Patchwork Actors Using Weaponized Encrypted Zip Files to Attack Orgs

The cyber espionage group Patchwork, also known by various aliases, has been active since 2009, primarily targeting Asian organizations in sectors such as government, military, and industry. 

Based in South Asia, the group has been conducting cyber-espionage campaigns for over a decade, and their activities have focused on compromising sensitive information from their targets, highlighting the group’s persistent threat to the region’s cybersecurity landscape.

Recently, a new variant was discovered that distributed two steganographic components for screenshotting and file information collection. While the Spyder downloader’s core functionality remains unchanged, the code structure and C&C communication format have been modified. 

The attack process involves the Spyder downloader remotely downloading encrypted ZIP packages containing subsequent components and executing them.

The steganographic components, hidden within the downloaded files, are used to capture screenshots and gather file information, potentially compromising sensitive data.

The samples indicate the presence of three potentially malicious files. “eac_launcher.exe” is a spyware downloader identified by its MD5 hash. “IntelPieService.exe” is a screenshot component that could be used for unauthorized data collection. 

Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN -14-day free trial

“RstMwService.exe” is a file decryption component, suggesting its potential involvement in ransomware activities, which were compiled at various times between February and June 2024 and have been associated with malicious activities.

It disguises itself as a Word document and injects configuration data directly into the code, unlike previous versions that encrypted it, by utilizing traffic spoofing techniques to mimic traffic to legitimate websites like Google APIs and Github. 

It also attempts to tamper with system DLLs and schedules self-replication tasks. Communication with the command and control server (“C2”) involves sending a Base64-encoded JSON string with the machine’s unique identifier and a potentially version-related string. 

This initial contact determines if the downloader should gather information about the infected device and potentially download additional components. 

The malware first checks with the C2 server to see if it needs to collect device information. If yes, it collects the hostname, user ID, OS version, and antivirus information and sends it back. 

Then it enters a loop, generating fake traffic and querying the C2 server again, and if the response indicates new components, it extracts the download category, zip name, and password from the response. 

It constructs a download request and retrieves the zip file containing the components by extracting the components to a specific directory and executing them using CreateProcessW.  

Spyder Downloader, a tool used by Patchwork Group, delivers two steganographic components with separate functionalities. The first component, IntelPieService.exe, captures screenshots and sends them to a server, while the second component, RstMwService.exe, steals file information and stores it in a local database. 

According to the QiAnXin Threat Intelligence Center, both components share the same digital signature and are downloaded from different C2 servers, allowing attackers to selectively deploy follow-up components based on their targets. 

Protect Your Business with Cynet Managed All-in-One Cybersecurity Platform – Try Free Trial