Patchwork Hackers Leveling Up with Advanced PGoShell in Arsenal

July 23, 2024

TLDR:

  • Patchwork has upgraded its arsenal with an improved version of its PGoShell implant
  • In a campaign likely aimed at Bhutan, the group paired a malicious LNK shortcut with the Brute Ratel C4 red-team framework

Knownsec 404's Advanced Threat Intelligence Team has uncovered a likely Bhutan-targeted Patchwork campaign that opens with an LNK shortcut disguised as a PDF. The shortcut fetches a decoy document and the real payloads, and that payload set shows how far the group has upgraded its toolkit, most visibly in a reworked PGoShell.

Patchwork has targeted government, defense, diplomatic, and research organizations across East and South Asia since 2014. In this campaign the LNK files pull down decoy PDFs themed around Bhutan-related organizations, and the group deployed Brute Ratel C4, a commercial red-team framework offering file management, port scanning, screen capture and similar post-exploitation features, a sign of how mature its tradecraft has become.

PGoShell, Patchwork's own implant, now offers a remote shell, screen capture and payload execution, and obfuscates the data it exchanges with RC4 encryption wrapped in base64 encoding. The implant also profiles the host, including an IP geolocation lookup, and sets up persistence.
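The RC4-plus-base64 layering described above is a common malware obfuscation pattern, and the first thing an analyst does with it is reproduce the decoder. The block below is an added example written for this page, not code from PGoShell or from the Knownsec 404 report: the key, the message format and the field names are hypothetical, and it uses the public RC4 test vector ("Key"/"Plaintext") to prove the cipher is implemented correctly.

```python
import base64
import json


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 stream cipher. Encryption and decryption are the same operation."""
    # Key-scheduling algorithm (KSA): permute the state array with the key
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation algorithm (PRGA): XOR the keystream over the data
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def obfuscate(key: bytes, plaintext: bytes) -> str:
    """Layer used by many implants: RC4 first, then base64 so the blob is text-safe."""
    return base64.b64encode(rc4(key, plaintext)).decode("ascii")


def deobfuscate(key: bytes, blob: str) -> bytes:
    """Reverse the layering: base64-decode, then RC4 with the same key."""
    return rc4(key, base64.b64decode(blob))


# Hypothetical key and host-profile message; neither is taken from the real implant.
DEMO_KEY = b"demo-key-not-from-sample"
DEMO_PROFILE = {"host": "WS-01", "user": "analyst", "geo": "BT", "cmd": "screenshot"}


def roundtrip_demo() -> dict:
    """Obfuscate a constructed beacon and decode it again, as an analyst's decoder would."""
    blob = obfuscate(DEMO_KEY, json.dumps(DEMO_PROFILE).encode())
    return json.loads(deobfuscate(DEMO_KEY, blob).decode())


if __name__ == "__main__":
    assert rc4(b"Key", b"Plaintext").hex() == "bbf316e8d940af0ad3"
    print(roundtrip_demo())
```

Once the key is recovered from the binary (it is typically a hard-coded string), every captured exchange decrypts with this function. Note also that RC4 is a stream cipher, so two messages encrypted under the same key with no nonce leak the XOR of their plaintexts; this scheme hides traffic from casual inspection, not from an analyst.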

Adopting Brute Ratel C4 alongside the upgraded PGoShell shows how quickly Patchwork's tooling changes and suggests more of the same is to come. Published IoCs for the campaign include the C2 domains Beijingtv[.]org and Cartmizer[.]info (shown defanged).
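Defanged indicators such as the two domains above need to be refanged before they are useful, and a naive substring match will also flag unrelated names. The block below is an added example for this page, not tooling from the report: it refangs the published domains, then matches DNS query log lines against them, treating subdomains as hits but not look-alike names. The log lines are constructed in dnsmasq's query format and are not real telemetry.

```python
import re
from typing import List, Optional, Sequence, Tuple

# The two C2 domains published as IoCs for this campaign, exactly as defanged.
IOC_DOMAINS_DEFANGED = ["Beijingtv[.]org", "Cartmizer[.]info"]

# Constructed sample lines (dnsmasq-style "query[TYPE] name from client"); not real logs.
SAMPLE_LOG = """\
Jul 23 10:01:02 gw dnsmasq[512]: query[A] www.example.com from 10.0.0.5
Jul 23 10:01:09 gw dnsmasq[512]: query[A] cdn.beijingtv.org from 10.0.0.17
Jul 23 10:02:41 gw dnsmasq[512]: query[AAAA] mail.example.org from 10.0.0.5
Jul 23 10:03:15 gw dnsmasq[512]: query[A] cartmizer.info from 10.0.0.23
Jul 23 10:04:00 gw dnsmasq[512]: query[A] notcartmizer.info from 10.0.0.9
"""

QUERY_RE = re.compile(r"query\[[A-Z]+\] (?P<name>\S+) from (?P<src>\S+)")


def refang(domain: str) -> str:
    """Turn a defanged indicator ('[.]' for '.') into a lower-case hostname."""
    return domain.replace("[.]", ".").lower().strip(".")


def matches_ioc(hostname: str, iocs: Sequence[str]) -> Optional[str]:
    """Return the matching IoC when hostname equals it or is a subdomain of it.

    Requiring a leading '.' for the subdomain case is what keeps
    'notcartmizer.info' from matching 'cartmizer.info'.
    """
    h = hostname.lower().rstrip(".")
    for ioc in iocs:
        if h == ioc or h.endswith("." + ioc):
            return ioc
    return None


def find_hits(log_text: str, defanged_iocs: Sequence[str]) -> List[Tuple[str, str, str]]:
    """Scan query log lines and return (client, queried name, matched IoC) tuples."""
    iocs = [refang(d) for d in defanged_iocs]
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        ioc = matches_ioc(m.group("name"), iocs)
        if ioc:
            hits.append((m.group("src"), m.group("name"), ioc))
    return hits


if __name__ == "__main__":
    for src, name, ioc in find_hits(SAMPLE_LOG, IOC_DOMAINS_DEFANGED):
        print(f"{src} resolved {name} (IoC: {ioc})")
```

The same `matches_ioc` rule works for proxy logs or Zeek `dns.log` once the hostname field is extracted; only the regex changes. Sinkholing or blocking the apex domain also covers any subdomain the actors rotate to.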
