Rewterz Threat Alert – PatchWork APT Group Targeting Pakistan – Active IOCs

Severity

High

Analysis Summary

Indian threat actor Patchwork has been active since December 2015 and frequently uses spear phishing to strike Pakistan. PatchWork, (also known as Mahabusa, White Elephant, hangOver, VICEROY TIGER, The Dropping Elephant) is an APT that mainly conducts cyber-espionage activities against its targets. The group aims to steal sensitive information. In early July 2020, the Microstep Intelligence Bureau monitored a targeted attack with the help of the “New Coronary Pneumonia” hot event. 
In its most recent campaign, which ran from late November to early December 2021, Patchwork dropped a variation of the BADNEWS (Ragnatela) Remote Administration Trojan using malicious RTF files (RAT).

This APT group uses virtual computers and VPNs to create, distribute, and monitor their targets. Patchwork is less advanced than its Russian and North Korean rivals, along with certain other East Asian APTs. This APT has targeted the Government of Pakistan, and the Ministry of defense in its most recent phishing campaign with a maldoc named “AML-CFT.doc” with Drops and side-loading file McVsoCfg.dll

The recent campaign involves the word file “help Pakistan’ named List of IBANs & Details.docx

Impact

• Information Theft
• Unauthorized Remote Access

Indicators of Compromise

MD5

• 9d3993fedf4ce4d25a8e7bf2a3a7d903

SHA-256

• 449b4cee4b9df09777891a70248e000e3bb13f33d579603f69e444d4d175d022

SHA-1

• ec8b9d3057df87564ebe15c75523c995dfa3e453

URL

http[:]//en-us-office[.]herokuapp[.]com/updates/

Remediation

• Block all threat indicators at your respective controls.
• Search for IOCs in your environment.