
Patchwork APT Group Introduces Nexe Backdoor in Latest Campaign


Cyble Research and Intelligence Labs (CRIL) has uncovered a new cyber campaign by the Patchwork APT group. The campaign marks a notable shift in the group's tactics: it uses a new backdoor, named "Nexe", to evade detection and carry out complex attacks, predominantly against Chinese entities.

The Patchwork APT group, also known as Dropping Elephant, has a history of engaging in cyber espionage activities dating back to 2009. Originating from India, this group has predominantly focused on infiltrating high-profile organizations, including government and diplomatic entities in South and Southeast Asia. Their previous campaigns have been notably directed towards entities in China and Bhutan, reflecting a consistent pattern of targeted attacks on regions of geopolitical significance.

As of July 2024, CRIL has been actively monitoring the Patchwork APT group’s activities, specifically observing a notable campaign initiated on July 24. This campaign commenced with the distribution of a malicious LNK file, likely propagated through phishing emails, serving as the initial point of entry for potential victims.

The tactics employed by the Patchwork APT group in this campaign are strategically designed to deceive and lure unsuspecting targets. By disguising the malicious LNK file as “COMAC_Technology_Innovation.pdf.lnk,” referencing the Commercial Aircraft Corporation of China, the group aimed to attract organizations involved in aerospace and technology research. The use of region-specific decoys, such as the LNK file “Large_Innovation_Project_for_Bhutan.pdf.lnk,” further illustrates the group’s adaptability in tailoring their attacks to increase the success rate of their phishing attempts.

One of the newly identified LNK files associated with the Patchwork APT group, "186523-pdf.lnk", downloads a benign PDF alongside a malicious Dynamic Link Library (DLL) containing encrypted shellcode when it is executed. Through DLL sideloading, the malware disguises its activity by having the legitimate Windows system binary "WerFaultSecure.exe" load the malicious DLL and execute the payload, so that the process looks like normal system activity.

Upon decryption and execution of the shellcode by the DLL, key API functions are modified to evade detection mechanisms, allowing the malware to operate undetected within the infected system. This meticulous approach highlights the advanced capabilities and evasive strategies employed by the Patchwork APT group in executing their cyber espionage campaigns.

Looking more closely at the technical side of the attack, the malicious LNK file, disguised as a PDF, launches a PowerShell script that performs the malicious actions. The script downloads a seemingly innocuous PDF and then the malicious DLL, which it saves as "wer.dll" so that WerFaultSecure.exe sideloads it; this lets the DLL execute while concealing its true nature.

To ensure persistence within the compromised environment, the script establishes a scheduled task named “EdgeUpdate,” configured to run the legitimate WerFaultSecure.exe at regular intervals. This method enhances the malware’s longevity and complicates detection and mitigation efforts by security teams.
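The chain described above (a ".pdf.lnk" decoy, wer.dll sideloaded by WerFaultSecure.exe from a non-system path, and an "EdgeUpdate" scheduled task) gives a defender three concrete things to look for in endpoint telemetry. The following detection script is an added example, not code from the article or from CRIL; it runs over constructed Sysmon-style events embedded inline, and the paths, the event layout and the schtasks arguments are assumptions for illustration.

```python
import re

# Constructed Sysmon-style events (not real telemetry) modelled on the chain
# described above: LNK with a double extension -> PowerShell -> wer.dll dropped
# beside WerFaultSecure.exe -> "EdgeUpdate" scheduled task. id 1 = process
# creation, id 7 = image (DLL) load. Paths and arguments are assumptions.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -w hidden C:\Users\u\Downloads\COMAC_Technology_Innovation.pdf.lnk"},
    {"id": 7, "image": r"C:\Users\u\AppData\Local\Temp\WerFaultSecure.exe",
     "loaded": r"C:\Users\u\AppData\Local\Temp\wer.dll"},
    {"id": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks /create /tn EdgeUpdate /tr C:\Users\u\AppData\Local\Temp\WerFaultSecure.exe /sc minute /mo 5"},
    # Benign control: the genuine system binary loading the system copy of wer.dll.
    {"id": 7, "image": r"C:\Windows\System32\WerFaultSecure.exe",
     "loaded": r"C:\Windows\System32\wer.dll"},
]

SYSTEM_DIR = r"c:\windows\system32"

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def in_system_dir(path):
    return path.lower().startswith(SYSTEM_DIR + "\\")

def detect(events):
    """Return (rule_name, evidence) pairs for events matching the three indicators."""
    hits = []
    for ev in events:
        if ev["id"] == 1:
            cmd = ev.get("cmdline", "")
            # Decoy document: a shortcut whose name ends in ".pdf.lnk".
            if re.search(r"\.pdf\.lnk\b", cmd, re.I):
                hits.append(("double_extension_lnk", cmd))
            # Persistence: schtasks creating "EdgeUpdate" that runs WerFaultSecure.exe.
            if (basename(ev["image"]) == "schtasks.exe"
                    and re.search(r"/tn\s+EdgeUpdate\b", cmd, re.I)
                    and "werfaultsecure.exe" in cmd.lower()):
                hits.append(("edgeupdate_task_persistence", cmd))
        elif ev["id"] == 7:
            # Sideload: WerFaultSecure.exe loading wer.dll from anywhere other than System32.
            if (basename(ev["image"]) == "werfaultsecure.exe"
                    and basename(ev["loaded"]) == "wer.dll"
                    and not (in_system_dir(ev["image"]) and in_system_dir(ev["loaded"]))):
                hits.append(("wer_dll_sideload", ev["loaded"]))
    return hits
```

Running `detect(SAMPLE_EVENTS)` yields one hit per indicator and none for the benign control event; in practice the same three rules map directly onto process-creation and image-load events from Sysmon or an EDR.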

Furthermore, after infection the malware collects sensitive system information, encrypts it using hashing and encryption algorithms, and transmits it to a predetermined command and control server. This exfiltration channel lets the Patchwork APT group keep control of the compromised environment while extracting valuable intelligence.

In conclusion, the recent cyber campaign orchestrated by the Patchwork APT group signifies a new era in cyber espionage tactics, characterized by sophisticated evasion techniques and targeted attacks against entities of strategic interest. The group’s adeptness at adapting their strategies and evading detection underscores the need for robust cybersecurity measures to mitigate the risks posed by such advanced threat actors in the digital landscape.
