July 24, 2024 at 06:36AM
Patchwork, a threat actor linked to cyber attacks on entities connected to Bhutan, has been observed using the Brute Ratel C4 framework together with an updated version of its PGoShell backdoor. The group, also tracked as APT-C-09, is a state-sponsored actor with a history of spear-phishing and watering-hole attacks against targets in China and Pakistan. In separate campaigns it has used romance-themed lures to deliver an Android remote access trojan called VajraSpy.
Key takeaways:
1. Patchwork has been linked to cyber attacks targeting entities with ties to Bhutan, using the Brute Ratel C4 framework and an updated version of a backdoor called PGoShell.
2. According to the Knownsec 404 Team analysis, this is the first time Patchwork has been observed using a commercial red-teaming framework (Brute Ratel C4) rather than its own custom tooling.
3. The activity cluster, also known as APT-C-09, Dropping Elephant, Operation Hangover, Viceroy Tiger, and Zinc Emerson, is a state-sponsored actor likely of Indian origin, known for targeting China and Pakistan since at least 2009.
4. Patchwork previously employed a .NET-based implant called EyeShell in an espionage campaign against universities and research organizations in China.
5. Recent attacks by Patchwork used romance-themed lures to compromise Android devices in Pakistan and India with a remote access trojan dubbed VajraSpy.
6. The latest observed attack chain starts with a Windows shortcut (LNK) file. The shortcut downloads a decoy PDF from a remote domain impersonating the UNFCCC-backed Adaptation Fund, while Brute Ratel C4 and PGoShell are fetched from a separate domain (“beijingtv[.]org”). Splitting the decoy and the payload across two domains means a lure document alone is not a reliable indicator; the payload domain is.
7. Separately, attacks using ORPCBackdoor and previously undocumented malware to harvest data and execute shellcode were attributed to another threat actor, APT-K-47, which also deployed an open-source command-and-control (C2) framework known as Nimbo-C2.
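The two-domain pattern in item 6 (decoy PDF from one host, Brute Ratel C4 and PGoShell from another) is something a defender can hunt for in web-proxy logs. The script below is an added example written for this summary, not code from the Knownsec 404 Team report or from the actor's tooling. The only indicator it takes from the report is the defanged payload domain “beijingtv[.]org”; the proxy log format, the log lines, the payload file names and the decoy domain (a `.invalid` name) are all constructed here for illustration and do not come from the report.

```python
"""
Hunt for the LNK -> decoy PDF -> payload pattern in web-proxy logs.

Added example for this summary (not from the original report). The payload
domain "beijingtv[.]org" is the report's indicator; everything else below
(log format, sample lines, file names, decoy domain) is constructed.
"""
from __future__ import annotations

import re
from datetime import datetime, timedelta

# Defanged indicator as reported. Only beijingtv[.]org comes from the report.
PAYLOAD_DOMAINS_DEFANGED = ["beijingtv[.]org"]

# Constructed proxy log: "<ISO timestamp> <client-ip> <method> <url> <status>".
# The decoy domain and the payload file names are made up for this example.
SAMPLE_LOG = """\
2024-07-22T09:14:02Z 10.0.5.17 GET http://adaptation-fund-decoy.invalid/docs/AF_Agenda.pdf 200
2024-07-22T09:14:09Z 10.0.5.17 GET http://beijingtv.org/update/brc4.bin 200
2024-07-22T09:15:30Z 10.0.5.17 GET http://beijingtv.org/update/pgoshell.exe 200
2024-07-22T10:02:11Z 10.0.5.44 GET http://intranet.invalid/reports/q2.pdf 200
2024-07-22T11:41:57Z 10.0.5.91 GET http://beijingtv.org/ 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)
HOST_RE = re.compile(r"^[a-z]+://([^/:]+)", re.IGNORECASE)


def refang(indicator: str) -> str:
    """Turn a defanged IOC ("beijingtv[.]org", "hxxp://") back into a matchable form."""
    return (indicator.replace("[.]", ".").replace("(.)", ".")
            .replace("hxxp://", "http://").replace("hxxps://", "https://")).lower()


def parse_log(text: str) -> list[dict]:
    """Parse proxy lines into dicts; malformed lines are skipped rather than crashing the hunt."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        host_m = HOST_RE.match(m["url"])
        if not host_m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "src": m["src"],
            "host": host_m.group(1).lower(),
            "url": m["url"],
        })
    return events


def hunt(events: list[dict], payload_domains: list[str],
         window_minutes: int = 10) -> dict[str, dict]:
    """For each client that fetched from a payload domain (or a subdomain of it),
    report the payload URLs and any PDF fetched from a *different* domain within
    the preceding window: the decoy-then-payload sequence described in the report."""
    bad = {refang(d) for d in payload_domains}
    window = timedelta(minutes=window_minutes)
    findings: dict[str, dict] = {}

    def is_payload_host(host: str) -> bool:
        return host in bad or any(host.endswith("." + d) for d in bad)

    for ev in events:
        if not is_payload_host(ev["host"]):
            continue
        entry = findings.setdefault(ev["src"], {"payload_hits": [], "decoy_pdfs": []})
        entry["payload_hits"].append(ev["url"])
        for prior in events:
            if (prior["src"] == ev["src"]
                    and not is_payload_host(prior["host"])
                    and prior["url"].lower().endswith(".pdf")
                    and ev["ts"] - window <= prior["ts"] <= ev["ts"]
                    and prior["url"] not in entry["decoy_pdfs"]):
                entry["decoy_pdfs"].append(prior["url"])
    return findings


if __name__ == "__main__":
    for src, finding in hunt(parse_log(SAMPLE_LOG), PAYLOAD_DOMAINS_DEFANGED).items():
        print(src, finding)
```

Run against the constructed log, the script flags 10.0.5.17 with two payload fetches and the preceding PDF from the decoy domain, and 10.0.5.91 with a bare contact to the payload domain and no decoy; 10.0.5.44, which only fetched an internal PDF, is not reported. The decoy correlation is a triage aid, not the detection itself: the payload-domain contact is sufficient on its own, and the PDF lookback only helps identify which user opened the shortcut.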