Background of the group
摩诃草, also known as Patchwork, White Elephant, Hangover, Dropping Elephant, etc., and internally tracked as APT-Q-36, is widely believed to have a South Asian background. Its earliest attack activity dates back to November 2009, and the group has been active for more than 10 years. It mainly conducts cyber-espionage against countries in the Asian region, and its targets include organizations in the fields of government, military, power, industry, scientific research and education, diplomacy, and economy.
Incident Overview
Qi'anxin Threat Intelligence Center recently discovered a Patchwork LNK attack sample that downloaded its decoy document and follow-up payload from a remote server whose domain name imitates that of a domestic university. The follow-up payload is a loader written in Rust, which decrypts and runs a shellcode that in turn loads a C# Trojan in memory.

The content of the decoy PDF is the technical access route of the electric power and energy industry, and the target of the attack may be researchers in related fields.

Detailed Analysis
The relevant sample information is as follows:
| MD5 | File name | Description |
|---|---|---|
| 8930abf86e2e94b1a4b373e25d01f2ff | 89565254.pdf.lnk | LNK file disguised as PDF |
| e5cfa25f8f3fab90dc1777ac1b96c890 | Winver.exe | C# Trojan loader |
| 29e584797a4c1bb71e8c1c018bd431ad | Protego.exe | C# Trojan |
LNK
The malicious LNK executes the command as follows:

The decoy PDF document is first downloaded from jlu-edu.org and opened; the subsequent payload is then downloaded, renamed to Winver.exe, and registered as a scheduled task named GoogleErrorReport. The domain name of the remote server used for the downloads is modeled after a domestic university, with the intention of disguising the malicious traffic as traffic to a legitimate source.
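As an added example (not part of the original report), the host-side behaviour described above can be turned into simple hunting logic over endpoint telemetry: a scheduled task named GoogleErrorReport, a Winver.exe running outside System32 (where the genuine Windows version dialog lives), and payload files staged under C:\Users\Public or C:\Windows\Tasks with the .cfg/.IDL extensions seen later in the report. The event shape and the schtasks command line are assumptions; the sample events are constructed.

```python
import re
from typing import Dict, List

# Constructed sample events in a simplified Sysmon-like shape (not real telemetry).
# The exact schtasks command line is an assumption; the report only names the task.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks /create /sc minute /mo 5 /tn GoogleErrorReport /tr C:\Users\Public\Winver.exe"},
    {"type": "process", "image": r"C:\Users\Public\Winver.exe", "cmdline": r"C:\Users\Public\Winver.exe"},
    {"type": "process", "image": r"C:\Windows\System32\winver.exe", "cmdline": "winver.exe"},
    {"type": "file", "image": r"C:\Windows\System32\cmd.exe", "target": r"C:\Users\Public\ItDoesAll.cfg"},
    {"type": "file", "image": r"C:\Windows\System32\svchost.exe", "target": r"C:\Windows\Tasks\OfficeAsyn.IDL"},
    {"type": "process", "image": r"C:\Program Files\Tool\tool.exe", "cmdline": "tool.exe --help"},
]

# Task name reported for persistence in both LNK samples.
TASK_RE = re.compile(r'/tn\s+"?GoogleErrorReport"?', re.IGNORECASE)
# Staging locations and extensions the loaders read their payloads from.
STAGED_RE = re.compile(r"^C:\\(Users\\Public|Windows\\Tasks)\\[^\\]+\.(cfg|idl)$", re.IGNORECASE)
SYSTEM32 = "c:\\windows\\system32\\"

def check_event(ev: Dict[str, str]) -> List[str]:
    """Return a list of alert strings for one event (empty if benign)."""
    alerts: List[str] = []
    image = ev.get("image", "").lower()
    if ev["type"] == "process":
        if TASK_RE.search(ev.get("cmdline", "")):
            alerts.append("scheduled task GoogleErrorReport created")
        # The real winver.exe is shipped in System32; a copy elsewhere is suspicious.
        if image.endswith("\\winver.exe") and not image.startswith(SYSTEM32):
            alerts.append("winver.exe running outside System32: " + ev["image"])
    elif ev["type"] == "file":
        if STAGED_RE.match(ev.get("target", "")):
            alerts.append("staged payload written: " + ev["target"])
    return alerts

def scan(events: List[Dict[str, str]]) -> List[str]:
    """Run every rule over every event and collect the alerts in order."""
    return [alert for ev in events for alert in check_event(ev)]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```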
Loader
The loader Winver.exe, whose name mimics the built-in Windows program that displays version information, is written in Rust; the developer uses the username testPD.


The core function is to decrypt a built-in shellcode and call CreateThread to execute it.


The shellcode further decrypts its own data, which contains a PE file; the PE file is loaded into memory and run from within the shellcode.

C# Trojan
Extracting the PE file from memory shows that the program is written in C# and is named Protego.


First a mutex named "kiuwqyergljkwef" is created.

The Accio class in the program performs operations to collect information, including host name, current user name, current directory, Trojan process id and process name, device UUID and OS product name.

The relevant URL for the C2 server is hxxps://arpawebdom.org/bIHTfcVHegEoMrv/WCcod7JY3zwUpDH.php.

The Trojan establishes a connection with the C2 server through the startStage method.

Establishing the connection takes two stages. The first stage calls the fStage method to send the encrypted victim id (Cid) and device UUID (uniqid) to the C2 server, derives the key for decrypting Trojan commands from the server's response, and then enters the second stage, SStage.

The second stage, SStage, obtains the egress IP of the infected device and then sends all the collected information, encrypted, to the C2. If the server's response does not contain "NOT FOUND", the connection is considered established and the isCompl member is set to true.


After the connection is established, the Trojan obtains commands from the C2 server and executes them.


The list of Trojan commands is as follows.
| Trojan command | Function |
|---|---|
| die | End process |
| ping | Returns the Trojan heartbeat message "pong". |
| pwd | Get current working directory |
| cd | Set current working directory |
| rm or del | Delete a file |
| whoami | Get the current user name |
| dir or ls | List the current working directory without additional parameters, otherwise list the specified directory. |
| ipconfig or ifconfig | Get IP information |
| cat or type | Get the contents of a specified file |
| waittime, wait, responsetime or timer | Set Trojan wait time |
| screenshot or schot | Screenshot |
| upload or uploadfile | Uploads a specified file to a Trojan infected device |
| ps, process or processes | Get process list information |
| enablecmd, enable or cmd | Enters cmd mode, in which the Trojan stops parsing commands sent by the remote server. |
| inmem | Download the load and execute it in memory |
| download or get | Packs the specified files from the Trojan-infected device into a zip archive and sends it back to the remote server. |
| downexe | Download the executable file and execute it |
| lksfjdgjkxv | If the command contains the string "lksfjdgjkxv", enter cmd mode, execute the cmd command after "lksfjdgjkxv", and close the cmd mode at the end of the execution. |
Tracing the connection
In April, a similar Patchwork LNK sample was uploaded to VT.
| MD5 | File name | Description |
|---|---|---|
| 4cc371651f43e31df87b9f08013a14f6 | 8754444113.pdf.lnk | LNK file disguised as PDF |
The execution command is shown below. It likewise downloads the decoy PDF document as well as the malicious files Winver.exe and ItDoesAll.cfg, and sets up the scheduled task GoogleErrorReport. The sample was publicly disclosed by security researchers at the time [1].

The subsequent payloads of the above LNK sample are no longer available, but Qi'anxin Threat Intelligence Center found that a malicious file of the same name, Winver.exe (MD5: 13c5617da56d8b821e6acd1d5c8f8780), appeared in the Patchwork group's attacks against domestic users. This sample reads and loads the file C:\Users\Public\ItDoesAll.cfg, the same path to which the LNK file saves the subsequent components it downloads.

Several other loaders were also found on the victim's terminal, all of which load the malicious payload from a local file. The loader with MD5 2f1b002352c3a5469f5708de756f3f76 reads and loads the file C:\Windows\Tasks\Update.cfg.

The loader with MD5 85ba2585c44c95c9ab40fffa2cdd6e36 reads and loads the file C:\Windows\Tasks\OfficeAsyn.IDL.

The same C# Trojan (MD5: d3e719065e938dfbae05039cc305c904) was used in this attack, with an identical program name and mutex name.

The C2 server related URL is hxxps://aonepiece.org/bIHTfcVHegEoMrv/WCcod7JY3zwUpDH.php.
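Both C# Trojan samples use the same C2 URL path on different domains, which is a more durable network indicator than either domain alone. As an added example (not part of the original report), the following checks a proxy log for the known domains and, independently, for that path on any host; the log format and all log lines are constructed.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# URL path shared by both C2 servers in the report, and the hosts named in the text.
KNOWN_C2_PATH = "/bIHTfcVHegEoMrv/WCcod7JY3zwUpDH.php"
KNOWN_HOSTS = {"jlu-edu.org", "arpawebdom.org", "aonepiece.org"}

# Constructed proxy log: "<timestamp> <client> <method> <url> <status>" (assumed format).
SAMPLE_PROXY_LOG = """\
2025-05-02T10:14:03Z 10.0.0.21 GET https://jlu-edu.org/files/89565254.pdf 200
2025-05-02T10:14:09Z 10.0.0.21 POST https://arpawebdom.org/bIHTfcVHegEoMrv/WCcod7JY3zwUpDH.php 200
2025-05-02T10:15:40Z 10.0.0.22 GET https://www.example.com/index.html 200
2025-05-03T08:01:11Z 10.0.0.23 POST https://not-listed.example/bIHTfcVHegEoMrv/WCcod7JY3zwUpDH.php 200
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<status>\d+)$")

Hit = Tuple[str, str, List[str]]  # (client, host, reasons)

def classify(line: str) -> Optional[Hit]:
    """Parse one log line and return (client, host, reasons); reasons is empty if benign."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # malformed line: skip rather than guess
    parts = urlsplit(m["url"])
    host = parts.hostname or ""
    reasons: List[str] = []
    if host in KNOWN_HOSTS:
        reasons.append("known infrastructure: " + host)
    # Path match fires even for a host not yet on the list: new domain, same backend.
    if parts.path == KNOWN_C2_PATH:
        reasons.append("C2 path fingerprint reused on " + host)
    return (m["src"], host, reasons)

def find_suspicious(log_text: str) -> List[Hit]:
    """Return only the parsed lines that triggered at least one reason."""
    hits: List[Hit] = []
    for line in log_text.splitlines():
        result = classify(line)
        if result and result[2]:
            hits.append(result)
    return hits

if __name__ == "__main__":
    for client, host, reasons in find_suspicious(SAMPLE_PROXY_LOG):
        print(client, host, "; ".join(reasons))
```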

In addition to the C# Trojan described above, the attackers also distributed several open-source Trojan modules.
Open-source Quasar RAT (MD5: 1a2c0de6fa02dc92acde0821eb0e80b4), with C2 38.146.28.17:1005.

Open-source SantaRat (MD5: a8326b5c6ae046f3b3e3bf05a0c2c4e3), with C2 162.216.240.8:6606|7707|8808.

Open-source Quasar RAT (MD5: a5d09c82fc474371e3b83e5237310eff), with C2 38.146.27.237:1005.

Summary
Attacks by the Patchwork group against China often target universities and research institutions. In the recent campaign, Patchwork spoofed university domain names in an attempt to disguise its malicious traffic as legitimate and conceal the attack. The attackers also changed the loader's technique from reading an additional payload file to running the loading process from built-in shellcode, while still using the same C# Trojan with multiple remote-control features. In the attacks we observed, Patchwork not only uses this C# Trojan but also combines it with other open-source Trojans to carry out intelligence theft.
Protection Suggestions
Qi'anxin Threat Intelligence Center reminds users to be wary of phishing attacks: do not open links from unknown sources shared on social media, do not click on email attachments from unknown sources, do not run unknown files with sensational titles, and do not install apps from unofficial sources. Back up important files regularly, and install updates and patches promptly.
If you need to run or install apps from unknown sources, you can first use the Qi'anxin Threat Intelligence File Depth Analysis Platform (https://sandbox.ti.qianxin.com/sandbox/page) to identify them. Currently, it supports in-depth analysis of files in various formats, including Windows and Android platforms.
Currently, the full line of products based on threat intelligence data from Qi'anxin Threat Intelligence Center, including Qi'anxin Threat Intelligence Platform (TIP), SkyRock, SkyEye Advanced Threat Detection System, Qi'anxin NGSOC, Qi'anxin Situational Awareness, etc., already support the accurate detection of such attacks.
IOC
Reference Links
[1]. https://x.com/ginkgo_g/status/1915332815308403152