URL: https://cyble.com/blog/nexe-backdoor-unleashed-patchwork-apt-groups-sophisticated-evasion-of-defenses/


 * APT, Cybercrime

 * September 26, 2024


NEXE BACKDOOR UNLEASHED: PATCHWORK APT GROUP’S SOPHISTICATED EVASION OF DEFENSES

Cyble analyzes an ongoing Patchwork APT campaign using a new backdoor that
employs API patching to bypass security alerts.


KEY TAKEAWAYS

 * Cyble Research and Intelligence Labs (CRIL) recently encountered an ongoing
   campaign associated with the Patchwork APT group, which is likely aimed at
   Chinese entities.
 * This campaign continues the trend of the Patchwork APT group, which has
   previously targeted entities in China and Bhutan.
 * The threat actors (TAs) have utilized a malicious LNK file, likely
   originating from a phishing email, as the initial infection vector. This file
   executes a PowerShell script that downloads two files: a seemingly innocuous
   PDF intended to lure the user and a malicious Dynamic Link Library (DLL).
 * This campaign employs DLL sideloading techniques to execute the downloaded
   DLL using the legitimate system file “WerFaultSecure.exe,” thereby
   obfuscating malicious activity.
 * The loaded DLL decrypts and executes shellcode that patches the
   AmsiScanBuffer, AmsiScanString and EtwEventWrite APIs in memory. This
   manipulation aims to evade AMSI- and ETW-based detection, allowing the
   malware to operate stealthily within the compromised system.
 * The shellcode is subsequently used to decrypt and execute the final payload,
   stealing sensitive information from the victim’s machine.


OVERVIEW

Patchwork, also known as Dropping Elephant, is a highly active advanced
persistent threat (APT) group that has been engaged in cyber espionage
operations since 2009. Believed to be based in India, this group primarily
targets high-profile organizations such as government, defense, and diplomatic
entities across South and Southeast Asia.

Cyble Research and Intelligence Labs (CRIL) has been closely monitoring the
activities of the Patchwork APT group since July 2024. On July 24, 2024, CRIL
observed a campaign related to Patchwork APT. By pivoting on the naming pattern
of the files, CRIL identified several files associated with two major Patchwork
APT campaigns: the first targeting Bhutan and the second targeting Chinese
entities.







Campaign Targeting China

This campaign involves a malicious LNK file titled
“COMAC_Technology_Innovation.pdf.lnk,” which references the Commercial Aircraft
Corporation of China and specifically targets Chinese entities. This lure
capitalizes on the 7th COMAC International Science and Technology Innovation
Week, with TAs leveraging this event to focus on organizations in the aerospace,
technology research, and government sectors, thereby increasing the success rate
of their phishing campaign. Researchers from Aliyun have analyzed this campaign
and published their findings in a blog post detailing the tactics used by
Patchwork.

Campaign targeting Bhutan

Another notable campaign by this group observed in the same month targeted
Bhutan with a file named ‘Large_Innovation_Project_for_Bhutan.pdf.lnk.’ This
decoy document features a project proposal for Bhutan from the Adaptation Fund
Board.

Ongoing Campaign

Among these, a newly identified LNK file, “186523-pdf.lnk”, appears to be linked
to an ongoing campaign of the Patchwork group. This same sample was also shared
by researcher Ginkgo and StrikeReady Labs on X (formerly Twitter).

When executed, the malicious LNK file downloads two components: a lure PDF and
a malicious DLL containing encrypted shellcode. Additionally, it copies a system
file from the victim’s machine, which is then leveraged to sideload the
malicious DLL. This DLL decrypts and executes the final payload directly in
memory. The malware collects system information, such as the Process ID, public
and private IP addresses, usernames, and more, and transmits this data to the
command and control (C&C) server, enabling further malicious activities, as
shown in the image below.

This variant seems to be new compared to the payloads observed in previous
campaigns. For tracking purposes, we are naming the malware “Nexe” Backdoor, as
the string “Nexe” was found hardcoded in the binary used for C&C communication.

Figure 1 – Infection chain


Notably, this campaign has no obvious target, as the lure is a plain, empty
PDF. However, the names of the payload servers used in this campaign, such as
shianchi[.]scapematic.info and jihang[.]scapematic.info, suggest that Chinese
entities are likely being targeted. Typically, the Patchwork group’s payload
server names are associated with the country they are focusing on.


TECHNICAL DETAILS

The LNK file, disguised as a PDF, contains a PowerShell script that carries out
several malicious actions. The image below shows its contents.

Figure 2 – LNK file content


The script first uses an “Invoke-WebRequest” command to download a file from the
URL “hxxps://jihang[.]scapematic[.]info/eqhgrh/uybvjxosg” and saves it as a PDF
in the “C:\ProgramData” directory. This PDF file appears to be the lure
document, but in this case, it contains no content and is simply a plain, empty
PDF.

Next, the script downloads another file from a different URL on the same domain,
“hxxps://shianchi[.]scapematic[.]info/jhgfd/jkhxvcf,” saving it initially as
“hal” in the “C:\ProgramData” directory. It then renames the file to “wer.dll”
in the same location.

The script proceeds to copy the Windows system file “WerFaultSecure.exe” from
“C:\Windows\System32” to “C:\ProgramData”, likely to facilitate DLL sideloading.
The image below shows the downloaded files on the victim’s machine.

Figure 3 – Downloaded files


Finally, it creates a scheduled task named “EdgeUpdate” to run
“WerFaultSecure.exe” at regular intervals, ensuring persistence on the
compromised system. The image below shows the scheduled task created on the
system.

Figure 4 – Task Scheduler to execute the WerFaultSecure.exe



DLL SIDELOADING

Threat actors leveraged the DLL sideloading technique to load the malicious DLL
file using the legitimate WerFaultSecure.exe, as shown in the image below.

Figure 5 – DLL sideloading


After the DLL is successfully loaded, it decrypts the encrypted shellcode within
it and writes the decrypted content into the memory of the WerFaultSecure
process, as shown in the image below.

Figure 6 – Writing decrypted content in WerFaultSecure address space
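The chain above (a copy of WerFaultSecure.exe in C:\ProgramData, wer.dll loaded into it from the same directory, and a scheduled task pointing at the copy) is straightforward to detect from process-creation and image-load telemetry. The following is an added example, not code from the report: it runs simple checks over constructed records shaped like Sysmon Event ID 1 and 7 entries plus a simplified scheduled-task registration record (a real deployment would parse Security event 4698). The legitimate directories for WerFaultSecure.exe are an assumption for a default install.

```python
"""Detection logic for the WerFaultSecure.exe sideloading chain described above.

Added example, not code from the report. Events below are constructed to look
like Sysmon Event ID 1 (process create) and 7 (image load) records plus a
simplified scheduled-task registration; they are not real telemetry.
"""
import json
import ntpath
from typing import Dict, List

# Assumption: on a default install WerFaultSecure.exe lives only under these
# directories. Any copy elsewhere is a sideloading candidate.
LEGIT_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
TARGET_EXE = "werfaultsecure.exe"
TARGET_DLL = "wer.dll"


def _is_target(path: str) -> bool:
    return ntpath.basename(path).lower() == TARGET_EXE


def _in_legit_dir(path: str) -> bool:
    return ntpath.dirname(path).lower().rstrip("\\") in LEGIT_DIRS


def check_event(ev: Dict) -> List[str]:
    """Return alert strings for one parsed event; an empty list means benign."""
    alerts: List[str] = []
    eid = ev.get("EventID")
    if eid == 1:  # process creation
        image = ev.get("Image", "")
        if _is_target(image) and not _in_legit_dir(image):
            alerts.append(f"WerFaultSecure.exe started from non-system path: {image}")
    elif eid == 7:  # image load into a process
        image, loaded = ev.get("Image", ""), ev.get("ImageLoaded", "")
        if (_is_target(image) and ntpath.basename(loaded).lower() == TARGET_DLL
                and not _in_legit_dir(loaded)):
            alerts.append(f"{TARGET_DLL} sideloaded into WerFaultSecure.exe from {loaded}")
    elif eid == "TaskRegistered":  # constructed shape; parse Security 4698 XML in practice
        action = ev.get("Action", "")
        if _is_target(action) and not _in_legit_dir(action):
            alerts.append(f"scheduled task {ev.get('TaskName')} runs {action}")
    return alerts


def scan(lines: List[str]) -> List[str]:
    """Run check_event over JSON-encoded log lines and collect every alert."""
    alerts: List[str] = []
    for line in lines:
        alerts.extend(check_event(json.loads(line)))
    return alerts


# Constructed sample: three events from the chain in the report and two benign ones.
SAMPLE_LINES = [json.dumps(e) for e in [
    {"EventID": 1, "Image": "C:\\ProgramData\\WerFaultSecure.exe",
     "ParentImage": "C:\\Windows\\System32\\svchost.exe"},
    {"EventID": 7, "Image": "C:\\ProgramData\\WerFaultSecure.exe",
     "ImageLoaded": "C:\\ProgramData\\wer.dll"},
    {"EventID": "TaskRegistered", "TaskName": "\\EdgeUpdate",
     "Action": "C:\\ProgramData\\WerFaultSecure.exe"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\WerFaultSecure.exe",
     "ParentImage": "C:\\Windows\\System32\\svchost.exe"},
    {"EventID": 7, "Image": "C:\\Windows\\System32\\WerFaultSecure.exe",
     "ImageLoaded": "C:\\Windows\\System32\\wer.dll"},
]]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LINES):
        print("ALERT:", alert)
```

The path check is deliberately on the directory rather than the file name alone: the binary is the genuine, signed WerFaultSecure.exe, so hash- or signature-based checks will not flag it, and only its location and the origin of the DLL it loads give the chain away. The earlier file-copy into C:\ProgramData (Sysmon Event ID 11) is an additional, earlier signal worth adding in the same style.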



BYPASSING SECURITY MECHANISMS VIA MEMORY PATCHING

The injected shellcode is crafted to circumvent the Antimalware Scan Interface
(AMSI) and Event Tracing for Windows (ETW) by patching specific bytes at the
start of the EtwEventWrite, AmsiScanString, and AmsiScanBuffer APIs, as shown in
the images below.

Figure 7 – Patching Security Tool APIs


Once the shellcode overwrites these APIs, it creates a section object from the
previously decrypted content and maps it into the address space of
WerFaultSecure. This allows the final VC++ compiled payload to execute without
triggering any security alerts.


FINAL PAYLOAD

Once the payload is successfully loaded into memory, it utilizes the
LoadLibraryW() API to load the necessary modules for execution, as shown in the
image below.

Figure 8 – Loading required modules for execution


After loading the necessary modules, the malware creates a mutex named “dsds” to
ensure that only one instance of the malware runs on the victim’s system at a
time, as shown in the figure below.

Figure 9 – Mutex Creation


After creating the mutex, the malware retrieves a handle to the console window
associated with the calling process. It then hides the console window and
continues running in the background.

Figure 10 – Hiding the console window


The malware then calls the GetAdaptersInfo() and gethostname() functions to
collect information about the network adapters and the host name of the
compromised machine, as shown in the image below.

Figure 11 – Fetching system network adapter details


The malware queries https://myexternalip.com/raw using a specific user agent to
obtain the victim’s public IP address, as demonstrated in the image below.

Figure 12 – Malware retrieving public IP


After gathering key system details, including the MAC address, username, and IP
address, the malware computes the SHA256 hash for these values before further
encryption, as shown in the image below.

Figure 13 – Generating SHA256


After generating the hash, the malware encodes it into Base64 format. The
resulting data then enters another encryption loop using the Salsa20 algorithm,
which represents a change from the previous encryption method used in prior
campaigns. This is followed by an additional round of Base64 encoding. The
figure below shows the encryption code with key and nonce.

Figure 14 – Salsa20 Encryption


In addition to the previously mentioned details, including the MAC address,
username, and IP address, the malware also retrieves and encrypts the following
information using the same sequence: it first converts the data into Base64
format, then applies the Salsa20 encryption algorithm and finally encodes it
again in Base64:

 * Process ID
 * Local IP address
 * Windows version
 * Username
 * Hardcoded user-agent string

Each piece of encrypted system information is concatenated and separated by the
“$” symbol. The image below displays the encrypted system information.

Figure 15 – Encrypted System information


The encrypted data corresponds to the following fields, in this order:

 * MAC address $ username $ public IP address $ private IP address $ Windows
   version $ username $ Process ID $ Nexe (hardcoded string) $ User-agent string
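The encoding sequence above (Base64, Salsa20, Base64 again, fields joined with "$") is what an analyst needs to reproduce in order to decode captured beacons. The following is an added example, not code from the report or from the malware: Salsa20/20 is implemented from the specification so it runs offline, and KEY and NONCE are constructed placeholders because the report shows the real values only in a screenshot. The report does not state whether the SHA-256 is taken over the MAC address, username and public IP individually or over their concatenation, nor whether the digest is used raw or as hex; hashing each value separately and using the hex digest is an assumption made here.

```python
"""Beacon field encoding as described in the report: Base64 -> Salsa20 -> Base64
per field, fields joined with "$". Added example, not the malware's own code.
KEY, NONCE and SAMPLE_INFO are constructed placeholders.
"""
import base64
import hashlib
import struct
from typing import Dict, List

MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def quarterround(y0: int, y1: int, y2: int, y3: int):
    z1 = y1 ^ _rotl((y0 + y3) & MASK, 7)
    z2 = y2 ^ _rotl((z1 + y0) & MASK, 9)
    z3 = y3 ^ _rotl((z2 + z1) & MASK, 13)
    z0 = y0 ^ _rotl((z3 + z2) & MASK, 18)
    return z0, z1, z2, z3


# One double-round = column round followed by row round (index sets from the spec).
_COLUMNS = ((0, 4, 8, 12), (5, 9, 13, 1), (10, 14, 2, 6), (15, 3, 7, 11))
_ROWS = ((0, 1, 2, 3), (5, 6, 7, 4), (10, 11, 8, 9), (15, 12, 13, 14))


def salsa20_hash(block: bytes) -> bytes:
    """Salsa20 core: 64-byte block in, 64-byte block out, 20 rounds."""
    x = list(struct.unpack("<16I", block))
    z = list(x)
    for _ in range(10):
        for a, b, c, d in _COLUMNS + _ROWS:
            z[a], z[b], z[c], z[d] = quarterround(z[a], z[b], z[c], z[d])
    return struct.pack("<16I", *((zi + xi) & MASK for zi, xi in zip(z, x)))


def keystream_block(key: bytes, nonce: bytes, counter: int) -> bytes:
    """Build the input block (constants, key, nonce, 64-bit counter) and hash it."""
    if len(key) == 32:
        const, k = b"expand 32-byte k", key
    elif len(key) == 16:
        const, k = b"expand 16-byte k", key + key
    else:
        raise ValueError("Salsa20 key must be 16 or 32 bytes")
    if len(nonce) != 8:
        raise ValueError("Salsa20 nonce must be 8 bytes")
    block = (const[0:4] + k[0:16] + const[4:8] + nonce + struct.pack("<Q", counter)
             + const[8:12] + k[16:32] + const[12:16])
    return salsa20_hash(block)


def salsa20_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation) by XOR with the keystream."""
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = keystream_block(key, nonce, i // 64)
        out += bytes(a ^ b for a, b in zip(data[i:i + 64], ks))
    return bytes(out)


def sha256_hex(value: str) -> bytes:
    return hashlib.sha256(value.encode()).hexdigest().encode()


def encode_field(value: bytes, key: bytes, nonce: bytes) -> str:
    """Base64 -> Salsa20 -> Base64, the per-field sequence the report describes."""
    return base64.b64encode(salsa20_xor(key, nonce, base64.b64encode(value))).decode()


def decode_field(field: str, key: bytes, nonce: bytes) -> bytes:
    return base64.b64decode(salsa20_xor(key, nonce, base64.b64decode(field)))


def build_beacon(info: Dict, key: bytes, nonce: bytes) -> str:
    """Assemble the nine '$'-separated fields in the order listed in the report."""
    fields = [
        sha256_hex(info["mac"]), sha256_hex(info["username"]), sha256_hex(info["public_ip"]),
        info["private_ip"].encode(), info["windows_version"].encode(),
        info["username"].encode(), str(info["pid"]).encode(),
        b"Nexe", info["user_agent"].encode(),
    ]
    return "$".join(encode_field(f, key, nonce) for f in fields)


def parse_beacon(beacon: str, key: bytes, nonce: bytes) -> List[bytes]:
    # "$" is outside the Base64 alphabet, so splitting on it is unambiguous.
    return [decode_field(f, key, nonce) for f in beacon.split("$")]


KEY = b"constructed-32-byte-key-example!"   # placeholder, not the sample's key
NONCE = b"\x01\x02\x03\x04\x05\x06\x07\x08"  # placeholder, not the sample's nonce
SAMPLE_INFO = {  # constructed victim details
    "mac": "00-11-22-33-44-55", "username": "analyst", "public_ip": "203.0.113.7",
    "private_ip": "10.0.0.5", "windows_version": "10.0.19045", "pid": 4242,
    "user_agent": "Mozilla/5.0 (constructed UA)",
}

if __name__ == "__main__":
    beacon = build_beacon(SAMPLE_INFO, KEY, NONCE)
    print(beacon)
    for field in parse_beacon(beacon, KEY, NONCE):
        print(field)
```

Because Salsa20 is a stream cipher, the same key and nonce are reused for every field and every beacon, so decrypting a captured beacon only requires the key and nonce from Figure 14 and no per-message state; the outer Base64 layer is what makes the "$" separator safe, since "$" never occurs in Base64 output.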

Using the final generated string, the malware initiates an HTTP request to the
hardcoded C&C domain “iceandfire[.]xyz,” as illustrated in the image below.

Figure 16 – Sending request


After constructing the HTTP request, the malware transmits encrypted data to its
C&C server. However, since the C&C was not active during the analysis, we
couldn’t fully assess its behavior. Despite this, following the POST request,
the malware creates two threads capable of performing various tasks, as shown in
the image below.

Figure 17 – Creation of Threads


One of the threads extracts part of the initially generated string, namely the
encrypted MAC address, username, and public IP address of the victim’s machine,
and attempts to send this data to the same domain.

Figure 18 – Thread sending a request to C&C

The threads read the server’s response following the request and then compare
the response with the following values:

 * upload
 * uplexe
 * download
 * filelist
 * screenshot

This comparison helps the thread to determine the actions or commands that it
should execute in the system.


CONCLUSION

The ongoing evolution and enhancement of the Patchwork APT group’s malware
capabilities highlight their commitment to remaining at the forefront of
espionage and cyber operations. The latest attack exemplifies their ability to
evade security alerts and execute malicious files directly in memory, showcasing
a sophisticated approach that underscores their adaptability and resourcefulness
in the ever-changing landscape of cybersecurity threats. This adaptability not
only enables them to bypass traditional defenses but also poses significant
challenges for organizations seeking to protect themselves from such advanced
tactics.


RECOMMENDATIONS

 * The initial breach likely occurs via a phishing email. Deploy strong email
   filtering to identify and block malicious attachments, including LNK files
   disguised as documents.
 * Exercise caution when handling email attachments or links, particularly
   those from unknown senders. Verify the sender’s identity if an email seems
   suspicious.
 * Consider disabling or limiting the execution of scripting languages such as
   PowerShell on user workstations and servers where they are not essential
   for legitimate purposes.
 * Restrict the execution of WerFaultSecure.exe to its designated location
   (C:\Windows\System32) so that copies in other directories, such as
   C:\ProgramData, cannot run or sideload DLLs.
 * Use a reputable anti-virus and internet security package on all connected
   devices, including PCs, laptops, and mobile devices.
 * Monitor the network for the beacon described above to block data
   exfiltration by the malware or the TAs.


MITRE ATT&CK® TECHNIQUES

Tactic | Technique | Description
Initial Access (TA0001) | Phishing (T1566) | Malware distribution via phishing
Execution (TA0002) | User Execution (T1204) | Manual execution by the user
Defense Evasion (TA0005) | Masquerading: Masquerade File Type (T1036.008) | LNK file disguised as a legitimate PDF file
Privilege Escalation (TA0004) | Hijack Execution Flow: DLL Side-Loading (T1574.002) | Malicious DLL side-loaded by the legitimate WerFaultSecure.exe
Privilege Escalation (TA0004) | Process Injection (T1055) | Injects malicious code into WerFaultSecure.exe
Discovery (TA0007) | System Information Discovery (T1082) | Queries the system information
Command and Control (TA0011) | Application Layer Protocol (T1071) | Malware communicates with the C&C server over HTTP
Exfiltration (TA0010) | Exfiltration Over C2 Channel (T1041) | Collected data is sent over the C2 channel


INDICATORS OF COMPROMISE (IOCS)

Indicators                                                          | Indicator Type | Description
--------------------------------------------------------------------|----------------|-------------------------------
d7b278d20f47203da07c33f646844e74cb690ed802f2ba27a74e216368df7db9    | SHA256         | Malicious LNK file
ba262c587f1f5df7c2ab763434ef80785c5b51cac861774bf66d579368b56e31    | SHA256         | Malicious DLL file
fe503708d7969e65e9437b56b6559bc9b6bb7f46f3be5022db9406579592670d    | SHA256         | Decoy PDF
f6d171e79e2fb38b3919011835c8117a1c56788bcf634e69ae67a5e255fb9d58    | SHA256         | Lnk used to target Bhutan
14bbe421abe496531f4c63b16881eee23fb2c92b2938335dca1668206882201a    | SHA256         | Lnk used to target Bhutan
c3805b8b37eb1ba34057cd6c882dc9bedcebc01ec90a6d4be8d0f6fc82859ecb    | SHA256         | Lnk used to target Bhutan
c6398b5ca98e0da75c7d1ec937507640037ce3f3c66e074c50a680395ecf5eae    | SHA256         | Lnk targeting Chinese entities
hxxps://shianchi[.]scapematic[.]info/jhgfd/jkhxvcf                  | URL            | Remote server
hxxps://jihang[.]scapematic[.]info/eqhgrh/uybvjxosg                 | URL            | Remote server
Iceandfire[.]xyz                                                    | Domain         | C&C Server
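The command comparison described earlier (the threads match the C&C response against upload, uplexe, download, filelist and screenshot), the recommendation to monitor the beacon at the network level, and the network indicators in the table above can be turned into one detection pass over proxy logs. The following is an added example written for this page, not code from Cyble or from the malware analysis: it refangs the listed indicators, flags any request to a listed host or a subdomain of one, and separately flags a response whose body is nothing but one of the five command tokens. The log line format and the sample lines are constructed for the example; only the indicators and the token set come from the page.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set
from urllib.parse import urlsplit

# Network indicators exactly as the IOC table lists them (defanged).
DEFANGED_IOCS = [
    "hxxps://shianchi[.]scapematic[.]info/jhgfd/jkhxvcf",
    "hxxps://jihang[.]scapematic[.]info/eqhgrh/uybvjxosg",
    "Iceandfire[.]xyz",
]

# The five values the backdoor's threads compare the C&C response against.
COMMAND_TOKENS = {"upload", "uplexe", "download", "filelist", "screenshot"}


def refang(ioc: str) -> str:
    """Turn a defanged indicator (hxxps, [.]) back into a matchable form."""
    return (ioc.replace("hxxps://", "https://")
               .replace("hxxp://", "http://")
               .replace("[.]", "."))


def host_of(value: str) -> Optional[str]:
    """Lower-cased host name of a URL, or of a bare domain."""
    s = refang(value)
    if "://" not in s:
        s = "//" + s  # let urlsplit treat a bare domain as the netloc
    return urlsplit(s).hostname


def ioc_hosts(iocs=DEFANGED_IOCS) -> Set[str]:
    return {h for h in (host_of(i) for i in iocs) if h}


@dataclass
class Hit:
    line_no: int
    host: str
    reason: str


# Constructed (hypothetical) log format from a TLS-inspecting proxy:
# <ts> <client> <method> <url> <status> "<first bytes of the response body>"
LOG_RE = re.compile(r'^(\S+) (\S+) ([A-Z]+) (\S+) (\d{3}) "(.*)"$')


def scan_proxy_log(lines, iocs=DEFANGED_IOCS) -> List[Hit]:
    """Flag lines that talk to a listed host (or a subdomain of one), and
    lines whose response body consists solely of a command token."""
    bad_hosts = ioc_hosts(iocs)
    hits: List[Hit] = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than crash
        host = host_of(m.group(4)) or ""
        body = m.group(6).strip()
        if host in bad_hosts or any(host.endswith("." + h) for h in bad_hosts):
            hits.append(Hit(n, host, "known C&C host"))
        elif body.lower() in COMMAND_TOKENS:
            hits.append(Hit(n, host, f"bare command token {body!r} in response"))
    return hits


# Constructed sample lines; lines 2, 3 and 4 are the ones that should be flagged.
SAMPLE_LOG = [
    '2024-09-26T10:00:01Z 10.0.0.5 GET https://www.example.com/index.html 200 "<html><head>"',
    '2024-09-26T10:00:07Z 10.0.0.5 POST https://shianchi.scapematic.info/jhgfd/jkhxvcf 200 "screenshot"',
    '2024-09-26T10:00:09Z 10.0.0.5 GET https://beacon.iceandfire.xyz/ 200 ""',
    '2024-09-26T10:00:15Z 10.0.0.7 POST https://cdn.example.net/api 200 "filelist"',
    '2024-09-26T10:00:20Z 10.0.0.7 GET https://example.org/uploads 200 "<p>upload form</p>"',
    'not a log line at all',
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.host} - {hit.reason}")
```

The body check is deliberately an exact match: a page that merely contains the word "upload" (line 5) is not flagged, while a response that is nothing but "filelist" (line 4) is, because that is the shape of the C&C reply the threads are looking for. Host matching includes subdomains so that a beacon to a host under Iceandfire[.]xyz is caught.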


YARA RULE

rule Nexe_Backdoor
{
  meta:
    author = "Cyble Research and Intelligence Labs"
    description = "Detects Malicious Backdoor used in the latest Patchwork APT campaign"
    date = "2024-09-26"
    os = "Windows"
    reference_sample = "ba262c587f1f5df7c2ab763434ef80785c5b51cac861774bf66d579368b56e31"

  strings:
    $a = "WerSysprepCleanup"
    $b = "WerpSetReportFlags"
    $c = "WriteProcessMemory"
    $d = "VirtualAllocEx"
    $e = "Release\\AESC.pdb"

  condition:
    uint16(0) == 0x5A4D and all of them
}
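To see what the rule's condition actually requires, the following added example (written for this page, not code from Cyble) evaluates the same checks by hand in Python: the `uint16(0) == 0x5A4D` test is a little-endian read, so it is satisfied by the two bytes "MZ" at offset 0, and `all of them` means a sample missing any one of the five strings, for instance one built without the PDB path, does not match. The sample buffers are constructed for the example and are not real executables.

```python
import struct

# The five strings from the rule. In YARA source "Release\\AESC.pdb" is an
# escaped backslash, so the bytes searched for contain a single backslash.
RULE_STRINGS = {
    "$a": b"WerSysprepCleanup",
    "$b": b"WerpSetReportFlags",
    "$c": b"WriteProcessMemory",
    "$d": b"VirtualAllocEx",
    "$e": b"Release\\AESC.pdb",
}


def is_mz(data: bytes) -> bool:
    """uint16(0) == 0x5A4D: YARA reads integers little-endian, so the bytes
    'M' (0x4D) and 'Z' (0x5A) at offset 0 decode to 0x5A4D."""
    return len(data) >= 2 and struct.unpack_from("<H", data, 0)[0] == 0x5A4D


def evaluate_nexe_rule(data: bytes) -> dict:
    """Evaluate the rule by hand and report which parts held, which is
    useful when tuning or explaining a hit."""
    found = {name: (s in data) for name, s in RULE_STRINGS.items()}
    mz = is_mz(data)
    return {
        "mz_header": mz,
        "strings": found,
        "missing": sorted(n for n, ok in found.items() if not ok),
        "match": mz and all(found.values()),  # 'all of them'
    }


def build_sample(pe: bool = True, omit=()) -> bytes:
    """Constructed test buffer: an MZ (or non-MZ) header, padding, and the
    rule strings separated by NUL bytes. Not a real executable."""
    head = b"MZ\x90\x00" if pe else b"\x7fELF"
    body = bytearray(b"\x00" * 60)
    for name, s in RULE_STRINGS.items():
        if name not in omit:
            body += s + b"\x00" * 8
    return head + bytes(body)


SAMPLE_MATCH = build_sample()
SAMPLE_NOT_PE = build_sample(pe=False)
SAMPLE_NO_PDB = build_sample(omit=("$e",))

if __name__ == "__main__":
    for label, blob in [("match", SAMPLE_MATCH), ("not PE", SAMPLE_NOT_PE),
                        ("no pdb", SAMPLE_NO_PDB)]:
        r = evaluate_nexe_rule(blob)
        print(f"{label:8s} match={r['match']} missing={r['missing']}")
```

The `missing` list is the practical part: when the rule does not fire on a suspected variant, it shows which of the five strings the sample lacks, so an analyst can tell a non-PE container from a build that simply dropped the PDB path.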


REFERENCES

https://xz-aliyun-com.translate.goog/t/15376?_x_tr_sl=zh-CN&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=sc&u_atoken=0ce0739e487564fbf9e5b5ed29c0687a&u_asig=1a0c384b17265708412575151e0042&decode__2803=eqIxcD0DBD9Q0%3DXxGNne4mhOzdD%3D3hKH4D

