Tuesday, November 12, 2024
Homecyber securityPatchwork Actors Using Weaponized Encrypted Zip Files to Attack Orgs

Patchwork Actors Using Weaponized Encrypted Zip Files to Attack Orgs

Published on

Malware protection

The cyber espionage group Patchwork, also known by various aliases, has been active since 2009, primarily targeting Asian organizations in sectors such as government, military, and industry. 

Based in South Asia, the group has been conducting cyber-espionage campaigns for over a decade, and their activities have focused on compromising sensitive information from their targets, highlighting the group’s persistent threat to the region’s cybersecurity landscape.

Recently, a new variant was discovered that distributed two steganographic components for screenshotting and file information collection. While the Spyder downloader’s core functionality remains unchanged, the code structure and C&C communication format have been modified. 

- Advertisement - SIEM as a Service

The attack process involves the Spyder downloader remotely downloading encrypted ZIP packages containing subsequent components and executing them.

The steganographic components, hidden within the downloaded files, are used to capture screenshots and gather file information, potentially compromising sensitive data.

attack process of the Spyder downloader and the steganographic components 
attack process of the Spyder downloader and the steganographic components 

The samples indicate the presence of three potentially malicious files. “eac_launcher.exe” is a spyware downloader identified by its MD5 hash. “IntelPieService.exe” is a screenshot component that could be used for unauthorized data collection. 

Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN -14-day free trial

“RstMwService.exe” is a file decryption component, suggesting its potential involvement in ransomware activities, which were compiled at various times between February and June 2024 and have been associated with malicious activities.

It disguises itself as a Word document and injects configuration data directly into the code, unlike previous versions that encrypted it, by utilizing traffic spoofing techniques to mimic traffic to legitimate websites like Google APIs and Github. 

 .text segments of multiple system DLLs
 .text segments of multiple system DLLs

It also attempts to tamper with system DLLs and schedules self-replication tasks. Communication with the command and control server (“C2”) involves sending a Base64-encoded JSON string with the machine’s unique identifier and a potentially version-related string. 

This initial contact determines if the downloader should gather information about the infected device and potentially download additional components. 

The malware first checks with the C2 server to see if it needs to collect device information. If yes, it collects the hostname, user ID, OS version, and antivirus information and sends it back. 

Then it enters a loop, generating fake traffic and querying the C2 server again, and if the response indicates new components, it extracts the download category, zip name, and password from the response. 

 contents of the middle field decrypting in CyberChef
 contents of the middle field decrypting in CyberChef

It constructs a download request and retrieves the zip file containing the components by extracting the components to a specific directory and executing them using CreateProcessW.  

Spyder Downloader, a tool used by Patchwork Group, delivers two steganographic components with separate functionalities. The first component, IntelPieService.exe, captures screenshots and sends them to a server, while the second component, RstMwService.exe, steals file information and stores it in a local database. 

According to the QiAnXin Threat Intelligence Center, both components share the same digital signature and are downloaded from different C2 servers, allowing attackers to selectively deploy follow-up components based on their targets. 

Protect Your Business with Cynet Managed All-in-One Cybersecurity Platform – Try Free Trial

Latest articles

10 Best DNS Management Tools – 2025

Best DNS Management Tools play a crucial role in efficiently managing domain names and...

Sweet Security Announces Availability of its Cloud Native Detection & Response Platform on the AWS Marketplace

Customers can now easily integrate Sweet’s runtime detection and response platform into their AWS...

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling...

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling...

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases...

Tor Network Suffers IP Spoofing Attack Via Non-Exit Relays

In late October 2024, a coordinated IP spoofing attack targeted the Tor network, prompting...