Patchwork APT Targets Chinese Scientific Research in Renewed Campaign

A new wave of cyberattacks targeting Chinese scientific organizations has been identified by cybersecurity researchers at Hunting Shadow Lab. The campaign, attributed to the Patchwork APT group (also known as Hangover and Dropping Elephant), leverages sophisticated malware and evasive techniques to compromise workstations and exfiltrate sensitive data.

Patchwork, believed to be operating with support from Indian authorities, has a long history of cyber espionage activity dating back to 2009. While their previous campaigns have focused on government agencies and scientific institutions across Asia, this latest operation demonstrates a refined methodology and a continued interest in acquiring intellectual property related to scientific research.

The attack chain commences with a spear-phishing email containing a malicious LNK file disguised as a document relevant to ongoing Chinese research projects. Upon execution, the LNK file initiates a multi-stage malware delivery process. To avoid raising suspicion, a benign PDF document is displayed while malicious EXE and DLL files are discreetly downloaded and executed in the background.

A bait document | Source: Hunting Shadow Lab

The primary payload delivered in this campaign is the BadNews malware, a sophisticated backdoor designed for stealth and persistence. To evade detection, the malware employs multiple layers of obfuscation, including encryption and the use of previously observed digital certificates. Once active, BadNews establishes a secure communication channel with a command-and-control (C2) server, enabling the attackers to exfiltrate sensitive data and issue further commands.

Adding to the complexity of this campaign is the use of counterfeit domains mimicking legitimate websites. Researchers identified fraudulent versions of websites belonging to Pakistan International Airlines, Zong (a Pakistani telecommunications provider), Global News, and Scandinavian Airlines. These domains were used to host additional malware and facilitate data exfiltration, leveraging the trust associated with these established entities.

It is imperative for organizations to proactively update their security frameworks, integrate current Indicators of Compromise (IoCs), and leverage advanced threat analysis tools. Additionally, utilizing cloud-based services for analyzing suspicious files can significantly enhance defenses against such attacks.

Related Posts:

• Palo Alto Networks: Patchwork hacker group is targeting the Indian Subcontinent
• Volexity: Indian APT hacker organization Patchwork target US think tanks
• Patchwork Group Expands Cyber Espionage with Advanced Tools
• Advanced Cyberattacks: Patchwork APT’s Nexe Backdoor Campaign Exposed
• The Hidden Threat: Android Apps with VajraSpy RAT Exposed