Rewterz Threat Advisory – PatchWork APT Group Targeting (NCOC) – Active IOCs

Severity

High

Analysis Summary

PatchWork, (also known as Mahabusa, White Elephant, hangOver, VICEROY TIGER, and The Dropping Elephant) is an APT that mainly conducts cyber-espionage activities against Asian countries especially against China and Pakistan. The threat actors are now targeting National Command and Operation Center (NCOC) with a maldoc named “DEPT_NCOC.xlsm” which seemingly is distributed to update the employee COVID Vaccination database. 

Impact

• Information Theft and Espionage

Indicators of Compromise

Filename

• Briefing on Ongoing Projects[.]docx
• payload_1[.]bin

MD5

• 466fb005506e1dc15118a6768b2c7e5a
• 021067f645525cb5caecf04670a63485

SHA-256

• eeeb99f94029fd366dcde7da2a75a849833c5f5932d8f1412a89ca15b9e9ebb7
• c2809dcc935ed3c7923f1da67d1c5dddc4ece2353a4c0eab8c511a14fa7e04c1

SHA-1

• 34fdaf8593013d0f4569439f7891017703f0c294
• d5bb4d8ef1ec8fdd78f58029c28c580f9a3fcbf8

URL

• https[:]//dgmp-paknavy[.]mod-pk[.]com/14325/1/10/2/0/0/0/m/files-5291bef6/file[.]rtf

Remediation

• Block all threat indicators at your respective controls.
• Search for IOCs in your environment.