Severity
High
Analysis Summary
PatchWork, (also known as Mahabusa, White Elephant, hangOver, VICEROY TIGER, and The Dropping Elephant) is an APT that mainly conducts cyber-espionage activities against Asian countries such as China and Pakistan. This attack used new and targeted techniques to deliver spear mail. Finally, the commercial Bozok remote control Trojan was loaded through the fileless loading technology to monitor the theft. Bozok RAT is a lightweight but feature-rich remote control Trojan. The client supports multiple regional languages. This Trojan has been used by many APT organizations in targeted attacks against finance and government in history. It is worth noting that in the disclosed historical attack activity of the Indian background APT organization, this attack activity is the first time they have used the Bozok Trojan.
Impact
- Unauthorized Access and espionage
Indicators of Compromise
MD5
- 2c171622a19a378ea51d08748c70eb59
SHA-256
- c1923226d58186c7e0735e058be80022a57e7e819e1e41b4c6e03065252be11f
SHA-1
- 285a0dab9a7ca13a8390682f7f36b99b86405fc2
Remediation
- Block the threat indicators at their respective controls.
- Do not download files attached in untrusted emails.
- Do not enable macros for untrusted files.