

Rewterz Threat Advisory – Cisco Data Center Network Manager Cross-Site Scripting Vulnerabilities
July 16, 2020
Rewterz Threat Alert – CVE-2020-3370 – Cisco Content Security Management Appliance Filter Bypass Vulnerability
July 16, 2020
Severity
High
Analysis Summary
The “Moxa” APT group (APT-C-09), also known as HangOver, VICEROY TIGER, The Dropping Elephant and Patchwork, is an APT organization based in South Asia that has been active for more than 8 years. Recent targeted attack samples used by the group against neighboring countries and regions were captured. Among them, the group used a variety of methods: a CVE-2017-0261 exploit document disguised as a network security protocol of a South Asian country, a malicious-macro sample disguised as an outbreak prevention guide, and executable files disguised as a Java runtime environment posted on a securities trading website in Pakistan. The group combined such malicious samples with current-affairs topics to launch multiple attacks on neighboring countries and regions.


The sample is an EPS exploit file. Once the victim opens the document and enables content, the EPS script filter fltldr.exe renders the malicious EPS script and executes the embedded malicious code.
Impact
- Credential theft
- Exposure of sensitive data
Indicators of Compromise
Filename
- National_Network_Security[.]docx
- Covid19_Guidelines[.]doc
MD5
- 23eafb7dc1130641cf816d11dc7bce10
- 16c01b13998e96f27bd9e3aa795da875
- f85a94ef1e9c0dca48dbecb5c8399e07
- 809ff867d2cfe803ef4ae4102283b45c
- 4c79583d189207ec9f138204fbb63810
SHA-256
- 2ba13a3e540229677456d1e320f682bed8e6733bf6547b89a496b8d020eea698
- dfe18346db405af2484064e80b5c0124bc80ca84d39b90e1aa5d5592c479a904
- 21ee9bb5f2444fdf72d55109b7f823d5a5cd43d60aa1fb653764e2e5d20f2080
SHA-1
- 0aa66138590ab69ac68711a6a50a56da537a3646
- 734807ef7b402219ab1badb5d5c1804639a465f9
- 3956b3ab9d278a9662085fd5b55095849979ce11
Remediation
- Block all threat indicators at your respective controls.
- Search for IOCs in your environment.
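The following script, added here as an illustration and not part of the Rewterz advisory, puts the "Search for IOCs in your environment" step into practice: it carries the filename and hash indicators listed above, refangs the defanged `[.]` filenames, and checks files on disk (or attachment bytes already in memory) against them. Only the Python standard library is used; the function and variable names are the author's own choices, and the sample inputs in the self-test are constructed.

```python
import hashlib
from pathlib import Path
from typing import Dict, Iterable, List, Set, Tuple

# Indicators copied from the advisory above. Filenames are kept in their
# defanged form ("[.]") and refanged before comparison.
ADVISORY_IOCS: Dict[str, Set[str]] = {
    "filename": {"National_Network_Security[.]docx", "Covid19_Guidelines[.]doc"},
    "md5": {
        "23eafb7dc1130641cf816d11dc7bce10",
        "16c01b13998e96f27bd9e3aa795da875",
        "f85a94ef1e9c0dca48dbecb5c8399e07",
        "809ff867d2cfe803ef4ae4102283b45c",
        "4c79583d189207ec9f138204fbb63810",
    },
    "sha256": {
        "2ba13a3e540229677456d1e320f682bed8e6733bf6547b89a496b8d020eea698",
        "dfe18346db405af2484064e80b5c0124bc80ca84d39b90e1aa5d5592c479a904",
        "21ee9bb5f2444fdf72d55109b7f823d5a5cd43d60aa1fb653764e2e5d20f2080",
    },
    "sha1": {
        "0aa66138590ab69ac68711a6a50a56da537a3646",
        "734807ef7b402219ab1badb5d5c1804639a465f9",
        "3956b3ab9d278a9662085fd5b55095849979ce11",
    },
}

HASH_ALGOS = ("md5", "sha1", "sha256")


def refang(name: str) -> str:
    """Turn a defanged indicator such as 'report[.]doc' back into 'report.doc'."""
    return name.replace("[.]", ".").lower()


def normalise_iocs(iocs: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Lower-case hashes and refang filenames so comparisons are exact."""
    norm = {"filename": {refang(n) for n in iocs.get("filename", ())}}
    for algo in HASH_ALGOS:
        norm[algo] = {h.lower() for h in iocs.get(algo, ())}
    return norm


def hash_bytes(data: bytes) -> Dict[str, str]:
    """MD5, SHA-1 and SHA-256 hex digests of an in-memory blob."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in HASH_ALGOS}


def hash_file(path: Path) -> Dict[str, str]:
    """Same three digests, computed in a single streaming pass over a file."""
    digests = {algo: hashlib.new(algo) for algo in HASH_ALGOS}
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for d in digests.values():
                d.update(chunk)
    return {algo: d.hexdigest() for algo, d in digests.items()}


def match_indicators(name: str, digests: Dict[str, str],
                     iocs: Dict[str, Set[str]] = ADVISORY_IOCS) -> List[Tuple[str, str]]:
    """Return (indicator_type, indicator) for every indicator the object matches."""
    norm = normalise_iocs(iocs)
    hits: List[Tuple[str, str]] = []
    if name.lower() in norm["filename"]:
        hits.append(("filename", name))
    for algo in HASH_ALGOS:
        if digests[algo] in norm[algo]:
            hits.append((algo, digests[algo]))
    return hits


def scan_bytes(name: str, data: bytes,
               iocs: Dict[str, Set[str]] = ADVISORY_IOCS) -> List[Tuple[str, str]]:
    """Check an attachment or download that is already in memory."""
    return match_indicators(name, hash_bytes(data), iocs)


def scan_paths(paths: Iterable[Path],
               iocs: Dict[str, Set[str]] = ADVISORY_IOCS) -> List[Tuple[str, str, str]]:
    """Check files on disk; returns (path, indicator_type, indicator) per hit."""
    results: List[Tuple[str, str, str]] = []
    for path in map(Path, paths):
        if not path.is_file():
            continue
        for kind, value in match_indicators(path.name, hash_file(path), iocs):
            results.append((str(path), kind, value))
    return results


if __name__ == "__main__":
    import sys

    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for hit in scan_paths(Path(root).rglob("*")):
        print(f"{hit[0]}: {hit[1]} indicator {hit[2]}")
```

Run it with a directory to walk (`python scan_iocs.py /path/to/user/downloads`); a filename match alone is a weak signal, so treat it as a cue to pull the file for hash comparison and sandbox analysis, while a hash match is a confirmed indicator. `scan_bytes` exists so the same indicator set can be applied to mail attachments or proxy downloads before they ever touch disk.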