
Group Background

Patchwork, also known as White Elephant, Hangover, Dropping Elephant, etc., is tracked internally by QiAnXin under the tracking number APT-Q-36. The group is widely believed to have a South Asian regional background; its earliest known attack activity dates back to November 2009, so it has been active for more than 10 years. The group mainly conducts cyber espionage against countries in the Asian region, targeting organizations in the fields of government, military, power, industry, research and education, diplomacy and economy.


Summary of events

QiAnXin Threat Intelligence Center previously published analysis reports on the Spyder downloader used by the Patchwork group [1,2]. Recently we found a new variant of the Spyder downloader and observed that the attackers used it to distribute two information-stealing components, which take screenshots and collect file information respectively.

Although the core functionality of the Spyder downloader remains unchanged (it still extracts subsequent components from remotely downloaded, encrypted ZIP packages and executes them), some changes have been made to the code structure and the C&C communication format, among other things. The following describes the attack process of the Spyder downloader and the information-stealing components discovered in this case.


Detailed analysis

Relevant sample information is provided below:

| MD5 | Compile time | Filename | Description |
|---|---|---|---|
| 689c91f532482aeff84c029be61f681a | 2024-06-04 15:12:47 UTC | eac_launcher.exe | Spyder downloader |
| 7a177ef0b1ce6f03fa424becfb9d37ac | 2024-05-21 08:28:54 UTC | IntelPieService.exe | Screenshot component |
| 85d0f615923af8196fa7d08ef1c68b64 | 2024-02-13 10:46:07 UTC | RstMwService.exe | File-stealing component |

Spyder downloader

Sample 689c91f532482aeff84c029be61f681a is disguised with a Word document icon, and the program is digitally signed. The signer name is "Xi'an Qinxuntao Network Technology Co., Ltd." and the signing time is June 4, 2024, 15:21:35 UTC.

Configuration data in the new Spyder downloader is stored directly in the code, unlike previous versions which encrypted it and stored it in the resources area.

To generate decoy traffic, the sample uses curl to send requests to retail.googleapis.com and api.github.com.

It then remaps the .text sections of several system DLLs in order to remove any hooks that have been placed in those modules.

The sample creates multiple scheduled tasks, each of which triggers only once and points to "%LocalAppdata%\zlib1.exe", and copies itself to "%LocalAppdata%\zlib1.exe".

The communication data between the sample and the C2 server is placed in a custom header field ("boop" in this case) of the POST request. The data is a Base64-encoded JSON string in which some characters are replaced after Base64 encoding.

The JSON string sent by the sample to the C2 path "/soup/pencil.php" contains two fixed fields: "xdid" (the Machine GUID of the infected device) and "about" (the string "0.0.0.1" from the sample's configuration data, which may be a version number).

Requests to "/soup/pencil.php" serve two purposes: (1) to learn whether device information should be collected, and (2) to obtain information about the ZIP package carrying the next component.

Collecting equipment information

Based on the response to its first request to "/soup/pencil.php", the sample decides whether to collect and return device information: if the response is "1", the information collection is performed; otherwise this step is skipped. The collected information is added to the JSON string as a "jupiter" field.

The various types of information collected are listed below:

| Field name | Stored data |
|---|---|
| address | Hostname |
| page_id | User name |
| weather | Operating system version |
| profile | String from the sample's configuration data ("Fighter") |
| news | Information on installed antivirus software |

Download follow-up components

After that, the sample enters a loop for fetching subsequent components. Each iteration first sends decoy traffic to api.github.com and then requests "/soup/pencil.php" from the C2 server. If the response is "0", or the response data is not longer than 5 bytes, the sample simply sleeps and waits for the next iteration.

When the response data meets the requirements, the sample extracts information about the zip package from it for downloading subsequent components. The fields from which information is extracted in the response data are the following three:

| Field name | Description |
|---|---|
| first | Category of the downloaded component (number) |
| middle | Name of the downloaded ZIP package (string) |
| last | Password (string) for decrypting the ZIP archive |

The sample appends the contents of the middle field to "/soup/download.php?mname=" and requests that path from the C2 server to download the ZIP archive containing the next component.
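As an added example (not code from the report), the following Python helper applies the check-in format described above (the "boop" header carrying substituted Base64 JSON, the fixed "xdid"/"about" fields, the optional "jupiter" block) and the response-field table to captured traffic, for triage of proxy or sandbox logs. The exact post-Base64 character substitution, the JSON encoding of the server response, and all sample values are assumptions.

```python
# Added example, not the report's own code: decode and classify a captured
# Spyder check-in, and derive the download path from a pencil.php response.
import base64
import json
from typing import Optional

# ASSUMPTION: the report does not give the substitution table; configure it
# from the real sample before use.
SUBST = {"+": "-", "/": "_", "=": "."}
_REVERSE = {v: k for k, v in SUBST.items()}

BEACON_FIXED_KEYS = {"xdid", "about"}                       # always present
DEVICE_INFO_KEYS = {"address", "page_id", "weather", "profile", "news"}


def encode_beacon(payload: dict) -> str:
    """Mirror of the sample's encoding: JSON -> Base64 -> character substitution."""
    b64 = base64.b64encode(json.dumps(payload).encode()).decode()
    return "".join(SUBST.get(c, c) for c in b64)


def decode_beacon(header_value: str) -> Optional[dict]:
    """Undo the substitution and Base64, then parse JSON; None if it is not a beacon."""
    b64 = "".join(_REVERSE.get(c, c) for c in header_value)
    try:
        data = json.loads(base64.b64decode(b64, validate=True))
    except ValueError:          # covers binascii.Error and JSONDecodeError
        return None
    return data if isinstance(data, dict) else None


def classify_beacon(payload: Optional[dict]) -> str:
    """'beacon' for the fixed fields only, 'device_info' when the jupiter block is filled."""
    if not isinstance(payload, dict) or not BEACON_FIXED_KEYS <= payload.keys():
        return "not_spyder"
    jupiter = payload.get("jupiter")
    if isinstance(jupiter, dict) and DEVICE_INFO_KEYS <= jupiter.keys():
        return "device_info"
    return "beacon"


def download_path(response: str) -> Optional[str]:
    """Reproduce the sample's handling of a pencil.php response (assumed plain JSON)."""
    if response.strip() == "0" or len(response) <= 5:
        return None                                          # sample sleeps and retries
    info = json.loads(response)
    return "/soup/download.php?mname=" + info["middle"]     # 'last' is the ZIP password


# Constructed sample values for a stand-alone run (not from the report).
SAMPLE_HEADER = encode_beacon({"xdid": "{00000000-1111-2222-3333-444444444444}", "about": "0.0.0.1"})
```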

The components in the ZIP package are extracted to the INTERNET_CACHE directory (i.e., "C:\Users\[user_name]\AppData\Local\Microsoft\Windows\INetCache\"), and CreateProcessW is then called to execute them.


Follow-up components

Two types of follow-up components delivered through the Spyder downloader described above have been observed. Both carry the same digital signature as the Spyder downloader ("Xi'an Qinxuntao Network Technology Co., Ltd."), and their main functions are screenshot exfiltration and file information theft, respectively.

Component 1: Screenshot

The screenshot component IntelPieService.exe saves the screenshot as image.bmp and sends it to hxxp://onlinecsstutorials[.]com/soup/upsman.php.

The device's Machine GUID is again used as the uid field in the request data.


Component 2: File information theft

The file-stealing component RstMwService.exe first writes its own file path to the DeviceDisplay value under the current user's RunOnce registry key.

It then drops a file from its resource section and saves it as MsEngLU.dll (MD5: c568d613ba74fd6cd5da730f6ce38626) in the INTERNET_CACHE directory.

Finally, it loads MsEngLU.dll and calls its export function DriveBackup.

MsEngLU.dll is digitally signed by "GJT AUTOMOTIVE LTD".

The DLL recursively collects file information, starting from the user's Desktop, Documents, Downloads and OneDrive directories as well as the root directories of all non-system drives.

The file types the stealer focuses on include documents, ZIP archives, images, audio files and emails.

The file information is stored in the local database "%APPDATA%\Microsoft\Windows\Libraries\policy.db" in SQLite format.

Finally, the data is sent to "hxxp://93.95.230.16/domcomtwit/hen.php".


Traceability links

The discovered Spyder variant retains many features of the previous Spyder samples [1,2], including XOR-decrypted strings, the creation of multiple scheduled tasks, communication data organized as JSON strings, and fetching information about an encrypted archive from the C2 server before downloading and decrypting it.

The Spyder variant is associated with a number of similar samples, and their compile times show that such variants have been in use since at least March.

| MD5 | Compile time | C&C |
|---|---|---|
| 887d76e305d1b2ac22a83a1418a9fc57 | 2024-03-14 14:47:01 UTC | l0p1.shop |
| 47b4ed92cfc369dd11861862d377ae26 | 2024-04-05 14:09:32 UTC | firebaseupdater.com |
| 0dc0816bd46f3fe696ed0a2f1b67cfa8 | 2024-04-25 17:10:20 UTC | firebaseupdater.com |
| e8a9b75c5e41f6d4af9f32c11d0057cb | 2024-04-25 17:10:20 UTC | firebaseupdater.com |

The MsEngLU.dll dropped by RstMwService.exe can be linked to another, functionally identical file stealer (MD5: 339ce8f7b5f253f2397fc117f6503f1f), which sends the collected file information to the URL "hxxp://89.147.109.143/lightway/hex.php".

The sample that drops this stealer (MD5: e19e53371090b6bd0e1d3c33523ad665) likewise saves it as MsEngLU.dll in the INTERNET_CACHE directory and calls its export function DriveBackup.


Summary

Another update to Spyder indicates that the downloader has become a regular tool of the Patchwork group. The two information-stealing components are downloaded separately and perform different functions, reflecting the modular structure of the attacker's arsenal. The follow-up components captured so far take screenshots and collect file information, and they are probably only the tip of the iceberg in terms of the payloads being delivered, since the attackers are fully capable of selectively taking further action against high-value targets based on the information collected.


Protection recommendations

QiAnXin Threat Intelligence Center reminds users to beware of phishing attacks: do not open links from unknown sources shared on social media, do not click on email attachments from unknown senders, do not run unknown files with sensational titles, and do not install apps from unofficial sources. Back up important files regularly, and install updates and patches in a timely manner.

If you need to run and install applications of unknown origin, you can first use the QiAnXin Threat Intelligence File Depth Analysis Platform (https://sandbox.ti.qianxin.com/sandbox/page) to make a judgment. Currently, it supports in-depth analysis of files in various formats, including Windows and Android platforms.

Currently, the full line of products based on the threat intelligence data from the QiAnXin Threat Intelligence Center, including the QiAnXin Threat Intelligence Platform (TIP), SkyRock, SkyEye Advanced Threat Detection System, QiAnXin NGSOC, and QiAnXin Situational Awareness, already support the accurate detection of such attacks.


IOC



Reference links

[1] https://ti.qianxin.com/blog/articles/Suspected-Patchwork-Utilizing-WarHawk-Backdoor-Variant-Spyder-for-Espionage-on-Multiple-Nations-CN/

[2] https://ti.qianxin.com/blog/articles/Delivery-of-Remcos-Trojan-by-Mahaccha-Group-APT-Q-36-Leveraging-Spyder-Downloader-CN/
