Recent analyses by Cyble Research and Intelligence Labs (CRIL) have brought to light an ongoing cyber campaign orchestrated by the notorious Patchwork APT group. This campaign marks a new evolution in their tactics, leveraging a new backdoor dubbed “Nexe” to effectively evade detection mechanisms and execute sophisticated attacks, particularly against Chinese entities.
Known for its longstanding cyber espionage operations, the Patchwork APT group, also referred to as Dropping Elephant, has been active since 2009. Believed to originate from India, this group primarily targets high-profile organizations, including government and diplomatic entities in South and Southeast Asia.
Historically, the group has executed multiple campaigns against entities in China and Bhutan, showcasing a pattern of focused attacks on regions of geopolitical interest.
Overview of the Patchwork APT Group
As of July 2024, CRIL has been tracking the Patchwork APT’s activities, observing a noteworthy campaign that began on July 24. This involved the deployment of a malicious LNK file, likely disseminated through phishing emails, which serves as the initial infection vector.
The Patchwork APT campaign employs a seemingly innocuous LNK file named “COMAC_Technology_Innovation.pdf.lnk,” which lures victims by referencing the Commercial Aircraft Corporation of China. This tactic coincides with the 7th COMAC International Science and Technology Innovation Week, strategically aiming at organizations in aerospace and technology research.
Analysts from Aliyun have detailed the tactics employed in this campaign, further highlighting the sophistication of the Patchwork APT group’s strategies. In parallel, another LNK file titled “Large_Innovation_Project_for_Bhutan.pdf.lnk” targeted Bhutan, showcasing a proposal from the Adaptation Fund Board. This demonstrates the group’s adaptability in using region-specific decoys to increase the likelihood of successful phishing attempts.
Among the ongoing campaigns, a newly identified LNK file, “186523-pdf.lnk,” is linked to the Patchwork APT group’s operations. Upon execution, this file downloads two critical components: a harmless PDF meant to deceive the user and a malicious Dynamic Link Library (DLL) containing an encrypted shellcode. By employing DLL sideloading techniques, the malware disguises its malicious activities, utilizing the legitimate Windows system file “WerFaultSecure.exe” to load the DLL and execute its payload.
Once loaded, the DLL decrypts and executes the shellcode, which modifies key API functions like AMSIscanBuffer and ETWEventWrite, allowing the malware to operate undetected within the system. This methodical evasion of detection mechanisms highlights the advanced capabilities of the Patchwork APT group.
Technical Insights into the Attack
The LNK file, masquerading as a PDF, initiates a PowerShell script responsible for several malicious actions. The script first utilizes the “Invoke-WebRequest” command to download a seemingly innocent PDF from a specified URL and save it in the “C:\ProgramData” directory. However, this PDF is devoid of content, serving merely as a ruse.
Following this, the script fetches another file from the same domain, initially saving it as “hal” before renaming it to “wer.dll.” This strategic naming convention aligns with the DLL sideloading techniques employed by the Patchwork APT group, facilitating the malicious DLL’s execution while masking its true nature.
To ensure persistence within the compromised environment, the script creates a scheduled task named “EdgeUpdate,” configured to run the legitimate WerFaultSecure.exe at regular intervals. This tactic not only reinforces the malware’s presence but also complicates efforts to identify and neutralize the threat.
Once the malicious DLL is successfully loaded, it decrypts the embedded shellcode, meticulously crafted to bypass security mechanisms by patching specific bytes in critical API functions like AmsiScanString and AmsiScanBuffer. This approach enables the malware to execute without triggering alarms, demonstrating the Patchwork APT group’s adeptness at evading detection.
Upon loading its final payload into memory, the malware employs various functions to collect sensitive system information, such as the victim’s IP address, username, and device details. This data is subsequently encrypted using a combination of SHA256 hashing and the Salsa20 encryption algorithm, illustrating an evolution in the group’s encryption methods compared to previous campaigns.
The encrypted data is concatenated into a singular string and transmitted to a hardcoded command and control (C&C) server, specifically “iceandfire[.]xyz.” This method of data exfiltration allows the Patchwork APT group to maintain a foothold in the victim’s environment while harvesting valuable intelligence.
