Recently, the KNOWNSEC 404 Advanced Threat Intelligence team revealed suspicious activity by the Patchwork group targeting Bhutan. The attack involved an updated backdoor written in Go, known as Pgoshell, as well as a new hacking tool called Brute Ratel C4. This incident highlights the group's commitment to technological advancement.
Patchwork, also known as Dropping Elephant, has been actively operating since 2014, targeting government, defense, and diplomatic organizations, as well as universities and research institutions in East and South Asia.
Nature of the attack
The attack commenced with the distribution of a malicious shortcut file in the .LNK format named Large_innovation_Project_for_BHUTAN.PDF.LNK. This file appeared to be a PDF document but actually retrieved several malicious components. Specifically, the following files were downloaded:
- A decoy document to divert the user's attention.
- The malicious library edputil.dll, disguised as a legitimate file.
- Winver.exe, used for further propagation of the malicious software.
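The shortcut relies on a document-looking name with a trailing .LNK extension, which Windows hides by default when "Hide extensions for known file types" is enabled. The following is an added example, not code from the KNOWNSEC 404 report, that flags file names carrying a document-style extension directly in front of .lnk. The list of document extensions and all sample names other than the one from the article are constructed for the example.

```python
import os

# Extensions a user would expect to open as a document or image (constructed list).
DOCUMENT_EXTENSIONS = {
    "pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "rtf", "jpg", "png",
}

# Constructed sample names; only the first one comes from the article.
SAMPLE_NAMES = [
    "Large_innovation_Project_for_BHUTAN.PDF.LNK",
    "quarterly_report.pdf",
    "Invoice_2024.xlsx.lnk",
    "shortcut_to_tools.lnk",
]


def is_disguised_shortcut(name: str) -> bool:
    """Return True when a .lnk file carries a document-like inner extension.

    The comparison is case-insensitive so that .PDF.LNK and .pdf.lnk are
    treated the same way; Windows file names are case-insensitive too.
    """
    parts = name.lower().rsplit(".", 2)
    if len(parts) < 3:
        # Either no extension or a single extension: nothing is being hidden.
        return False
    _, inner, outer = parts
    return outer == "lnk" and inner in DOCUMENT_EXTENSIONS


def flag_disguised_shortcuts(names):
    """Filter an iterable of file names down to the suspicious ones."""
    return [n for n in names if is_disguised_shortcut(n)]


def scan_directory(path: str):
    """Apply the same check to the entries of a directory on disk."""
    return flag_disguised_shortcuts(os.listdir(path))


if __name__ == "__main__":
    for hit in flag_disguised_shortcuts(SAMPLE_NAMES):
        print("suspicious shortcut:", hit)
```

The same rule can be expressed in an e-mail gateway or EDR file-creation alert; the point is that a shortcut should never need a second, document-style extension, so the pattern itself is a reliable signal regardless of the specific lure name.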
Tools and methods
Brute Ratel C4
Brute Ratel C4 is a new tool used by the attackers for controlling the file system, scanning ports, uploading and downloading files, and capturing the screen. During the attack the tool was loaded directly into memory, which makes detection difficult because of its complex anti-virtualization and anti-layering techniques.
Pgoshell
Pgoshell, developed in Go, has been significantly enhanced to support remote control, screen capture, and file upload. The tool collects system information such as the IP address, OS version, username, and processor architecture, encrypts it with the RC4 algorithm, encodes the result with Base64, and transmits it to the attackers' server.
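Because RC4 is a symmetric stream cipher, an analyst who recovers the hardcoded key from a sample can decode captured check-in traffic and see exactly which host details were exfiltrated. The following is an added example, not code from the report or from the malware, that implements RC4 and reproduces the described encrypt-then-Base64 pipeline in both directions. The JSON field layout, the key and the sample host values are assumptions constructed for the example; the article does not state how the fields are serialized.

```python
import base64
import json


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: KSA followed by PRGA, XORed over the data.

    The same function encrypts and decrypts because the keystream only
    depends on the key.
    """
    S = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def encode_beacon(key: bytes, fields: dict) -> str:
    """Serialize -> RC4 -> Base64, the order the article describes.

    JSON serialization is an assumption made for this example.
    """
    plaintext = json.dumps(fields, sort_keys=True).encode()
    return base64.b64encode(rc4(key, plaintext)).decode()


def decode_beacon(key: bytes, blob: str) -> dict:
    """Reverse the pipeline: Base64 -> RC4 -> deserialize."""
    return json.loads(rc4(key, base64.b64decode(blob)).decode())


# Constructed sample values; the key is a placeholder, not one from the report.
SAMPLE_KEY = b"example-rc4-key"
SAMPLE_FIELDS = {
    "ip": "192.0.2.10",
    "os": "Windows 10 Pro 19045",
    "user": "analyst",
    "arch": "amd64",
}


def roundtrip(fields: dict = SAMPLE_FIELDS, key: bytes = SAMPLE_KEY) -> dict:
    """Encode the sample check-in and decode it again."""
    return decode_beacon(key, encode_beacon(key, fields))


if __name__ == "__main__":
    blob = encode_beacon(SAMPLE_KEY, SAMPLE_FIELDS)
    print("on the wire:", blob)
    print("decoded:    ", decode_beacon(SAMPLE_KEY, blob))
```

From a detection standpoint the transformation offers no integrity or authentication, so a proxy that sees a fixed-length, high-entropy Base64 body posted to an unfamiliar host on every check-in has a useful anomaly to alert on even before the key is known.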
This attack showcases the evolving capabilities of the Patchwork group, which continually updates its tools and methods. The usage of Brute Ratel C4 and the enhanced Pgoshell indicates the group’s high level of readiness and sophistication.
As Patchwork continues to enhance its technologies and methods, its attacks become increasingly complex and hard to detect. Target organizations must strengthen their cybersecurity measures and monitor suspicious activity within their networks to mitigate such threats effectively.