Patchwork APT Targets Chinese Scientific Research in Renewed Campaign


### #IntellectualPropertyTheft #AdvancedPersistentThreats #CyberEspionage

Summary: A new wave of cyberattacks targeting Chinese scientific organizations has been identified, attributed to the Patchwork APT group, which employs sophisticated malware and tactics to exfiltrate sensitive data. This campaign highlights a refined methodology and a persistent interest in acquiring intellectual property related to scientific research.

Threat Actor: Patchwork APT | Patchwork
Victim: Chinese scientific organizations | Chinese scientific organizations

Key Point :

  • The attack begins with a spear-phishing email containing a malicious LNK file disguised as a relevant document.
  • Upon execution, the LNK file triggers a multi-stage malware delivery process while displaying a benign PDF to avoid detection.
  • The primary payload, BadNews malware, establishes a secure C2 communication channel for data exfiltration.
  • Counterfeit domains mimicking legitimate websites were used to host additional malware and facilitate data theft.
  • Organizations are urged to update security frameworks and utilize advanced threat analysis tools to combat such sophisticated attacks.

A new wave of cyberattacks targeting Chinese scientific organizations has been identified by cybersecurity researchers at Hunting Shadow Lab. The campaign, attributed to the Patchwork APT group (also known as Hangover and Dropping Elephant), leverages sophisticated malware and evasive techniques to compromise workstations and exfiltrate sensitive data.

Patchwork, believed to be operating with support from Indian authorities, has a long history of cyber espionage activity dating back to 2009. While their previous campaigns have focused on government agencies and scientific institutions across Asia, this latest operation demonstrates a refined methodology and a continued interest in acquiring intellectual property related to scientific research.

The attack chain commences with a spear-phishing email containing a malicious LNK file disguised as a document relevant to ongoing Chinese research projects. Upon execution, the LNK file initiates a multi-stage malware delivery process. To avoid raising suspicion, a benign PDF document is displayed while malicious EXE and DLL files are discreetly downloaded and executed in the background.

The primary payload delivered in this campaign is the BadNews malware, a sophisticated backdoor designed for stealth and persistence. To evade detection, the malware employs multiple layers of obfuscation, including encryption and the use of previously observed digital certificates. Once active, BadNews establishes a secure communication channel with a command-and-control (C2) server, enabling the attackers to exfiltrate sensitive data and issue further commands.

Adding to the complexity of this campaign is the use of counterfeit domains mimicking legitimate websites. Researchers identified fraudulent versions of websites belonging to Pakistan International Airlines, Zong (a Pakistani telecommunications provider), Global News, and Scandinavian Airlines. These domains were used to host additional malware and facilitate data exfiltration, leveraging the trust associated with these established entities.

It is imperative for organizations to proactively update their security frameworks, integrate current Indicators of Compromise (IoCs), and leverage advanced threat analysis tools. Additionally, utilizing cloud-based services for analyzing suspicious files can significantly enhance defenses against such attacks.

Related Posts:

Source: https://securityonline.info/patchwork-apt-targets-chinese-scientific-research-in-renewed-campaign