• Services
    • Assess
      • Compromise Assessment
      • APT Assessment
      • Penetration Testing
      • Secure Architecture Design & Review
      • Red Team Assessment
      • Purple Team Assessment
      • Social Engineering
      • Source Code Review
    • Transform
      • SOC Consultancy
      •     SOC Maturity Assessment
      •     SOC Model Evaluation
      •     SOC Gap Analysis
      •     SIEM Gap Analysis
      •     SIEM Optimization
      •     SOC Content Pack
    • Train
      • Security Awareness and Training
      • Tabletop Exercise
      • Simulated Cyber Attack Exercises
    • Respond
      • Incident Response
      • Incident Analysis
  • Managed Security
    • Managed Security Monitoring
      • Remote SOC
      • Onsite SOC
      • Hybrid SOC
    • Managed Security Services
      • Managed Detection and Response
      • Managed Endpoint Detection and Response
      • Managed Threat Intelligence
      • Managed Threat Hunting
      • Managed Risk-Based SOAR
      • Managed Penetration Testing
  • Solutions
  • Resources
    • Blog
    • Press Release
    • Threat Advisory
  • Company
    • About Us
    • Careers
    • Contact
Rewterz Threat Advisory – CVE-2022-30190: Follina Vulnerability (MSDT) – Active IOCs
September 2, 2022
Rewterz Threat Advisory – CVE-2022-37435 – Apache ShenYu Vulnerability
September 2, 2022

Rewterz Threat Alert – PatchWork APT Group Targeting Pakistan – Active IOCs

September 2, 2022

Severity

High

Analysis Summary

Indian threat actor Patchwork has been active since December 2015 and frequently uses spear phishing to strike Pakistan. PatchWork, (also known as Mahabusa, White Elephant, hangOver, VICEROY TIGER, The Dropping Elephant) is an APT that mainly conducts cyber-espionage activities against its targets. The group aims to steal sensitive information. In early July 2020, the Microstep Intelligence Bureau monitored a targeted attack with the help of the “New Coronary Pneumonia” hot event. 
In its most recent campaign, which ran from late November to early December 2021, Patchwork dropped a variation of the BADNEWS (Ragnatela) Remote Administration Trojan using malicious RTF files (RAT).

This APT group uses virtual computers and VPNs to create, distribute, and monitor their targets. Patchwork is less advanced than its Russian and North Korean rivals, along with certain other East Asian APTs. This APT has targeted the Government of Pakistan, and the Ministry of defense in its most recent phishing campaign with a maldoc named “AML-CFT.doc” with Drops and side-loading file McVsoCfg.dll

Impact

  • Information Theft
  • Unauthorized Remote Access

Indicators of Compromise

IP

192[.]227[.]174[.]165

MD5

  • 43e2a8601a4f70897d73353c4908f224
  • 53dd49f39b0f8d41756edc2787473b67

SHA-256

  • c795a13148b13b6c293c11099fbe06aed8b478e1713d5c3c849fa7acabc215cc
  • 9268c46f5ed8b2f00cf3ef4d14e5bc327907b776a97b466a52bc9fbfea002e5b

SHA-1

  • f13aeba7926d6c29485509f7dac24a7fd623c2d4
  • 2819e448e9a95bba18a4285f7cd408b49bd56c26

Remediation

  • Block all threat indicators at your respective controls.
  • Search for IOCs in your environment.
  • Services
    • Assess
      • Compromise Assessment
      • APT Assessment
      • Penetration Testing
      • Secure Architecture Design & Review
      • Red Team Assessment
      • Purple Team Assessment
      • Social Engineering
      • Source Code Review
    • Respond
      • Incident Response
      • Incident Analysis
  • Transform
    • SOC Consultancy
    •     SOC Maturity Assessment
    •     SOC Model Evaluation
    •     SOC Gap Analysis
    •     SIEM Gap Analysis
    •     SIEM Optimization
    •     SOC Content Pack
  • Train
    • Security Awareness and Training
    • Tabletop Exercise
    • Simulated Cyber Attack Exercises
  • Managed Security
    • Managed Security Monitoring
      • Remote SOC
      • Onsite SOC
      • Hybrid SOC
    • Managed Security Services
      • Managed Detection and Response
      • Managed Endpoint Detection and Response
      • Managed Threat Intelligence
      • Managed Threat Hunting
      • Managed Risk-Based SOAR
      • Managed Penetration Testing
  • Solutions
  • Resources
    • Blog
    • Threat Advisory
  • Company
    • About Us
    • Careers
    • Contact
COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.