Rewterz Threat Alert – PatchWork APT Group Targeting Pakistan – Active IOCs

Severity

High

Analysis Summary

PatchWork, (also known as Mahabusa, White Elephant, hangOver, VICEROY TIGER, and The Dropping Elephant) is an APT that mainly conducts cyber-espionage activities against Asian countries especially against China and Pakistan. Threat actors are now targeting Federal Board of Revenue (FBR) in Pakistan in a series of spear phishing mails that looks like a document for Special relief package and dropping a backdoor when enabling the macros with a 17 year old MS Office Flaw (CVE-2017-11882) a memory corruption issue which can lead to remote code execution without user interaction if exploited correctly on a vulnerable machine. This vulnerability is generally used to deploy spyware to steal information from the victim’s machine for later gains and use against the victims.

Impact

• Information theft and espionage
• Remote code execution
• Exposure of sensitive data

Indicators of Compromise

Filename

• Special_Tax_Relief_Package[.]rtf_
• OneDrive[.]exe

MD5

• 847446bc1b6221de28dc78cef9d34623
• ae3efd0de76e7b82752f520a5778a9b1

SHA-256

• 50cb0313a049f5df3f0fe95dc588bf7dca6ef76a7d713fc4b07348e21134749e
• d6d71a98f72303737cdaa5b2bf670b96d08e2d47ac2670137202c3cb62ffcff1

SHA-1

• d7eb7f50d0cf1d91acb4ebf6e0d996d9547493f4
• f3e46d4f398e3554353198fd74036924f0ac7f6b

URL

• http[:]//gert[.]kozow[.]com/

Remediation

• Block all threat indicators at your respective controls.
• Always be suspicious about emails sent by unknown senders.
• Do not download files attached in untrusted emails.
• Do not enable macros for untrusted files.
• Never click on link/attachments sent by unknown senders.