

Rewterz Threat Alert – GuLoader Malspam Campaign – Active IOCs
August 19, 2022
Rewterz Threat Alert – IcedID banking Trojan – Active IOCs
August 19, 2022
Severity
High
Analysis Summary
The Indian threat actor Patchwork has been active since December 2015 and frequently uses spear phishing against targets in Pakistan. Patchwork (also known as Mahabusa, White Elephant, hangOver, VICEROY TIGER and The Dropping Elephant) is an APT that mainly conducts cyber-espionage against its targets with the aim of stealing sensitive information. In early July 2020, the Microstep Intelligence Bureau observed a targeted attack that used the topical “New Coronary Pneumonia” event as a lure.
In its most recent campaign, which ran from late November to early December 2021, Patchwork dropped a variant of the BADNEWS (Ragnatela) Remote Administration Trojan (RAT) using malicious RTF files.
This APT group uses virtual machines and VPNs to build and deliver its tooling and to monitor its targets. Patchwork is less sophisticated than Russian and North Korean APTs and than certain other East Asian groups. In its most recent phishing campaign, the group targeted the Government of Pakistan's Ministry of Defence; the lure document is named Ltr MoDP_office order.docx.
Impact
- Information Theft
- Unauthorized Remote Access
Indicators of Compromise
MD5
- ccf66fd0fc09ba0ea0d43d3e2f62f5fd
SHA-256
- d732bc4f7bd2951cedef03a3a3235cce4f33602c858e0c5caceeb98f5bf1a4bf
SHA-1
- 67f6fe50e23f69f7af59acbd0a4ee8ed0c97f606
URL
- http[:]//office-fonts[.]herokuapp[.]com/en-us/Scan03[.]pdf
Remediation
- Block all threat indicators at your respective controls.
- Search for IOCs in your environment.
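To act on the two remediation steps above, here is an added example (Python; not part of the Rewterz alert) that refangs the published URL so it can be matched against raw logs, computes MD5/SHA-1/SHA-256 digests of files and checks them against the alert's hashes, and scans proxy log lines for the indicator URL or its hostname. The hash and URL values are taken from the alert as published; the proxy log lines are constructed for illustration.

```python
import hashlib
import re

# Indicators copied from the alert above (URL kept defanged as published).
IOC_HASHES = {
    "md5": {"ccf66fd0fc09ba0ea0d43d3e2f62f5fd"},
    "sha1": {"67f6fe50e23f69f7af59acbd0a4ee8ed0c97f606"},
    "sha256": {"d732bc4f7bd2951cedef03a3a3235cce4f33602c858e0c5caceeb98f5bf1a4bf"},
}
IOC_URLS_DEFANGED = ["http[:]//office-fonts[.]herokuapp[.]com/en-us/Scan03[.]pdf"]

URL_RE = re.compile(r"https?://[^\s\"']+")


def refang(indicator):
    """Undo common defanging ([.] [:] hxxp) so the indicator matches raw log text."""
    s = indicator.replace("[.]", ".").replace("[:]", ":").replace("(.)", ".")
    return re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)


def host_of(url):
    """Return the lower-cased hostname part of a URL (no scheme, path or port)."""
    return re.sub(r"^https?://", "", url).split("/")[0].split(":")[0].lower()


def digest_bytes(data):
    """MD5, SHA-1 and SHA-256 of an in-memory buffer, as lower-case hex."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def digest_file(path, chunk_size=1 << 20):
    """Same three digests for a file on disk, streamed so large files are not loaded whole."""
    hashers = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def match_hashes(hashes, iocs=IOC_HASHES):
    """Return the algorithms under which the given digests hit a known IOC (case-insensitive)."""
    return [algo for algo, value in hashes.items() if value.lower() in iocs.get(algo, set())]


def scan_proxy_log(lines, iocs=IOC_URLS_DEFANGED):
    """Return (line_no, url, host) for every URL in the log that is either the
    exact indicator URL or is served from the indicator's hostname."""
    refanged = {refang(u) for u in iocs}
    hosts = {host_of(u) for u in refanged}
    hits = []
    for n, line in enumerate(lines, 1):
        for url in URL_RE.findall(line):
            host = host_of(url)
            if url in refanged or host in hosts:
                hits.append((n, url, host))
    return hits


# Constructed sample proxy log lines (not from the alert): one exact URL hit,
# one benign request, and one different path on the same indicator host.
SAMPLE_PROXY_LOG = [
    '2022-08-19T10:02:11Z 10.0.0.12 GET "http://office-fonts.herokuapp.com/en-us/Scan03.pdf" 200',
    '2022-08-19T10:02:15Z 10.0.0.12 GET "https://www.example.com/index.html" 200',
    '2022-08-19T10:03:40Z 10.0.0.31 GET "http://office-fonts.herokuapp.com/en-us/other.pdf" 404',
]

if __name__ == "__main__":
    for line_no, url, host in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"line {line_no}: {url} (host {host}) matches Patchwork IOC")
    # Point digest_file at a suspect document, e.g. digest_file("Ltr MoDP_office order.docx"),
    # and pass the result to match_hashes to check it against the alert's digests.
```

Matching on the hostname as well as the exact URL is deliberate: the alert publishes one path, but a block or hunt keyed only on that path would miss other files staged on the same host.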