trusted sources, monitoring for unusual scheduled tasks (such as “WindowsErrorReport”), and enforcing application whitelisting can disrupt the loader’s execution chain.
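The host artefacts named in this report (the WindowsErrorReport task, vlc.exe running from C:\Windows\Tasks\lama, and libvlc.dll loaded from the same directory) translate into simple hunting rules. The Python below is an added example for this article, not code from the report or from K7: it runs three rules over constructed, simplified key=value renderings of Windows Security event 4698 (scheduled task created) and Sysmon events 1 (process create) and 7 (image load). Real events carry these fields as XML, so the parser here is a stand-in for whatever log pipeline exports them; all paths, task names and parent processes in the sample lines are invented.

```python
import re

# Constructed sample telemetry (simplified key=value form, values invented).
SAMPLE_LOGS = [
    'EventID=4698 TaskName="\\WindowsErrorReport" Command="C:\\Windows\\Tasks\\lama\\vlc.exe"',
    'EventID=4698 TaskName="\\Microsoft\\Windows\\Defrag\\ScheduledDefrag" Command="%windir%\\system32\\defrag.exe"',
    'EventID=1 Image="C:\\Windows\\Tasks\\lama\\vlc.exe" ParentImage="C:\\Windows\\System32\\svchost.exe"',
    'EventID=1 Image="C:\\Program Files\\VideoLAN\\VLC\\vlc.exe" ParentImage="C:\\Windows\\explorer.exe"',
    'EventID=7 Image="C:\\Windows\\Tasks\\lama\\vlc.exe" ImageLoaded="C:\\Windows\\Tasks\\lama\\libvlc.dll"',
    'EventID=7 Image="C:\\Program Files\\VideoLAN\\VLC\\vlc.exe" ImageLoaded="C:\\Program Files\\VideoLAN\\VLC\\libvlc.dll"',
]

# key=value or key="quoted value"
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Directory the loader drops into (from the report) and the usual VLC
# install location (assumption: adjust to the environment's own baseline).
TASKS_DIR = "c:\\windows\\tasks\\"
VLC_DIR = "c:\\program files\\videolan\\"


def parse_line(line: str) -> dict:
    """Turn one key=value log line into a dict of string fields."""
    return {k: (quoted or bare) for k, quoted, bare in FIELD_RE.findall(line)}


def suspicious_task(ev: dict):
    """4698: task named WindowsErrorReport, or any task whose action runs
    from under C:\\Windows\\Tasks (a data directory, not a program location)."""
    if ev.get("EventID") != "4698":
        return None
    name = ev.get("TaskName", "").lower()
    command = ev.get("Command", "").lower()
    if name.endswith("windowserrorreport"):
        return "task-name-match"
    if command.startswith(TASKS_DIR):
        return "task-runs-from-tasks-dir"
    return None


def suspicious_process(ev: dict):
    """Sysmon 1: a vlc.exe that is not in the VLC install directory."""
    if ev.get("EventID") != "1":
        return None
    image = ev.get("Image", "").lower()
    if image.endswith("\\vlc.exe") and not image.startswith(VLC_DIR):
        return "vlc-outside-install-dir"
    return None


def suspicious_imageload(ev: dict):
    """Sysmon 7: libvlc.dll loaded from outside the VLC install directory,
    the shape a side-loaded fake library would take."""
    if ev.get("EventID") != "7":
        return None
    loaded = ev.get("ImageLoaded", "").lower()
    if loaded.endswith("\\libvlc.dll") and not loaded.startswith(VLC_DIR):
        return "libvlc-sideload-candidate"
    return None


RULES = (suspicious_task, suspicious_process, suspicious_imageload)


def hunt(lines):
    """Return [(line_index, rule_verdict), ...] for every line a rule flags."""
    hits = []
    for idx, line in enumerate(lines):
        ev = parse_line(line)
        for rule in RULES:
            verdict = rule(ev)
            if verdict:
                hits.append((idx, verdict))
    return hits


if __name__ == "__main__":
    for idx, verdict in hunt(SAMPLE_LOGS):
        print(f"line {idx}: {verdict}: {SAMPLE_LOGS[idx]}")
```

The path-based rules catch renamed or relocated copies of the loader that a name-only match on WindowsErrorReport would miss, while the legitimate VLC lines in the sample show the baseline they must stay quiet on; the install-directory assumption should be replaced with the organisation's own software inventory before deployment.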
Additionally, deploying a security solution like K7 Total Security with up-to-date signatures and behavior-based detection can identify and quarantine these PowerShell-based techniques before substantial data exfiltration occurs.
Staying vigilant and updating both operating systems and security software remain critical to thwarting Patchwork’s evolving arsenal.