
Background

Patchwork (Mokha Grass), also known as White Elephant, Hangover, and Dropping Elephant, and tracked internally as APT-Q-36 by QiAnXin, is a group widely believed to be of South Asian origin. Its earliest known cyber-attacks can be traced back to November 2009, and it has remained active for over a decade. The group primarily conducts cyber espionage targeting countries in the Asian region, focusing on government, military, power, industrial, research and education, diplomatic, and economic organizations.


Overview

Recently, during routine sample tracking and analysis, the Threat Intelligence Center at QiAnXin identified a batch of malicious samples linked to Patchwork. Surprisingly, the backdoor used by the attackers was not the typical Trojan previously associated with the Patchwork group. Coincidentally, foreign security researchers also discovered a few of these samples [1] and named the backdoor "Spyder" based on information found in the command-and-control (C2) server login interface. They also noted similarities between the samples and the WarHawk backdoor. The latter was revealed in a report published by Zscaler in October of the previous year [2], and it is considered to be an offensive weapon used by another South Asian APT group, Sidewinder.

Based on the digital signatures used in early Spyder samples and their association with Remcos RAT samples, we are inclined to believe that the Patchwork group is behind these attacks. Furthermore, through a shared C2 IP address, we discovered another lightweight C#-based backdoor used by the attackers.


Detailed Analysis

The captured Spyder samples have the following basic information:

MD5 | Creation Time | Digital Signature | File Name
--- | --- | --- | ---
eb9068161baa5842b40d5565130526b9 | 2023-04-09 19:36:29 UTC | Yes | LIST OF SIGNAL ADDRESSES, CALL SIGN 10 Apr 2023.exe
87d94635372b874f18acb3af7c340357 | 2023-04-13 09:20:42 UTC | Yes | PN SHIP OVERSEAS DEPLOYMENT PLAN TO FAR EAST CHINA.exe
1fa3f364bcd02433bc0f4d3113714f16 | 2023-04-30 17:34:16 UTC | Yes | Rocket Launch System THE UPDT LIST OF MLRS PROB-.exe
1f599f9ab4ce3da3c2b47b76d9f88850 | 2023-06-07 07:24:01 UTC | No | Read-Me New Naxal VPN Configration Settings.exe
53b3a018d1a4d935ea7dd7431374caf1 | 2023-06-13 09:22:05 UTC | No | Read-Me New Naxal VPN Configration Settings.exe
1f4b225813616fbb087ae211e9805baf | 2023-06-13 09:2 22:05 UTC | Yes | BAF Operations Report CamScannerDocument.exe

The above samples are disguised as Word, Excel, PDF, and other document icons. Based on sample size, creation time, and code similarity, they can be classified into two categories: the original version (April samples) and the new version (June samples) with some code modifications. Considering the sample names, the location of VirusTotal uploads, and configuration information within the samples, the targets of the Spyder backdoor include China, Pakistan, Nepal Police Department, and the Bangladesh Air Force.


Spyder New Version

The June attack samples are almost identical, including the C2 information, with only some differences in the configuration data. The following sample will be analyzed as an example:

Attribute | Value
--- | ---
MD5 | 1f599f9ab4ce3da3c2b47b76d9f88850
File Size | 380928 bytes (372.00 KB)
File Type | PE32 EXE

To start, the backdoor retrieves data from the "TRUETYPE" category under the "FONTS" file resource. It uses "ROUND9" as the XOR decryption key to decrypt a series of configuration data.

The decrypted data includes the backdoor agent code (the first 4 bytes in the configuration data, with a value of "3"), mutex name, and C2 communication URL.

Besides the key strings taken from the configuration data, the backdoor also stores most other strings it needs in XOR-encrypted form and decrypts them at the point of use.

After creating a mutex with CreateMutexA, the backdoor begins collecting information about the infected device. The collected information and the methods used to obtain it are as follows:

Information Type | Method of Retrieval
--- | ---
Machine GUID | Query HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid in the registry
Hostname | Call GetComputerNameExW
Username | Call GetUserNameW
System Version | Query ProductName under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion in the registry
System Architecture | Call GetNativeSystemInfo
Antivirus Information | WMI query in the root\SecurityCenter2 namespace
Profile | Taken from the decrypted configuration data in the resource section
Mail | Taken from the decrypted configuration data in the resource section

Each of the above values is encoded separately using the Y64 variant of Base64.
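The configuration handling described above (XOR-decrypted resource data, then Y64 encoding of each collected field), written up as an added Python example; it is not code from the report or from the malware. The repeating-key XOR, the byte layout of the decrypted blob (4-byte agent code followed by NUL-terminated strings) and the sample resource blob are assumptions constructed for the example.

```python
import base64
from itertools import cycle

# XOR key "ROUND9" from the June samples. The repeating-key application and the
# byte layout (4-byte agent code, then NUL-terminated strings) are assumptions.
XOR_KEY = b"ROUND9"


def xor_with_key(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """XOR against a repeating key; symmetric, so it both encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def parse_spyder_config(resource: bytes) -> dict:
    """Decrypt a resource blob and split out agent code, mutex name and C2 URL."""
    plain = xor_with_key(resource)
    agent = plain[:4].rstrip(b"\x00").decode("ascii")
    strings = [s.decode("ascii") for s in plain[4:].split(b"\x00") if s]
    if len(strings) < 2:
        raise ValueError("config too short: expected a mutex name and a C2 URL")
    return {"agent": agent, "mutex": strings[0], "c2": strings[1]}


def y64_encode(data: bytes) -> str:
    """Base64 with the Y64 alphabet: '+' -> '.', '/' -> '_', padding '=' -> '-'."""
    return base64.b64encode(data).decode("ascii").translate(str.maketrans("+/=", "._-"))


def build_checkin_fields(info: dict) -> dict:
    """Encode every collected value separately, as the report describes."""
    return {name: y64_encode(value.encode("utf-8")) for name, value in info.items()}


# Constructed resource blob: plaintext assembled here and XOR-encrypted with the key.
CONSTRUCTED_RESOURCE = xor_with_key(
    b"3\x00\x00\x00" + b"SpyderMutexExample\x00"
    + b"hxxp://plainboardssixty.com/drive/bottom.php\x00")

if __name__ == "__main__":
    cfg = parse_spyder_config(CONSTRUCTED_RESOURCE)
    print(cfg)
    print(build_checkin_fields({"hwid": "00000000-0000-0000-0000-000000000000",
                                "agent": cfg["agent"]}))
```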

The backdoor then sends a POST request to the C2 communication URL ("hxxp://plainboardssixty.com/drive/bottom.php"); the transmitted data includes the Machine GUID and the email address from the configuration data. If the response is "1", the backdoor goes straight into a sleep state.

Otherwise it copies itself as the file "DllHostcache" under "C:\Users\[user_name]\AppData\Roaming" and creates a series of scheduled tasks that run at a specified time on the following day.

It then sends the information collected earlier back to C2, using the following field names:

Field Name | Meaning
--- | ---
hwid | Machine GUID
username | Username
compname | Hostname
osname | System Version
arch | System Architecture
av | Antivirus Information
agent | Backdoor agent code from the configuration data (value "3")
profile | Profile information from the configuration data
mail | Email address from the configuration data

The backdoor then enters a while loop. In each iteration it first downloads a file from another URL in the configuration data, "hxxp://plainboardssixty.com/drive/chilli.php", and saves it in the Startup directory. If the download succeeds, the file is run.

After that, there are multiple interactions with C2 to download and execute subsequent payloads. The interaction process is as follows.

(1) Retrieve instructions

The backdoor sends "hwid=%s&deploy=1" to C2 and receives an instruction in response. Three instructions are supported: "1", "2", and "3". All three are used to obtain and execute a subsequent payload.

(2) Obtain the compressed package name and extraction password containing the subsequent payload

After selecting a specific instruction, send "hwid=%s&deploy=%d&bakmout=1" to C2. The "hwid" field is still the encoded Machine GUID, and the "deploy" field corresponds to the selected instruction number.

The response message is a JSON string that contains the "name" and "pass" fields, which correspond to the compressed package name and extraction password, respectively.

(3) Download and extract the compressed package

The backdoor downloads the compressed package from "hxxp://plainboardssixty.com/drive/[name].zip" and extracts it using the password from the "pass" field. Both the downloaded package and the extracted files are saved under "C:\Users\[user_name]\AppData\Local". The extracted file is then run.

(4) Notify C2 of the completion of the operation

Send "hwid=%s&deploy=0" to C2 to indicate that the downloaded payload has been executed. Delete the downloaded compressed package, sleep for 2 seconds, and proceed to the next iteration of the loop.
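The four-step exchange above, turned into detection logic: an added Python example (not from the report) that classifies constructed web-proxy log records by the stage of the Spyder C2 loop they match and correlates archive downloads with hosts that have already beaconed. The log record format, the field names and the use of GET for the archive download are assumptions.

```python
import json
import re
from urllib.parse import urlparse

# Request shapes come from the report's description of the Spyder C2 loop:
# POST bodies "hwid=%s&deploy=N" (optionally "&bakmout=1"), JSON {"name","pass"}
# replies and archive downloads from "<C2 dir>/[name].zip". Log records are constructed.
BEACON_RE = re.compile(r"^hwid=(?P<hwid>[A-Za-z0-9._-]+)&deploy=(?P<deploy>\d+)"
                       r"(?P<bak>&bakmout=1)?$")
C2_SCRIPTS = {"bottom.php", "smile.php", "balloon.php"}  # script names seen in samples


def classify_beacon(body: str, response: str):
    """Map one POST body/reply pair onto a loop stage, or None if not a beacon."""
    m = BEACON_RE.match(body)
    if not m:
        return None
    deploy = int(m.group("deploy"))
    if m.group("bak"):
        try:
            name = json.loads(response)["name"]
            return ("package-request", f"instruction {deploy} -> {name}.zip")
        except (ValueError, KeyError, TypeError):
            return ("package-request", f"instruction {deploy} (reply not parsed)")
    return ("completion", "payload executed") if deploy == 0 else ("poll", "instruction poll")


def scan_proxy_log(records: list) -> list:
    """Correlate per host: a zip download is flagged only after that host beaconed."""
    beaconing_hosts, findings = set(), []
    for r in records:
        url = urlparse(r["url"])
        script = url.path.rsplit("/", 1)[-1]
        if r["method"] == "POST" and script in C2_SCRIPTS:
            hit = classify_beacon(r.get("body", ""), r.get("response", ""))
            if hit:
                beaconing_hosts.add(url.hostname)
                findings.append((r["url"], *hit))
        elif r["method"] == "GET" and script.endswith(".zip") and url.hostname in beaconing_hosts:
            findings.append((r["url"], "download", f"archive {script}"))
    return findings


CONSTRUCTED_LOG = [
    {"method": "POST", "url": "http://plainboardssixty.com/drive/bottom.php",
     "body": "hwid=MDAwMA--&deploy=1", "response": "2"},
    {"method": "POST", "url": "http://plainboardssixty.com/drive/bottom.php",
     "body": "hwid=MDAwMA--&deploy=2&bakmout=1", "response": '{"name": "upd", "pass": "x"}'},
    {"method": "GET", "url": "http://plainboardssixty.com/drive/upd.zip"},
    {"method": "GET", "url": "http://example.invalid/files/report.zip"},
    {"method": "POST", "url": "http://plainboardssixty.com/drive/bottom.php",
     "body": "hwid=MDAwMA--&deploy=0", "response": ""},
]
```

Only bodies in the "deploy" form are matched; the initial check-in carrying the email address has a different shape and is deliberately left out here.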

The detailed explanations of the backdoor instructions are as follows:

Instruction | Description
--- | ---
"1" | The downloaded package is saved locally as "slr.zip". The "1.bin" file in the package is extracted and saved as "slb.dll", and the DLL's exported function "CreateInterface" is run via rundll32.
"2" | The downloaded package is saved locally as "slr_2.zip". The "2.bin" file in the package is extracted and saved as "sihost.exe", and the EXE is run.
"3" | The downloaded package is saved locally as "slr_3.zip". The "3.bin" file in the package is extracted and saved as "secd.exe", and the EXE is run.
Other | No operation.

Two additional samples in June are almost identical to the previous sample, with the following differences:

(1) The names of the mutex, profile, and email in the configuration data are different.

(2) The file downloaded from "hxxp://plainboardssixty.com/drive/chilli.php" at the beginning of the loop is saved as "gameinput.exe".

(3) The files released for instructions "2" and "3" are named "Microsoft.Web.PageInspector.exe" and "DocumentFormat.OpenXml.exe", respectively, and are saved in the "Microsoft.Web" subdirectory under "AppData\Local".


Spyder Original Version

The original version from April has minimal differences compared to the updated version in June, as outlined below:

(1) The critical configuration strings are XOR-decrypted in the initialization function, rather than being decrypted from the resource section as in the updated version.

(2) There is no C2 interaction, and no decision on whether to enter a sleep state, before the scheduled tasks are created and the collected information is returned.

(3) The C2 communication loop does not download and execute a payload from an additional URL.

(4) Although both versions return information in the same format, the profile in the original version is just a code and the mail field does not contain an email name, whereas in the updated version both have clear values.

The configuration data for the April sample is as follows:

MD5 | C2 (Communication) | Download URL | profile | mail
--- | --- | --- | --- | ---
eb9068161baa5842b40d5565130526b9 | hxxp://gclouddrives.com/spyder/smile.php | hxxp://gclouddrives.com/spyder/[name].zip | TS-001 | N
87d94635372b874f18acb3af7c340357 | hxxp://alibababackupcloud.com/spyder/smile.php | hxxp://alibababackupcloud.com/spyder/[name].zip | TS-002 | N
1fa3f364bcd02433bc0f4d3113714f16 | hxxp://cloudplatfromservice.one/cpidr/balloon.php | hxxp://cloudplatfromservice.one/cpidr/[name].zip | TS-004 | N

It is worth noting that the C2 path in the early samples also contains the string "spyder", and the profiles follow the "TS-" numbering scheme. The gap in that numbering (TS-003 is absent) suggests that the April attack likely had other victims as well.


Comparison With WarHawk

The Spyder backdoor shares some similarities with the WarHawk backdoor disclosed by Zscaler [2], but there are significant differences in the operations corresponding to the backdoor instructions.


1. Similarities

(1) Both backdoors utilize similar functions to send POST requests to C2, and they use the same User Agent.

(2) The collected device information is similar, and both backdoors use the hwid (Machine GUID) as the victim identifier in C2 communication.

(3) The C2 instructions for both backdoors use numeric characters to differentiate different operations, and the issued C2 instructions are in JSON format.


2. Differences

The differences between the two backdoors lie in the distribution and specific functionality of the backdoor instructions. The WarHawk backdoor calls functions to implement each instruction in a sequential manner. Each function first queries the C2 server to determine whether to perform the operation and then executes or skips it based on the server's response. The following code snippet illustrates the relevant code for the WarHawk backdoor.

The WarHawk backdoor supports functionalities such as downloading and executing subsequent payloads, command execution, collecting and returning file information, and file downloading. In contrast, the Spyder backdoor primarily focuses on downloading and executing subsequent payloads.


Source Attribution

Ownership

The early sample of the Spyder backdoor (MD5: eb9068161baa5842b40d5565130526b9) carries a digital signature of "Integrated Plotting Solutions Limited," which has also been used by other samples associated with the Mokha Grass threat actor.

Additionally, another sample of the Spyder backdoor (MD5: 87d94635372b874f18acb3af7c340357) is associated with a Remcos trojan sample based on the digital signature "HILLFOOT DEVELOPMENTS (UK) LTD."

Attribute | Value
--- | ---
File Name | smss.exe
MD5 | acbae6919c9ce41f45ce0d1a3f3fedd4
Creation Time | 2023-04-17 15:47:39 UTC
Digital Signature Time | 2023-04-18 07:24:00 UTC
File Size | 1026840 bytes (1002.77 KB)

This sample initially creates a series of scheduled tasks, similar to the behavior observed in the Spyder backdoor.

It then decrypts the PE data of the Remcos trojan and loads it into memory for execution.

The Mokha Grass group has also been known to use the Remcos trojan in their previous attack campaigns. Considering these pieces of evidence, we believe that the group behind the Spyder backdoor attack activities is likely the Mokha Grass group.


Other Associated Samples

The C2 for the aforementioned Remcos trojan sample is 192[.]169.7.142:80.

Another sample is associated with communication to the same IP and is a lightweight backdoor written in C#.

Attribute | Value
--- | ---
File Name | -
MD5 | e3b37459489a863351d855e594df93bf
Creation Time | 2075-03-07 02:18:38 UTC
VT Upload Time | 2023-05-26 20:26:23 UTC
File Size | 17408 bytes (17.00 KB)

The configuration data is as follows, and the URL format for communication with the C2 server is "hxxps://192.169.7.142:4546/search?q=search[<host_name>".

The Main_Load function calls the Fetch and Reply methods to implement basic backdoor functionality.

The Fetch method retrieves instruction data from the C2 server through a GET request, and then processes the retrieved data, including reversing the order, GZ decompression, and removing the string "XXPADDINGXXPADDINGXXPADDINGXX". It creates a cmd.exe process with code page set to 437 and executes the processed instruction data.

The Reply method processes the result of the cmd.exe process execution and sends it back to the C2 server through a POST request. The processing includes adding the string "XXPADDINGXXPADDINGXXPADDINGXX", GZ compression, and reversing the order.
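The Fetch/Reply transform chain of the C# backdoor as an added Python example (not the report's or the backdoor's code), useful for decoding captured task bodies or replies during analysis. It assumes that "reversing the order" means reversing the byte sequence and that the padding marker is appended to the plaintext before compression.

```python
import gzip

# Transform chain from the report: tasks are decoded by reverse -> gunzip -> strip
# marker, replies are encoded by add marker -> gzip -> reverse. Marker placement
# (appended here) is an assumption.
PADDING = b"XXPADDINGXXPADDINGXXPADDINGXX"


def unpack(raw: bytes) -> bytes:
    """Implant-side decoding of a fetched task: reverse -> gunzip -> strip padding."""
    plain = gzip.decompress(raw[::-1])
    if not plain.endswith(PADDING):
        raise ValueError("padding marker missing: not the expected framing")
    return plain[: -len(PADDING)]


def pack(data: bytes) -> bytes:
    """Encoding used for replies (and, mirrored, for tasks): pad -> gzip -> reverse."""
    return gzip.compress(data + PADDING)[::-1]


def looks_like_framed_blob(raw: bytes) -> bool:
    """Reversed gzip stream: the 1f 8b magic ends up as the last two bytes of the body."""
    return raw[-2:] == b"\x8b\x1f"


# Constructed task body, as the C2 would send it, followed by the round trip.
CONSTRUCTED_TASK = pack(b"hostname")

if __name__ == "__main__":
    print(unpack(CONSTRUCTED_TASK))
    print(looks_like_framed_blob(CONSTRUCTED_TASK))
```

The trailing 8b 1f byte pair is a cheap triage signal for HTTP bodies to and from this backdoor, since a plain gzip body would start with those bytes instead.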

This lightweight backdoor has extremely simple functionality and is likely used in conjunction with other malware during the attack process.

Furthermore, we have discovered other samples of this C# backdoor that have been uploaded to VT, with slight variations in the implementation code.

Attribute | Value
--- | ---
File Name | not_default_config.exe
MD5 | 4a25a52244f3360b0fffd0d752833bf1
Creation Time | 2098-11-29 07:58:55 UTC
VT Upload Time | 2023-05-09 10:01:52 UTC
File Size | 56320 bytes (55.00 KB)

The C2 server in the configuration data is an internal IP, indicating that this sample may be a test version.


Summary

There are intricate connections among several APT groups in the South Asia region, and the Spyder backdoor, which targeted multiple countries in this campaign, is one example. It shares many similarities with the previously disclosed WarHawk backdoor attributed to the Sidewinder (Rattlesnake) group. Based on the digital certificates found in early samples and the associated Remcos trojan samples, it is more likely that the Spyder backdoor originates from the Mokha Grass group. Furthermore, we have identified other backdoors through the infrastructure used by the attackers, indicating that they continue to expand their arsenal.


Protection Recommendations

QiAnXin Threat Intelligence Center reminds users to be cautious of phishing attacks, avoid opening links from unknown sources shared on social media, refrain from executing email attachments from unknown origins, avoid running unknown files with exaggerated titles, and avoid installing apps from unofficial sources. It is important to regularly back up important files and keep software up to date with the latest patches.

If it is necessary to run an application from an unknown source, it is recommended to first use the QiAnXin Threat Intelligence File Deep Analysis Platform (https://sandbox.ti.qianxin.com/sandbox/page) for verification. The platform currently supports in-depth analysis of various file formats, including Windows and Android platforms.

Currently, all products based on QiAnXin Threat Intelligence Center's threat intelligence data, including QiAnXin Threat Intelligence Platform (TIP), TianQing, TianYan Advanced Threat Detection System, QiAnXin NGSOC, and QiAnXin Situational Awareness, support precise detection of such attacks.


IOC



References

[1] https://twitter.com/Axel_F5/status/1669794530592170001

[2] https://www.zscaler.com/blogs/security-research/warhawk-new-backdoor-arsenal-sidewinder-apt-group-0
