Patchwork Threat Actor Targets Bhutan with Brute Ratel C4 and Updated PGoShell Backdoor

Introduction

The cyber threat landscape is constantly evolving, with state-sponsored actors frequently refining their tactics to breach sensitive targets. One such group, known as Patchwork, has recently been linked to a cyberattack aimed at entities associated with Bhutan. This attack employed the Brute Ratel C4 framework and an updated version of the PGoShell backdoor, marking the first time Patchwork has been observed using this particular red teaming software. This article delves into the specifics of the attack, the history of Patchwork, and the broader implications of their latest operations.

Patchwork's New Tools: Brute Ratel C4 and PGoShell

Patchwork, also referred to by several aliases including APT-C-09, Dropping Elephant, and Viceroy Tiger, has a history of sophisticated cyber operations. Known to be state-sponsored and likely of Indian origin, Patchwork has been active since at least 2009. Historically, this group has conducted spear-phishing and watering hole attacks, particularly against targets in China and Pakistan.

The recent attack targeting Bhutan is significant as it marks the first recorded instance of Patchwork utilizing the Brute Ratel C4 framework. Additionally, an updated version of the PGoShell backdoor was deployed, showcasing the group's evolving capabilities. PGoShell, developed in the Go programming language, offers a robust set of functionalities including remote shell capabilities, screen capture, and the ability to download and execute additional payloads.

A History of Cyber Espionage

Patchwork has a well-documented history of cyber espionage activities. In July 2023, the Knownsec 404 Team revealed an espionage campaign targeting Chinese universities and research organizations. This campaign employed a .NET-based implant called EyeShell, which was capable of fetching and executing commands from a server controlled by the attackers, deploying additional payloads, and capturing screenshots.

In February 2024, Patchwork was found to be using romance-themed lures to compromise victims in Pakistan and India. These attacks involved the deployment of a remote access trojan known as VajraSpy, which was used to infiltrate Android devices.

The Latest Attack Chain

The most recent attack linked to Patchwork began with a Windows shortcut (LNK) file. This file was designed to download a decoy PDF document from a remote domain that impersonated the UNFCCC-backed Adaptation Fund. Simultaneously, it stealthily deployed the Brute Ratel C4 framework and PGoShell backdoor, retrieved from a different domain ("beijingtv[.]org").

This attack highlights Patchwork's continued focus on leveraging social engineering tactics to deceive targets and gain unauthorized access to systems. The use of the Brute Ratel C4 framework, a tool commonly associated with red teaming exercises, indicates a strategic shift towards more advanced methods of evading detection.
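The chain described above (a shortcut launched from Explorer, a script host fetching a decoy document, and a second-stage download from the attacker-controlled domain) leaves a recognizable pattern in process-creation and proxy telemetry. The following Python triage helper is an added example written for this article, not code from the original report or from any vendor; it takes the defanged domain published above, refangs it only at match time, and flags events where explorer.exe spawns a script host that reaches out to a URL. The Event fields, the SAMPLE_EVENTS list, the decoy.invalid hostname and the Windows paths are all constructed for illustration and are not telemetry from the real incident.

```python
"""Triage helper for LNK-style lure chains: flag process-creation events where
Explorer spawns a script host that contacts a URL, and match any observed
destination against defanged IoC domains."""
from dataclasses import dataclass, field
import re

# Domain published in the article, kept defanged in the source; it is only
# refanged at comparison time so the list is safe to copy around.
IOC_DOMAINS_DEFANGED = ["beijingtv[.]org"]

# Script hosts commonly invoked as the target of a shortcut file. When a user
# double-clicks an LNK the parent process is explorer.exe.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe",
                "rundll32.exe", "wscript.exe", "cscript.exe"}
URL_RE = re.compile(r"https?://([a-z0-9.-]+)", re.IGNORECASE)


def refang(domain: str) -> str:
    """Turn 'example[.]org' back into 'example.org'."""
    return domain.replace("[.]", ".")


def matches_ioc(host: str, iocs=IOC_DOMAINS_DEFANGED) -> bool:
    """True if host equals an IoC domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    for ioc in iocs:
        d = refang(ioc).lower()
        if host == d or host.endswith("." + d):
            return True
    return False


@dataclass
class Event:
    """Minimal process-creation record (hypothetical schema for this example)."""
    parent: str            # full path of the parent image
    image: str             # full path of the created image
    cmdline: str           # command line of the created process
    dest_host: str = ""    # destination host from proxy/DNS correlation, if any


@dataclass
class Finding:
    index: int
    reasons: list = field(default_factory=list)


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def triage(events):
    """Return a Finding for every event that matches a heuristic."""
    findings = []
    for i, ev in enumerate(events):
        reasons = []
        hosts = {h.lower() for h in URL_RE.findall(ev.cmdline)}
        if ev.dest_host:
            hosts.add(ev.dest_host.lower())
        if _basename(ev.parent) == "explorer.exe" and _basename(ev.image) in SCRIPT_HOSTS and hosts:
            reasons.append("explorer.exe spawned a script host that contacts a URL (LNK-style lure)")
        for h in sorted(hosts):
            if matches_ioc(h):
                reasons.append(f"destination {h} matches a published IoC domain")
        if reasons:
            findings.append(Finding(i, reasons))
    return findings


# Constructed sample events; none of these are real telemetry.
SAMPLE_EVENTS = [
    Event(r"C:\Windows\explorer.exe", r"C:\Program Files\Office\WINWORD.EXE",
          "WINWORD.EXE report.docx"),                                  # benign
    Event(r"C:\Windows\explorer.exe",
          r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          'powershell.exe -c "Invoke-WebRequest http://decoy.invalid/report.pdf"'),  # lure pattern
    Event(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r"C:\Users\Public\updater.exe", "updater.exe",
          dest_host="beijingtv.org"),                                  # IoC hit
    Event(r"C:\Windows\System32\svchost.exe", r"C:\Program Files\Chrome\chrome.exe",
          "chrome.exe https://www.example.com/"),                      # benign
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"event {f.index}: " + "; ".join(f.reasons))
```

The two heuristics are deliberately independent: the Explorer-to-script-host rule catches the lure stage even when the domains rotate, while the IoC match catches the known infrastructure regardless of which process contacted it. In practice the IoC list would be loaded from a feed and the events streamed from EDR or Sysmon output rather than embedded in the script.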

Tactical Overlaps and Related Threat Actors

Patchwork's operations are part of a broader pattern observed in the activities of several related threat actors. APT-K-47, another group with tactical overlaps with Patchwork, SideWinder, Confucius, and Bitter, has also been active in recent months. APT-K-47 was recently attributed to attacks utilizing ORPCBackdoor and previously undocumented malware like WalkerShell, DemoTrySpy, and NixBackdoor. These attacks have been characterized by the use of Nimbo-C2, an open-source command-and-control (C2) framework that enables a wide range of remote control functionalities.

Conclusion

The latest activities of Patchwork underscore the persistent and evolving nature of state-sponsored cyber threats. The group's adoption of new tools like the Brute Ratel C4 framework and the updated PGoShell backdoor indicates a commitment to enhancing their operational effectiveness and evading detection. As cyber threat actors continue to refine their techniques, organizations must remain vigilant, adopting robust cybersecurity measures to protect against these sophisticated threats. The ongoing monitoring of groups like Patchwork is crucial in understanding the ever-changing tactics employed by state-sponsored actors in the cyber domain.
