Summary: The Knownsec 404 Advanced Threat Intelligence Team has identified a new attack by the Patchwork group targeting Bhutan, utilizing an enhanced Go language backdoor called PGoShell and the red team tool Brute Ratel C4. This attack marks a significant update in the group’s arsenal, showcasing their continuous technological advancements and targeting strategies.
Threat Actor: Patchwork (Dropping Elephant) | Patchwork
Victim: Bhutan | Bhutan
Key Point :
- The attack employed a decoy document related to a project proposal for Bhutan to lure victims.
- Brute Ratel C4 was used for the first time by Patchwork, demonstrating their evolving tactics and capabilities.
- PGoShell has been significantly enhanced, providing advanced functionalities for remote operations and data exfiltration.
- The attack’s execution process involved sophisticated techniques to evade detection, including in-memory loading and anti-debugging measures.
Author:K&XWS@Knownsec 404 Team
Chinese version: https://paper.seebug.org/3199/
1 Overview
Recently, Knownsec 404 Advanced Threat Intelligence Team has detected a suspected attack by the Patchwork group targeting Bhutan. This sample not only loads the repeatedly discovered Go language backdoor (referred to as “PGoShell”) but also significantly enhances its functionality. Additionally, for the first time, the sample uses the red team tool Brute Ratel C4, marking a notable recent update to their arsenal. Over the past two years, the Patchwork group has demonstrated greater enthusiasm for technological advancements compared to other similar groups, continually updating its arsenal and loading methods. To date, over 10 different types of trojans and loading methods used by the group have been identified. The following is an analysis and description of this recent discovery.
2 Background of the organization
Patchwork (also known as Dropping Elephant) is a highly active advanced persistent threat (APT) group that has been operating since 2014. Patchwork primarily targets government, defense, and diplomatic organizations, as well as universities and research institutions in East Asia and South Asia.
3 Chains of attack
4 Synthesis of samples
The sample captured this time is a Lnk file, primarily designed to download decoy files and subsequent payloads. Analysis of the payload revealed that this attack employed weapons including PGoShell and the red team framework Brute Ratel C4. Details are as follows.
4.1 Lnk Analysis Description
The name of lnk file is Large_Innovation_Project_for_Bhutan.pdf.lnk , When users do not display file extensions, it is highly likely that they might mistake executable files for PDF documents. Additionally, when executing a .lnk file, any script parameters contained within the .lnk file will also execute.
The parameter contains the following operations:
1.Operation 1:
Access and download the file from uri (hxxps://adaptation-funds.org/documents/Large_Innovation_Project_for_Bhutan.pdf) to the local directory C:UsersPublicLarge_Innovation_Project_for_Bhutan.pdf
. This file is a decoy document. After the download is complete, execute the file.
The decoy document contains a project proposal for Bhutan by the Adaptation Fund Board, suspected to be targeting organizations and individuals associated with Bhutan.
2.Operation 2:
Access and download the data from uri (hxxps://beijingtv.org/wpytd52vDw/brtd2389aw) to the local directory C:UsersPublichal
, and rename it to C:UsersPublicedputil.dll
. Note that the domain name appears to be impersonating Beijing TV station.
3.Operation 3:
Access and download the data from uri (hxxps://beijingtv.org/ogQas32xzsy6/fRgt9azswq1e) to the local directory C:UsersPublicsam
, and rename it to C:UsersPublicWinver.exe
.
4.Operation 4:
Copy resmon.exe from the system directory to C:UsersPublicresmon.exe, create a scheduled task named “MicroUpdate” that runs every minute, with the target set to C:UsersPublicresmon.exe. Create another scheduled task named “MicroUppdate” that also runs every minute, with the target set to C:UsersPublicWinver.exe. Eventually, delete the LNK file.
4.2 Analysis of Brute Ratel C4 (edputil.dll)
4.2.1 Brute Ratel C4 loader analysis description
resmon.exe is a system file , After it runs, edputil.dll will load. Following Windows’ default loading behavior, edputil.dll located in the same directory as resmon.exe will be loaded. Additionally, edputil.dll is packed using Themida:
Eventually, resmon.exe loads the exported function EdpGetIsManaged from edputil.dll.
The main function exported by EdpGetIsManaged is to serve as the Brute Ratel C4 loader. Attackers first utilize a custom hash algorithm to obtain api addresses:
To achieve objectives of unhooking and anti-debugging, attackers will obtain the system call number corresponding to the function, then locate the address of the “syscall” instruction. For example, in the case of the NtProtectVirtualMemory function, the system call number is “0x50”:
Subsequently, if there’s a need to call NtProtectVirtualMemory, you simply pass the system call number (0x50) into EAX , and then invoke the address of the “syscall” instruction to execute the function. By using this calling method, traditional breakpoint mechanisms become ineffective:
Write shellcode into allocated memory, change the protection of the newly allocated memory, and create a thread using NtCreateThreadEx to execute it:
The primary function of the shellcode is to load the final payload (Brute Ratel C4). It begins by performing debugger detection, then compares the value of NtGlobalFlag in the Process Environment Block (PEB). If the value is 0x70, it will terminate execution:
Obtain the addresses of APIs needed for subsequent use:
Next, perform a system time check. if the current system time exceeds the hardcoded timestamp (0x66c0666d), terminate execution:
Decrypt the filename (chakra.dll) using the RC4 algorithm, which serves as the carrier for Brute Ratel C4:
After loading chakra.dll, the final payload Brute Ratel C4, with the “MZ” header removed, is written into the address space of chakra.dll. Subsequently, it simulates the loading of Brute Ratel C4:
Obtain the Original Entry Point (OEP) and perform a jump to execute it, ultimately running the Brute Ratel C4 payload:
4.2.2 Brief description of Brute Ratel C4
Brute Ratel C4 is a red team framework seen as an alternative to Cobalt Strike. This framework enables functionalities such as file management, port scanning, file upload and download, screen capture, etc. Below is a screenshot of the configuration for this payload, with configurations separated by “|”.
4.3 Analysis of PGoShell (Winver.exe)
PGoShell is developed in the Go programming language, overall, it offers a rich set of functionalities, including remote shell capabilities, screen capture, and downloading and executing payloads.It was initially named for its primary feature of remote shell capability. Below are detailed reverse engineering analysis findings related to it:
Initialize URI, RC4 key, User-Agent. In this sample, the RC4 key is “0g8RXt137ODBeqPhTv2XYjgmnxUsijfc”.
Detect if HKCUSoftwareMicrosoftWinTemp exists, if it does, retrieve the value corresponding to the temp key. If it does not exist, generate a random string, encrypt it using RC4 followed by base64 encoding, and write this encrypted value. This value will serve as the ID to be uploaded to the server.
Upon entering the information collection and interaction module, PGoShell first attempts to gather host information including hostname, username, current public IP address of the host, country information based on IP (obtained from querying ip-api.com), current system version, current execution path, process PID, and PROCESSOR_ARCHITECTURE information. Once collected successfully, it concatenates this data, separating each piece of information with “||”.
All data obtained by PGoShell is encoded using RC4 followed by base64 encoding.(main_AESENC function in the screenshot is designed to confuse analysts; internally, it actually uses RC4 followed by base64 encoding):
Subsequently, the concatenated data is sent to the server, and data is retrieved from the server using the POST method for both online information and interaction uploads.
Some of the PGoShell functions are listed in the table below:
5 Summary
The captured attack activity primarily used a proposal from the Adaptation Fund Board regarding a project in Bhutan as bait, targeting entities suspected to be related to Bhutan. In this attack campaign, Patchwork organization was observed using Brute Ratel C4 as their weapon for the first time.The entire loading and execution process of Brute Ratel C4 involves pure in-memory loading, effectively evading detection by endpoint security measures. Throughout the loading process, it repeatedly engages in anti-debugging and unhooking operations, and enforces execution cycle restrictions. This indicates that the organization is actively expanding its arsenal. According to online sources, the author of Brute Ratel C4 is reportedly from India.
Currently, the price of this tool is $3000 USD, and Patchwork organization may potentially receive a discount when purchasing it.
Furthermore, we have observed significant expansion in the functionality of PGoShell used in this instance, making it more advanced compared to previously discovered attack samples. As a homegrown backdoor tool of this organization, PGoShell has undergone extensive feature updates, underscoring its critical importance to the Patchwork organization.We have reason to believe that PGoShell has helped Patchwork achieve significant success in past attack campaigns. In the future, the organization may increasingly utilize this tool to launch further attacks.
6 IOC
C2:
Beijingtv[.]org
Cartmizer[.]info
longwang.b-cdn[.]net