Patchwork, the superior persistent menace (APT) actor also called Dropping Elephant, Monsoon, and Hangover Group, has been noticed deploying a brand new PowerShell-based loader that abuses Home windows Scheduled Duties to execute its closing payload.
Lively since a minimum of 2015 and centered on political and army intelligence throughout South and Southeast Asia, Patchwork is famend for its persistence, social engineering prowess, and its behavior of repurposing and customizing current instruments relatively than constructing new exploits from scratch.
Within the newest marketing campaign, targets obtain a Microsoft Workplace doc containing a malicious macro. When enabled, the macro downloads an LNK shortcut file that, as soon as opened, executes a PowerShell script. This script:
- Downloads an executable masquerading as vlc.exe into
C:WindowsTaskslama, mimicking the reliable VLC media participant. - Retrieves a DLL named libvlc.dll—possible a faux library—to side-load alongside vlc.exe.
- Fetches a decoy PDF from a malicious URL and locations it within the Public Paperwork folder.
- Creates a scheduled activity known as WindowsErrorReport that triggers vlc.exe on a daily interval.
- Lastly, it downloads and saves the APT’s closing payload, a .NET-based executable compiled with MSIL.
Multi-Stage C2 Communication
As soon as the scheduled activity launches vlc.exe, the loader’s fStage technique initiates a safe channel with the attacker’s C2 server at Program.muri. It gathers system info, then:
- XORs the sufferer’s shopper ID with a hardcoded key (
eOvstoxSBbZGWsTtknc) and Base64-encodes the outcome. - Applies extra obfuscation by way of a customized Protean operate.
- Sends the info over HTTPS utilizing TLS 1.2 as a POST kind (
sosidandslidparameters).
The server’s response is Base64-decoded and XOR-decrypted with a session key to provide acc.xkey, saved for future encryption. If the fStage fails, it retries each 5 seconds, as much as twenty makes an attempt.
Subsequent, the SStage technique inventories the host:
- Public IP by way of
ipd() - OS model.
- MAC tackle and username.
- Working listing path.
- Course of ID and administrative privilege standing.
- Distinctive session ID.
Every datum is XOR-obfuscated, Base64-encoded, and scrambled with Protean earlier than transmission. Concurrently, the bkj technique launches:
- dsffds() collects put in purposes by way of WMI (
Win32_Product). - ghjk() enumerates antivirus merchandise from the
SecurityCenter2namespace.
All collected information is equally obfuscated and POSTed to the C2. On success, persistence is confirmed and error counters reset.
Command Retrieval and Exfiltration
The _getCommand operate retrieves attacker directions by masquerading visitors as reliable net kind POSTs (sltrg=pap).
After execution, the mixed output and errors are appended to the response string, which is then despatched again to the attacker’s command-and-control server utilizing the _sendResult technique.
Responses endure regex cleanup, multi-layer Attraction() deobfuscation, twin Base64 decoding, and XOR decryption with the session key to yield plaintext instructions. Failures set off as much as twenty retry loops to take care of stealth.
To exfiltrate command outputs, the malware makes use of Scourgify encoding, attaches a singular sufferer ID, and dispatches outcomes by way of POST. Retries of as much as twenty cycles guarantee dependable supply with out elevating alerts.
Subsequent strategies facilitate:
- dfile: Downloads and decodes auxiliary information into a short lived listing.
- ufile: Chunks massive information into 1 MB segments, Base64-encodes, and streams them to the C2 in a stealthy, resumable style.
- v_alloc: Allocates executable reminiscence, copies payload bytes, and spawns a brand new thread to run in-memory code with out disk artifacts.
- scrt: Captures full-screen screenshots, uploads them to the server, and cleans up native copies after success.
Mitigations
Patchwork’s modular, multi-layered strategy addressed the significance of sturdy endpoint defenses.
Enabling macros solely from trusted sources, monitoring for uncommon scheduled duties (similar to “WindowsErrorReport”), and imposing utility whitelisting can disrupt the loader’s execution chain.
Moreover, deploying a safety resolution like K7 Complete Safety with up-to-date signatures and behavior-based detection can establish and quarantine these PowerShell-based methods earlier than substantial information exfiltration happens.
Staying vigilant and updating each working methods and safety software program stay vital to thwarting Patchwork’s evolving arsenal.
Comply with us on Google Information, LinkedIn, and X to Get Immediate Updates and Set GBH as a Most well-liked Supply in Google.
