Rewterz Threat Alert – PatchWork APT Group Targeting Pakistan – Active IOCs

Severity

High

Analysis Summary

Indian threat actor Patchwork has been active since December 2015 and frequently uses spear phishing to strike Pakistan. PatchWork, (also known as Mahabusa, White Elephant, hangOver, VICEROY TIGER, The Dropping Elephant) is an APT that mainly conducts cyber-espionage activities against its targets. The group aims to steal sensitive information. In early July 2020, the Microstep Intelligence Bureau monitored a targeted attack with the help of the “New Coronary Pneumonia” hot event. 
In its most recent campaign, which ran from late November to early December 2021, Patchwork dropped a variation of the BADNEWS (Ragnatela) Remote Administration Trojan using malicious RTF files (RAT).
Virtual computers and VPNs are used by this APT group to create, distribute, and monitor their targets. Patchwork is less advanced than its Russian and North Korean rivals, along with certain other East Asian APTs. This APT has targeted the Government of Pakistan, the Ministry of defense in its most recent phishing campaign. The filename includes Ltr MoDP_office order.docx.

Image Source

Impact

• Information Theft
• Unauthorized Remote Access

Indicators of Compromise

MD5

• ccf66fd0fc09ba0ea0d43d3e2f62f5fd

SHA-256

• d732bc4f7bd2951cedef03a3a3235cce4f33602c858e0c5caceeb98f5bf1a4bf

SHA-1

• 67f6fe50e23f69f7af59acbd0a4ee8ed0c97f606

URL

http[:]//office-fonts[.]herokuapp[.]com/en-us/Scan03[.]pdf

Remediation

• Block all threat indicators at your respective controls.
• Search for IOCs in your environment.