Patchwork Hackers Upgraded Their Arsenal With Advanced PGoShell


The Knownsec 404 Advanced Threat Intelligence Team has recently discovered a potential Bhutan-targeted attack by the Patchwork group, which employed an advanced Go backdoor and the Brute Ratel C4 red team tool for the first time.

The attack vector is a deceptive LNK (shortcut) file disguised as a PDF, which downloads decoy files as well as the payloads.


This shows that Patchwork has significantly updated its arsenal over the last couple of years, an evolution that includes the advanced PGoShell backdoor.

Patchwork Hackers Upgraded Their Arsenal

Since 2014, this APT group has operated mainly against government, defense, diplomatic, and research organizations in East and South Asia. More than ten trojans and loading methods have been observed so far.


The attack uses a deceptive LNK file that downloads a decoy PDF targeting Bhutan-related organizations, retrieves the following two payloads from a domain impersonating Beijing TV, and creates scheduled tasks:

Chains of attack (Source – Medium)

The Themida-packed edputil.dll is the loader for Brute Ratel C4; it uses anti-debugging techniques as well as custom API calling methods.

.themida section within the segment of edputil.dll (Source – Medium)

The final payload, Brute Ratel C4, loads into chakra.dll after performing time-based checks.

This red team framework, which is an alternative to Cobalt Strike, has features such as file management, port scanning, and screen capture that show how sophisticated the attack was and how the threat actor’s tactics are changing.

The Go-based malware, codenamed PGoShell and used by the Patchwork APT, has grown considerably and now incorporates various features, including a remote shell, screen capture, and payload execution.

RC4 encryption and base64 encoding are used for data obfuscation.
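As an added example (not code from the article or from the researchers), the following Python shows what an analyst needs in order to unwrap data obfuscated with this RC4-plus-base64 combination, e.g. a captured beacon body. The key, the layering order (RC4 first, then base64) and the JSON host-report format are assumptions for the demonstration; the real key would have to be recovered from the sample.

```python
import base64
import json
from typing import Any, Dict, Optional

# Constructed demo key. A real sample's key must be recovered from the binary.
DEMO_KEY = b"constructed-demo-key"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). RC4 is symmetric: the same call encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def obfuscate(key: bytes, plaintext: bytes) -> str:
    """RC4-encrypt, then base64-encode (this layering order is an assumption)."""
    return base64.b64encode(rc4(key, plaintext)).decode("ascii")


def deobfuscate(key: bytes, blob: str) -> bytes:
    """Reverse obfuscate(): strip the base64 layer, then RC4-decrypt.

    Invalid base64 raises ValueError so the analyst can distinguish 'wrong layer'
    from 'wrong key' (a wrong key silently yields garbage bytes instead).
    """
    raw = base64.b64decode(blob, validate=True)  # raises binascii.Error (a ValueError)
    return rc4(key, raw)


def decode_host_report(key: bytes, blob: str) -> Optional[Dict[str, Any]]:
    """Decode a beacon body into a dict, or None if the key is wrong / data is not JSON."""
    try:
        return json.loads(deobfuscate(key, blob).decode("utf-8"))
    except (ValueError, UnicodeDecodeError):
        return None


# Constructed sample host report; the field names are illustrative, not the malware's.
SAMPLE_REPORT = {
    "hostname": "WS-FINANCE-01",
    "user": "jdoe",
    "geo": {"country": "BT", "query": "203.0.113.7"},  # shape of an ip-api.com style lookup
}
SAMPLE_BLOB = obfuscate(DEMO_KEY, json.dumps(SAMPLE_REPORT).encode("utf-8"))


if __name__ == "__main__":
    print("obfuscated:", SAMPLE_BLOB)
    print("decoded   :", decode_host_report(DEMO_KEY, SAMPLE_BLOB))
    print("wrong key :", decode_host_report(b"wrong-key", SAMPLE_BLOB))
```

The `rc4()` routine is checked against the standard public test vectors (key "Key" / plaintext "Plaintext"), so a mismatch when decoding a real capture points at the key or the layering order rather than at the cipher implementation.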

Extensive host information is gathered by this malware, such as IP geolocation through ip-api.com, while HKCU\Software\Microsoft\WinTemp is used for persistence.

In one recent attack on Bhutan-related entities, Patchwork employed Brute Ratel C4, a red team framework that costs $3000 and uses pure in-memory loading, anti-debugging, unhooking techniques, and similar methods to bypass detection.

Brute Ratel C4 cost (Source – Medium)

The LNK file was misleadingly named so that it appeared like PDF information concerning the Adaptation Fund Board project.

With the adoption of Brute Ratel C4 and the upgraded PGoShell, Patchwork appears to be changing its cyber-operations modus operandi increasingly fast, building on its past successes and making future threats likely.

IoCs

C2:

  • Beijingtv[.]org
  • Cartmizer[.]info
  • longwang.b-cdn[.]net
