Severity
High
Analysis Summary
PatchWork (also known as Mahabusa and White Elephant) is an Indian APT group that has been active in cyberspace since 2015. The group came to light in 2017, when several cybersecurity researchers documented its modus operandi and malicious operations. Recently, this APT group has been actively targeting Chinese and Pakistani state institutions for data exfiltration.
PatchWork primarily targets the Asian region. It mainly relies on spear-phishing emails, whaling, social engineering and masquerading techniques, such as crafted malicious emails, fake rating websites that appear legitimate in order to gain users' trust, and social media (SM) links that lead to malicious mobile apps, to carry out cyberattacks on countries in the region including Pakistan and China.
Malware it has used frequently includes Android RAT, Bad News RAT, and a file-stealer malware called Delphi. An APT group may frequently change its tactics, techniques and procedures (TTPs); however, phishing emails remain the initial entry point for its malicious activity. Preventive measures are therefore recommended.
Overall, PatchWork is a sophisticated and persistent threat actor that poses a significant risk to targeted organizations. It is essential for organizations to have robust security measures in place to protect against these types of attacks, including regular software updates and employee awareness training.
Impact
- Information Theft
- Unauthorized Remote Access
Indicators of Compromise
Domain Name
- Filepiece.com
- Techwatch.com
- Bingoplant.live
Remediation
- Block all threat indicators at your respective controls.
- Search for the indicators of compromise (IOCs) in your environment using your respective security controls.
- Never share personal details and credentials with unauthorized or suspicious users, websites, applications, etc.
- Do not follow web links in emails, to avoid social engineering and phishing attacks. Train users to recognize and report phishing attempts.
- Use multi-factor authentication (MFA) or two-factor authentication wherever possible.
- Use reputable, licensed business email gateways and anti-phishing and anti-spam solutions.
- Always scan every document with the mail server's built-in anti-virus before downloading or opening it.
- Keep endpoint protection systems updated, and keep Windows Defender active at all times so that malware execution is hindered.
- Use separate, complex passwords for each system, mobile device, social media account, financial account and email account.
- Disable execution of PowerShell and the command line for normal users through access control and Active Directory.
- Disable automatic execution of VBScript; .docx/.docm files should never be clicked or opened.
- Disable macros in documents such as MS Excel, MS PowerPoint and MS Word files.
- Monitor networks, including file hashes, file locations, logins and unsuccessful login attempts.
- Restrict incoming traffic and users' permissions to the maximum extent by implementing system hardening at the OS, BIOS and application levels.
- Always re-verify a trusted user who has sent an email or attachment via secondary means (call, SMS, verbal) before downloading it.
- Never keep critical data on online systems; store it on standalone systems.
- Always create a backup of critical data and store it on external drives or standalone systems.
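As an added illustration of the "search for IOCs" and "monitor networks" items above, the following Python script (not part of the Rewterz advisory) matches DNS-query and web-proxy log lines against the three domain indicators listed in this advisory. The log format and the sample lines are constructed for the example; matching is label-aware, so subdomains of an IOC are flagged while look-alike names such as `notfilepiece.com` are not.

```python
"""Match DNS/proxy log lines against the domain IOCs in this advisory."""
import re
from urllib.parse import urlsplit

# Domain indicators taken from the advisory, lower-cased for case-insensitive matching.
IOC_DOMAINS = {"filepiece.com", "techwatch.com", "bingoplant.live"}

# Constructed sample log lines (not real telemetry); the key=value layout is an assumption.
SAMPLE_LOGS = [
    "2023-10-19T08:01:02Z dns client=10.0.5.23 query=update.bingoplant.live type=A",
    "2023-10-19T08:01:05Z proxy client=10.0.5.23 url=https://Techwatch.com/docs/report.docx status=200",
    "2023-10-19T08:02:10Z proxy client=10.0.7.9 url=https://example.org/ status=200",
    "2023-10-19T08:03:44Z dns client=10.0.5.23 query=notfilepiece.com type=A",
]


def registrable_match(host, iocs):
    """Return the IOC that `host` equals or is a subdomain of, else None.
    The check is label-aware: 'notfilepiece.com' must not match 'filepiece.com'."""
    host = host.lower().rstrip(".")
    for ioc in iocs:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def extract_host(line):
    """Pull the queried name from a DNS line or the URL host from a proxy line."""
    m = re.search(r"\bquery=(\S+)", line)
    if m:
        return m.group(1)
    m = re.search(r"\burl=(\S+)", line)
    if m:
        return urlsplit(m.group(1)).hostname  # hostname is already lower-cased
    return None


def find_ioc_hits(lines, iocs=IOC_DOMAINS):
    """Return (client, host, matched_ioc) tuples for every line touching an IOC domain."""
    hits = []
    for line in lines:
        host = extract_host(line)
        if not host:
            continue
        ioc = registrable_match(host, iocs)
        if ioc:
            client = re.search(r"\bclient=(\S+)", line)
            hits.append((client.group(1) if client else None, host.lower(), ioc))
    return hits


if __name__ == "__main__":
    for client, host, ioc in find_ioc_hits(SAMPLE_LOGS):
        print(f"ALERT client={client} contacted {host} (matches IOC {ioc})")
```

Feed real proxy or DNS logs through `find_ioc_hits` after adapting `extract_host` to their field names; each hit identifies the internal client to pivot on for host-level investigation.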