Patchwork Cyberspies Update the Badnews Backdoor
13.3.2018 securityweek  CyberSpy 
Virus

Recent infection campaigns conducted by the Patchwork cyberespionage group have revealed the use of an EPS exploit and an updated backdoor, Palo Alto Networks reports.

Believed to have been active since 2014, Patchwork, also known as Dropping Elephant or Chinastrats, is said to be operating out of the Indian subcontinent. The group was initially observed targeting government-associated organizations connected to Southeast Asia and the South China Sea, but it recently expanded the target list to include multiple industries.

In an extensive December 2017 report, Trend Micro revealed that the actor had adopted new exploit techniques and that it also added businesses to its list of targets.

Patchwork campaigns Palo Alto Networks has observed over the past few months have been targeting entities in the Indian subcontinent and revealed the use of legitimate but malicious documents to deliver an updated BADNEWS payload.

The malware, which has been updated since the last public report in December 2017, provides attackers with full control over the victim machine and is known to abuse legitimate third-party websites for command and control (C&C). The new version shows changes in the manner the C&C server information is fetched, as well as modifications to its communication routine.

The campaigns featured malicious documents with embedded EPS files targeting two vulnerabilities in Microsoft Office, namely CVE-2015-2545 and CVE-2017-0261. As lures, the attackers used documents of interest to Pakistani nuclear organizations and the Pakistani military.

When executed, shellcode embedded within the malicious EPS drops three files: VMwareCplLauncher.exe (a legitimate, signed VMware executable to deliver the payload), vmtools.dll (a modified DLL to ensure persistence and load the malware), and MSBuild.exe (which is the BADNEWS backdoor itself).

VMwareCplLauncher.exe is executed first, to load the vmtools.dll DLL, which in turn creates a scheduled task to attempt to run the malicious, spoofed MSBuild.exe every subsequent minute.

Once up and running on the infected machine, the backdoor communicates with the C&C over HTTP and allows attackers to download and execute files, upload documents of interest, and take screenshots of the desktop.

The recently observed variation of the backdoor sets a new mutex to ensure only one instance of the backdoor is running, and also uses different filenames from the previous versions. The manner in which the C&C information stored via dead drop resolvers is obfuscated has been changed as well, the security researchers say.

Although it performs many of the functions associated with previous versions, the new variant no longer searches USB drives for files that might be of interest. When preparing C&C communication, the malware aggregates victim information and appends it to two strings.

The C&C communication has been updated as well, now offering support for commands such as kill (the backdoor); upload a file containing the list of interesting files and spawn a new instance of Badnews; upload a specified file; upload a file containing the list of collected keystrokes; copy a file to a .tmp and send it to the C&C; take a screenshot and send it to the C&C; and download a file and execute it.

“The Patchwork group continues to plague victims located within the Indian subcontinent. Through the use of relatively new exploits, as well as a constantly evolving malware toolset, they aim to compromise prominent organizations and individuals to further their goals. Recent activity has shown a number of lures related to the Pakistan Army, the Pakistan Atomic Energy Commission, as well as the Ministry of the Interior,” Palo Alto concludes.