Thursday, December 5, 2024
Homecyber securityPatchwork Actors Using Weaponized Encrypted Zip Files to Attack Orgs

Patchwork Actors Using Weaponized Encrypted Zip Files to Attack Orgs

Published on

SIEM as a Service

The cyber espionage group Patchwork, also known by various aliases, has been active since 2009, primarily targeting Asian organizations in sectors such as government, military, and industry. 

Based in South Asia, the group has been conducting cyber-espionage campaigns for over a decade, and their activities have focused on compromising sensitive information from their targets, highlighting the group’s persistent threat to the region’s cybersecurity landscape.

Recently, a new variant was discovered that distributed two steganographic components for screenshotting and file information collection. While the Spyder downloader’s core functionality remains unchanged, the code structure and C&C communication format have been modified. 

- Advertisement - SIEM as a Service

The attack process involves the Spyder downloader remotely downloading encrypted ZIP packages containing subsequent components and executing them.

The steganographic components, hidden within the downloaded files, are used to capture screenshots and gather file information, potentially compromising sensitive data.

attack process of the Spyder downloader and the steganographic components 
attack process of the Spyder downloader and the steganographic components 

The samples indicate the presence of three potentially malicious files. “eac_launcher.exe” is a spyware downloader identified by its MD5 hash. “IntelPieService.exe” is a screenshot component that could be used for unauthorized data collection. 

Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN -14-day free trial

“RstMwService.exe” is a file decryption component, suggesting its potential involvement in ransomware activities, which were compiled at various times between February and June 2024 and have been associated with malicious activities.

It disguises itself as a Word document and injects configuration data directly into the code, unlike previous versions that encrypted it, by utilizing traffic spoofing techniques to mimic traffic to legitimate websites like Google APIs and Github. 

 .text segments of multiple system DLLs
 .text segments of multiple system DLLs

It also attempts to tamper with system DLLs and schedules self-replication tasks. Communication with the command and control server (“C2”) involves sending a Base64-encoded JSON string with the machine’s unique identifier and a potentially version-related string. 

This initial contact determines if the downloader should gather information about the infected device and potentially download additional components. 

The malware first checks with the C2 server to see if it needs to collect device information. If yes, it collects the hostname, user ID, OS version, and antivirus information and sends it back. 

Then it enters a loop, generating fake traffic and querying the C2 server again, and if the response indicates new components, it extracts the download category, zip name, and password from the response. 

 contents of the middle field decrypting in CyberChef
 contents of the middle field decrypting in CyberChef

It constructs a download request and retrieves the zip file containing the components by extracting the components to a specific directory and executing them using CreateProcessW.  

Spyder Downloader, a tool used by Patchwork Group, delivers two steganographic components with separate functionalities. The first component, IntelPieService.exe, captures screenshots and sends them to a server, while the second component, RstMwService.exe, steals file information and stores it in a local database. 

According to the QiAnXin Threat Intelligence Center, both components share the same digital signature and are downloaded from different C2 servers, allowing attackers to selectively deploy follow-up components based on their targets. 

Protect Your Business with Cynet Managed All-in-One Cybersecurity Platform – Try Free Trial

Latest articles

I-O DATA Routers Command Injection Vulnerabilities Actively Exploited in Attacks

I-O DATA DEVICE, INC. has announced that several critical vulnerabilities in their UD-LT1 and...

ChatGPT Next Web Vulnerability Let Attackers Exploit Endpoint to Perform SSRF

Researchers released a detailed report on a significant security vulnerability named CVE-2023-49785, affecting the...

Cisco NX-OS Vulnerability Allows Attackers to Bypass Image Signature Verification

A critical vulnerability has been identified in the bootloader of Cisco NX-OS Software, potentially...

Deloitte UK Hacked – Brain Cipher Group Claim to Have Stolen 1 TB of Data

Brain Cipher has claimed to have breached Deloitte UK and exfiltrated over 1 terabyte...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

I-O DATA Routers Command Injection Vulnerabilities Actively Exploited in Attacks

I-O DATA DEVICE, INC. has announced that several critical vulnerabilities in their UD-LT1 and...

ChatGPT Next Web Vulnerability Let Attackers Exploit Endpoint to Perform SSRF

Researchers released a detailed report on a significant security vulnerability named CVE-2023-49785, affecting the...

Cisco NX-OS Vulnerability Allows Attackers to Bypass Image Signature Verification

A critical vulnerability has been identified in the bootloader of Cisco NX-OS Software, potentially...