Carding Forum
Patchwork attacks Bhutan.
Recently, the Knownsec 404 Advanced Threat Intelligence team identified suspicious activity by the Patchwork group targeting Bhutan. The attack used an updated backdoor in the Go language, known as PGoShell, as well as a new hacking tool — Brute Ratel C4. This event highlights the group's commitment to technological improvement.
Patchwork continues to develop its technologies and methods, which makes their attacks more complex and difficult to detect. This requires target organizations to strengthen cybersecurity measures and constantly monitor suspicious activity in their networks.
Source
Overview of Patchwork activities
Patchwork, also known as Dropping Elephant, has been active since 2014, targeting government, defense, and diplomatic organizations, as well as universities and research institutions in East and South Asia.
Nature of the attack
The attack started with the distribution of a trap file in the .lnk format called Large_Innovation_Project_for_Bhutan.pdf.lnk. This file looked like a PDF document, but when launched, it loaded and executed several malicious components. In particular, the following files were downloaded:
- The document is a trap for distracting the user's attention.
- The malicious library edputil.dll, posing as a legitimate file.
- The file Winver.exe, used for further distribution of malware.
Tools and methods
Brute Ratel C4
Brute Ratel C4 is a new tool used by attackers to manage file systems, scan ports, upload and download files, and capture screen images. During the attack, this tool was loaded into memory, which made it more difficult for security tools to detect it. Bypassing traditional protection mechanisms was achieved by using sophisticated methods of anti-virtualization and anti-debugging.
PGoShell
PGoShell, developed in the Go language, has been significantly improved. It now supports remote management, screen capture, and performing downloads. The tool collects information about the system, including the IP address, OS version, user name, and processor architecture, and then transmits this data to the attackers' server. All transmitted information is encrypted using the RC4 algorithm and encoded in base64.
Conclusions
This attack highlights the growing capabilities of the Patchwork group, which is actively updating its tools and methods. The use of Brute Ratel C4 and the improved PGoShell demonstrates the high level of training and equipment of the group.
Patchwork continues to develop its technologies and methods, which makes their attacks more complex and difficult to detect. This requires target organizations to strengthen cybersecurity measures and constantly monitor suspicious activity in their networks.
Source
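The lure described in the post is a Windows shortcut whose name ends in `.pdf.lnk`, so Explorer (with extension hiding on) shows it as a PDF. The following is an added example, not code from the post or from Knownsec: a small defender-side check that flags shortcuts carrying a document-like inner extension, including the padded-space variant where the real extension is pushed out of view. The list of document extensions and the sample directory listing are constructed for the example; only the lure file name comes from the post.

```python
import os
from typing import Iterable, List

# Inner extensions a disguised shortcut typically imitates (constructed list).
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx",
                       ".ppt", ".pptx", ".txt", ".rtf"}


def is_disguised_shortcut(filename: str) -> bool:
    """True when a .lnk file carries a document-like inner extension,
    e.g. 'report.pdf.lnk', the pattern used by the lure in the post."""
    name = os.path.basename(filename)
    root, ext = os.path.splitext(name)
    if ext.lower() != ".lnk":
        return False
    _, inner = os.path.splitext(root)
    # Strip padding spaces that some lures use to hide the real extension.
    return inner.strip().lower() in DOCUMENT_EXTENSIONS


def find_disguised_shortcuts(filenames: Iterable[str]) -> List[str]:
    """Filter a listing (e.g. from a mail gateway or EDR file event) down
    to the names that match the double-extension shortcut pattern."""
    return [f for f in filenames if is_disguised_shortcut(f)]


def scan_directory(root: str) -> List[str]:
    """Walk a directory tree and return paths of disguised shortcuts."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            path = os.path.join(dirpath, f)
            if is_disguised_shortcut(path):
                hits.append(path)
    return hits


# Constructed sample listing; only the first name is taken from the post.
SAMPLE_LISTING = [
    "Large_Innovation_Project_for_Bhutan.pdf.lnk",
    "Annual_Report.pdf",
    "Open_Project_Folder.lnk",
    "Budget 2024 .xlsx .lnk",
]

if __name__ == "__main__":
    for hit in find_disguised_shortcuts(SAMPLE_LISTING):
        print("suspicious shortcut:", hit)
```

`scan_directory` can be pointed at a download or attachment quarantine folder; `find_disguised_shortcuts` is the same check applied to names already collected from logs.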
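The post says PGoShell sends the collected host details to the server encrypted with RC4 and then base64-encoded. When such a sample is analysed and the key has been recovered from the binary, the analyst needs to unwrap captured traffic in exactly the reverse order. The following is an added example written for this post, not Knownsec's or the malware's code: a pure-Python RC4 plus a `decode_beacon` helper. The key, the JSON field layout and the sample values are placeholders constructed for the example; the report gives neither the real key nor the message format, and `encode_beacon` exists only to build a sample blob for the decoder to work on.

```python
import base64
import json
from typing import Dict


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (symmetric: the same call encrypts and decrypts)."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # keystream generation + XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decode_beacon(blob: str, key: bytes) -> Dict[str, str]:
    """Reverse the wrapping described in the post: base64 -> RC4 -> JSON.
    The JSON layout is an assumption made for this example."""
    ciphertext = base64.b64decode(blob)
    return json.loads(rc4(key, ciphertext).decode("utf-8"))


def encode_beacon(fields: Dict[str, str], key: bytes) -> str:
    """Only used here to construct a sample blob for the decoder."""
    plaintext = json.dumps(fields, sort_keys=True).encode("utf-8")
    return base64.b64encode(rc4(key, plaintext)).decode("ascii")


# Placeholder key and constructed host fingerprint (not values from the report).
SAMPLE_KEY = b"placeholder-key"
SAMPLE_FIELDS = {"ip": "192.0.2.10", "os": "Windows 10",
                 "user": "analyst", "arch": "amd64"}
SAMPLE_BLOB = encode_beacon(SAMPLE_FIELDS, SAMPLE_KEY)

if __name__ == "__main__":
    print("captured blob:", SAMPLE_BLOB)
    print("decoded      :", decode_beacon(SAMPLE_BLOB, SAMPLE_KEY))
```

Because RC4 is a stream cipher with no integrity check, a wrong key does not fail cleanly; it yields bytes that usually fail UTF-8 or JSON parsing, so wrap `decode_beacon` in a try/except when trying candidate keys pulled from a sample.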