Severity
High
Analysis Summary
PatchWork, (also known as Mahabusa, White Elephant, hangOver, VICEROY TIGER, and The Dropping Elephant) is an APT that mainly conducts cyber-espionage activities against Asian countries especially against China and Pakistan. Threat actors are now targeting Federal Board of Revenue (FBR) in Pakistan in a series of spear phishing mails that looks like a document for Special relief package and dropping a backdoor when enabling the macros with a 17 year old MS Office Flaw (CVE-2017-11882) a memory corruption issue which can lead to remote code execution without user interaction if exploited correctly on a vulnerable machine. This vulnerability is generally used to deploy spyware to steal information from the victim’s machine for later gains and use against the victims.
Impact
- Information theft and espionage
- Remote code execution
- Exposure of sensitive data
Indicators of Compromise
Filename
- Special_Tax_Relief_Package[.]rtf_
- OneDrive[.]exe
MD5
- 847446bc1b6221de28dc78cef9d34623
- ae3efd0de76e7b82752f520a5778a9b1
SHA-256
- 50cb0313a049f5df3f0fe95dc588bf7dca6ef76a7d713fc4b07348e21134749e
- d6d71a98f72303737cdaa5b2bf670b96d08e2d47ac2670137202c3cb62ffcff1
SHA-1
- d7eb7f50d0cf1d91acb4ebf6e0d996d9547493f4
- f3e46d4f398e3554353198fd74036924f0ac7f6b
URL
- http[:]//gert[.]kozow[.]com/
Remediation
- Block all threat indicators at your respective controls.
- Always be suspicious about emails sent by unknown senders.
- Do not download files attached in untrusted emails.
- Do not enable macros for untrusted files.
- Never click on link/attachments sent by unknown senders.