返回 TI 主页

Background on gangs

Patchwork, also known as White Elephant, Hangover, Dropping Elephant, etc., is tracked internally by Qi'anxin under tracking number APT-Q-36.The group is widely believed to have a South Asian regional background, with its earliest attack activity dating back to November 2009, and has been active for more than 10 years. The group mainly conducts cyber espionage activities against countries in the Asian region, targeting groups in the fields of government, military, power, industry, research and education, diplomacy and economy.

The Donot is tracked internally by Qi'anxin under the number APT-Q-38, which mainly targets countries in South Asia, such as Pakistan, Bangladesh, and Sri Lanka, to carry out cyber-espionage activities against government agencies, the defense and military, the diplomatic sector, and important people in the business field, and steal sensitive information. The Donot group has Windows and Android dual-platform attack capabilities, and often spreads malicious code through harpoon emails and Android APKs carrying Office vulnerabilities or malicious macro documents in past attack campaigns.


Summary of Events

The Qi'anxin Threat Intelligence Center disclosed the attacks of the Donot group in late February [1], and since then we have continued to track the attacks and found that the Donot group had used the domain "couldmailauth.com" to host the malware. Recently we have captured another batch of samples using "couldmailauth.com" as a C&C server, such samples are Spyder downloaders for the Patchwork group and one of them carries the same digital signature as the Donot sample. The above information indicates a potential link between these two South Asian APT groups.


Detailed Analysis

Donot-related samples

Below is information about the samples related to the Donot tissue:

- - -
MD5 Filename Clarification
e39413d9a67acbc5df2d8b8c0a170f4b ltr-2024055.ppt With VBA macros, download DLL
8157be7acc05f719dc125d677133ca40 Reghjok_64.dll Downloaded DLLs

The download link for the malicious PPT is "hxxps://viperdenx.info/2025/filezz/uploadz/ltr-2024055.ppt". The main function of the VBA macro in the PPT is to download the subsequent DLL from "hxxp://couldmailauth.com/zhq93e8hsj93793892378hhxhb/Reghjok_64.dll". The main function of the VBA macro in the PPT is to download the subsequent DLL from "hxxp://couldmailauth.com/zhq93e8hsj93793892378hhxhb/Reghjok_64.dll", save it as "%LocalAppdata%\\\SysIconTray.dll", and then call rundll32.dll to run the export function bostRebert.

The C&C server that the DLL connects to is totalservices.info, which has the same functionality as the sample PLAIN.dll disclosed in the previous report [1].


Patchwork Spyder Downloader

Recently discovered Spyder downloader samples are listed below:

- - - - -
Serial number MD5 Compile time File size C&C
1 c13dfd03cbdd66c0d6d53eb55ba9d551 2025-02-04 19:22:09 utc 3.80 MB (3988992 bytes)
2 2f1c58c7214471c28283b9e161ceed1c 2025-02-15 00:23:23 utc 80.99 MB (84926048 bytes)
3 f8e30dad9130bbc04164dda4f31a1b23 2025-02-15 00:23:23 utc 17.38 MB (18219008 bytes)
4 4dfbc90129c9700bab397a59e0640648 2025-02-15 00:23:23 utc 6.81 MB (7143424 bytes)
5 6cf72a23f23f2f35106ed9db63df3474 2025-03-24 11:50:12 utc 3.50 MB (3672064 bytes)

The core data of samples numbered 2 to 4 are identical, but all of them have different numbers of zero bytes appended at the end of the original executable file (i.e., at the end of the .reloc segment) to inflate the file's disk size, and the sample numbered 2 has a digital signature added to it.

Sample number 2 (MD5: 2f1c58c7214471c28283b9e161ceed1c) is used as an example for analysis. The sample is camouflaged with a PPT icon, digitally signed by "Ebo Sky Tech Inc" and signed at‎ on February 16, 2025 07:52:57 UTC.

Some of the configuration data strings (e.g., C&C servers and URLs ) are recovered by XOR decryption.

After creating the mutex, remap the .text segments of multiple system DLLs, set up multiple scheduled tasks that are triggered only once (at a fixed moment on the next day) to point to "%LocalAppdata%\\TREATE.exe" and copy themselves as "%LocalAppdata%\\TREATE.exe".

The communication data between the sample and the C2 server is placed in a custom field ("xfz") in the first part of the POST request, and the data is a Base64-encoded JSON string, with some of the characters replaced after Base64 encoding.

The JSON string sent by the sample to the C2 server "/gxL5EumWANH46T3tjskyFB/pencil.php" contains two fixed parts: "jhon" (the Machine GUID of the infected device) and "sweep" (the string "0.0.0.1" in the configuration data of the sample, which may be the version number).

Sending a request to "/gxL5EumWANH46T3tjskyFB/pencil.php" serves two purposes: (1) whether or not to collect information about the device, and (2) to obtain information about subsequent component packages.


Collecting equipment information

According to the response of the first request to the C2 server "/gxL5EumWANH46T3tjskyFB/pencil.php", the sample determines whether it is necessary to collect the information of the device and send it back, and if the response is "1", then it will perform the operation of collecting the information, or else it will skip this step.

To gather information first, use curl to send fake traffic to api.github.com.

The collected information is added as a cargo field in a JSON string.

The various types of information collected are listed below:

- -
Field name Save data
spaceship hostname (of a networked computer)
lockmode user ID
tune Operating system version
trunk String in the sample configuration data ("ZXF")
spool Information on installed antivirus software

Download follow-up components

After that the sample enters a looping process of getting subsequent components. Each loop first sends pseudo-traffic to api.github.com and then requests the C2 server "/gxL5EumWANH46T3tjskyFB/pencil.php". If the response is "0", or the response data length is not greater than 5, then it just hibernates and waits for the next loop.

When the response data meets the requirements, the sample extracts information about the zip package from it for downloading subsequent components. The fields from which information is extracted in the response data are the following three:

- -
Field name Clarification
anon Not used in the code
hand Name of the downloaded zip (string)
shake Password (string) for decrypting zip archives

The sample splices the contents of the hand field after "/gxL5EumWANH46T3tjskyFB/download.php?mname= " and makes a request to the C2 server to download the ZIP archive containing the subsequent components.

The downloaded ZIP archive is temporarily stored in the %LocalAppdata% directory, release the exe into the COMMON_DOCUMENTS directory (i.e., "C:\\Users\\Public\\Documents"), and then call CreateProcessW to execute it.


Traceability

The Spyder samples found in this discovery have not changed much in terms of code and functionality from the Spyder downloader[2] previously used by Patchwork:

(1) Have the same configuration data structure;

(2) Initiating access to the same api.github.com link, thus spoofing network communication traffic;

(3) Both remap the .text segments of multiple system DLLs, set multiple scheduled tasks that are triggered only once, and communicate with the C&C server in almost the same way.

The biggest change to the Spyder downloader compared to last year's sample is reflected in the fact that the key strings are encrypted with a XOR encryption and are no longer stored in plaintext in the code.

The digital signature used in the Patchwork Spyder sample (MD5: 2f1c58c7214471c28283b9e161ceed1c) also appears in the Donot's attack sample (MD5: 893561ff6d17f1e95897b894dde29a2a), although the signature is much older, at‎ 2025 January 28, 2025 10:19:27 UTC.

The Donot's PPT macro sample (MD5: e39413d9a67acbc5df2d8b8c0a170f4b) for downloading the subsequent DLL from couldmailauth.com was created on 2025-02-13 15:42:47 UTC, which is also similar to the compile time of the Spyder sample utilizing this domain (2025-02 -15 00:23:23 UTC). The above information suggests that there is some level of sharing between the Patchwork and Donot at the resource level, or that the two are collaborating on the same attack campaign.


Summary

Multiple APT groups in South Asia have some connections with each other, and the attack samples found attributed to the Donot and Patchwork groups used the same digital signatures and network infrastructure, which may be due to the existence of the same resource providers behind the two groups, or the fact that the two groups are operating in unison under the coordination of a higher-level group.


Protection recommendations

Qi'anxin Threat Intelligence Center reminds users to beware of phishing attacks, do not open links from unknown sources shared on social media, do not click on email attachments from unknown sources, do not run unknown files with exaggerated titles, and do not install apps from unofficial sources. do timely backup of important files and update and install patches.

If you need to run and install applications of unknown origin, you can first use the Qi'anxin Threat Intelligence File Depth Analysis Platform (https://sandbox.ti.qianxin.com/sandbox/page) to make a judgment. Currently, it supports in-depth analysis of files in various formats, including Windows and Android platforms.

Currently, the full line of products based on the threat intelligence data from the Qi'anxin Threat Intelligence Center, including the Qi'anxin Threat Intelligence Platform (TIP), SkyRock, SkyEye Advanced Threat Detection System, Qi'anxin NGSOC, and Qi'anxin Situational Awareness, already support the accurate detection of such attacks.


IOC

MD5

(Donot)

e39413d9a67acbc5df2d8b8c0a170f4b

8157be7acc05f719dc125d677133ca40

(Patchwork)

c13dfd03cbdd66c0d6d53eb55ba9d551

2f1c58c7214471c28283b9e161ceed1c

f8e30dad9130bbc04164dda4f31a1b23

4dfbc90129c9700bab397a59e0640648

6cf72a23f23f2f35106ed9db63df3474

C&C

couldmailauth.com (Donot, Patchwork)

viperdenx.info (Donot)

apps-house.com (Patchwork)

URL

(Donot)

hxxps://viperdenx.info/2025/filezz/uploadz/ltr-2024055.ppt

hxxp://couldmailauth.com/zhq93e8hsj93793892378hhxhb/Reghjok_64.dll

(Patchwork)

hxxp://couldmailauth.com/gxL5EumWANH46T3tjskyFB/pencil.php

hxxp://couldmailauth.com/gxL5EumWANH46T3tjskyFB/download.php?mname=

hxxp://apps-house.com/gandalf/cane.php

hxxp://apps-house.com/gandalf/download.php?mname=


Reference links

[1]. https://ti.qianxin.com/blog/articles/analysis-of-the-attack-activity-of-the-apt-q-38-using-pdf-document-decoys-cn/

[2]. https://ti.qianxin.com/blog/articles/analysis-of-new-variants-and-components-of-patchwork-spyder-downloader-cn/

APT SOUTH ASIA PATCHWORK DONOT