{"id":594,"date":"2019-10-22T16:19:44","date_gmt":"2019-10-22T14:19:44","guid":{"rendered":"https:\/\/lab52.io\/blog\/?p=594"},"modified":"2019-10-22T17:25:49","modified_gmt":"2019-10-22T15:25:49","slug":"new-patchwork-campaign-against-pakistan","status":"publish","type":"post","link":"https:\/\/lab52.io\/blog\/new-patchwork-campaign-against-pakistan\/","title":{"rendered":"New PatchWork Spearphishing Attack"},"content":{"rendered":"\n<p>Recently, a somewhat more elaborate phishing campaign has caught our attention at Lab52. It consists of a malicious Office document built from a real article published on 07-10-2019 by Samaa.tv, one of the most important media outlets in Pakistan. The article used in this campaign is related to the current rise of tension in the geopolitical Indian-Pakistani conflict over Kashmir. The headline of the article is: <em>\u201cIndia to become center of extremism under Modi: AJK PM\u201d<\/em> ([1]). <\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/10\/image1-1.png\" alt=\"\" class=\"wp-image-597\" width=\"604\" height=\"315\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/10\/image1-1.png 980w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/10\/image1-1-300x156.png 300w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/10\/image1-1-768x400.png 768w\" sizes=\"(max-width: 604px) 100vw, 604px\" \/><figcaption>Illustration 1: Headlines used in the Campaign<\/figcaption><\/figure><\/div>\n\n\n\n<p>The document, named \u201cIndia\u2019s_Extremisms_Under_Mobi.docx\u201d and with hash \u201c167062593cb9e42a404dc9c8a0347e74888712a1256731724417e6f1d411cbbb\u201d, was written in English, an official language in both countries. The startling headline selected for the campaign tries to attract the attention and interest of Pakistani and Indian readers by playing on social fear. 
The campaign therefore seems mainly aimed at luring Pakistani victims into downloading the malicious document. At the moment, both Delhi and Islamabad claim control of the whole Kashmir area; in practice, each administration governs a specific part of the region ([2]) ([3]). <\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/10\/image2-666x1024.png\" alt=\"\" class=\"wp-image-587\" width=\"243\" height=\"374\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/10\/image2-666x1024.png 666w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/10\/image2-195x300.png 195w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/10\/image2-768x1180.png 768w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/10\/image2.png 1920w\" sizes=\"(max-width: 243px) 100vw, 243px\" \/><figcaption>Illustration 2: External influences on Kashmir<\/figcaption><\/figure><\/div>\n\n\n\n<p>China is also involved in this geopolitical scenario, as it is making a major investment in Pakistan, especially in the \u201cChina-Pakistan Economic Corridor\u201d. A public official from Beijing declared that, should India make any unacceptable geostrategic move, China would defend Pakistan\u2019s legal rights in the Kashmir area ([3]). 
<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/10\/image3.png\" alt=\"\" class=\"wp-image-588\" width=\"360\" height=\"360\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/10\/image3.png 700w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/10\/image3-300x300.png 300w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/10\/image3-75x75.png 75w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/10\/image3-600x600.png 600w\" sizes=\"(max-width: 360px) 100vw, 360px\" \/><figcaption>Illustration 3: China-Pakistan Economic Corridor<\/figcaption><\/figure><\/div>\n\n\n\n<p>China\u2019s economic and trade interests in Pakistan are highly relevant. China\u2019s current investments in Pakistan keep developing the China &amp; Pakistan economic corridor, which will join the OBOR route down to the ports of Gwadar and Karachi ([4]). The Indian claim to control of the whole Kashmir area would bring India significantly closer to the China-Pakistan Economic Corridor, a situation that makes both partners uneasy because their logistics project would be at risk of disruption. As shown, China, Pakistan and India are all showing growing interest in the Kashmir area.<\/p>\n\n\n\n<p>The document appeared in public sources around 15-10-2019, and its internal metadata dates from 12-10-2019, so it seems to be a recent campaign. When the document is opened, the MS Office Word process is repeatedly suspended and behaves in an unstable way. 
Analyzing the document in depth, it can be observed that it contains a file called image1.eps, which corresponds to a Flash element of the document that exploits the Adobe Flash vulnerability known as \u201cCVE-2017-0261\u201d.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" width=\"721\" height=\"182\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/10\/image4.png\" alt=\"\" class=\"wp-image-589\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/10\/image4.png 721w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/10\/image4-300x76.png 300w\" sizes=\"(max-width: 721px) 100vw, 721px\" \/><figcaption>Illustration 4: Files dropped by the document<\/figcaption><\/figure><\/div>\n\n\n\n<p>The exploit executed by the document contains a shellcode that drops three executable files into the folder \u201cC:\\ProgramData\\Microsoft\\DeviceSync\u201d: two of them related to VMWare, and one named \u201cMSBuild.exe\u201d. 
After creating these files, the shellcode runs the binary named \u201cVMWareCplLauncher.exe\u201d.<\/p>\n\n\n\n<p>As described in the Unit42 report [6], the executable \u201cVMWareCplLauncher.exe\u201d is a signed VMWare binary, and the DLL that it automatically loads is also a legitimate VMWare component, which in this case has been modified to create two scheduled tasks:<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" width=\"768\" height=\"278\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/10\/image5.png\" alt=\"\" class=\"wp-image-590\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/10\/image5.png 768w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/10\/image5-300x109.png 300w\" sizes=\"(max-width: 768px) 100vw, 768px\" \/><figcaption>Illustration 5: Tasks created by VMWareCplLauncher.exe<\/figcaption><\/figure><\/div>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" width=\"754\" height=\"47\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/10\/image6.png\" alt=\"\" class=\"wp-image-591\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/10\/image6.png 754w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/10\/image6-300x19.png 300w\" sizes=\"(max-width: 754px) 100vw, 754px\" \/><figcaption>Illustration 6: Second binary path<\/figcaption><\/figure><\/div>\n\n\n\n<p>The first task points to the previously seen executable \u201cMSBuild.exe\u201d, and the second to a binary that is never generated at any point of the infection, which could point to a next stage that may be downloaded after a \u201crecon\u201d of the infected machine performed by this first stage. 
After a minute, the scheduled task named \u201cWindows Update\u2026\u201d launches the MSBuild.exe binary, which is a first-stage trojan with a multitude of capabilities, described below.<\/p>\n\n\n\n<p>This sample contacts the domain &#8220;yetwq.twilightparadox.com&#8221; over HTTP, constantly sending information collected from the victim computer together with the parameter &#8220;crc=e3a6&#8221;, which is &#8220;hardcoded&#8221; in its logic.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"270\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/10\/image7-1024x270.png\" alt=\"\" class=\"wp-image-592\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/10\/image7-1024x270.png 1024w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/10\/image7-300x79.png 300w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/10\/image7-768x202.png 768w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/10\/image7.png 1617w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption>Illustration 7: Malware traffic with its C2<\/figcaption><\/figure><\/div>\n\n\n\n<p>The server response is checked by the malware logic for one of the following numbers, \u201c4, 5, 8, 13, 23, 33\u201d, which correspond to different commands: downloading and executing other binaries, keyboard monitoring, sending screenshots to the command and control server, or stealing files with the following list of extensions: \u201cdoc:docx:pdf:ppt:pptx:jpg:jpeg:png:rtf:txt:7z:rar:zip:docm:msg:wps:xps:pptm\u201d.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/10\/image8.png\" alt=\"\" class=\"wp-image-593\" width=\"635\" height=\"449\" 
srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/10\/image8.png 1023w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/10\/image8-300x213.png 300w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/10\/image8-768x544.png 768w\" sizes=\"(max-width: 635px) 100vw, 635px\" \/><figcaption>Illustration 8: Command switch\/case on the sample<\/figcaption><\/figure><\/div>\n\n\n\n<p>Both its capabilities and its code are practically the same as those described by Unit42 in reference to the BadNews threat. In the same way, the TTPs of the entire infection chain coincide with those described in several reports in relation to campaigns that have been attributed to the Patchwork group, also known as \u201cDropping Elephant\u201d or \u201cAPT-C-09\u201d.<\/p>\n\n\n\n<p>Furthermore, due to the characteristics of the campaign and the current geopolitical scenario in the area, it seems that its main targets could be located in Pakistan and would be linked to the Chinese-Pakistani Economic Corridor (CPEC) route.<\/p>\n\n\n\n<p>IOCs:<\/p>\n\n\n\n<table class=\"wp-block-table\"><tbody><tr><td>167062593cb9e42a404dc9c8a0347e74888712a1256731724417e6f1d411cbbb<\/td><\/tr><tr><td>6b656dc98773255cbc3592122db6487326e39b8e01966cca174dde87e72f82ec<\/td><\/tr><tr><td>5f5a1af57872610aa692ee3d0fba4a0171c2ec1a8cc3cf45f21f52caa2ab9041<\/td><\/tr><tr><td>31c913899d50d78f2d7d9657e7534bd36819ec9571566216f1c963bf605417f7<\/td><\/tr><tr><td>yetwq.twilightparadox.com<\/td><\/tr><tr><td>185.161.208.252<\/td><\/tr><\/tbody><\/table>\n\n\n\n<p>References:<\/p>\n\n\n\n<p>[1] <a href=\"https:\/\/www.samaa.tv\/news\/2019\/10\/india-to-become-center-of-extremism-under-modi-ajk-pm\/\">https:\/\/www.samaa.tv\/news\/2019\/10\/india-to-become-center-of-extremism-under-modi-ajk-pm\/<\/a><\/p>\n\n\n\n<p>[2] <a href=\"https:\/\/www.bbc.com\/news\/world-asia-india-49737886\">https:\/\/www.bbc.com\/news\/world-asia-india-49737886<\/a><\/p>\n\n\n\n<p>[3] <a 
href=\"https:\/\/www.dw.com\/en\/pakistan-thanks-china-for-support-on-kashmir-issue\/a-50745277\">https:\/\/www.dw.com\/en\/pakistan-thanks-china-for-support-on-kashmir-issue\/a-50745277<\/a><\/p>\n\n\n\n<p>[4] <a href=\"https:\/\/www.dw.com\/en\/belt-and-road-forum-is-the-china-pakistan-economic-corridor-failing\/a-48473486\">https:\/\/www.dw.com\/en\/belt-and-road-forum-is-the-china-pakistan-economic-corridor-failing\/a-48473486<\/a><\/p>\n\n\n\n<p>[5] <a href=\"https:\/\/attack.mitre.org\/groups\/G0040\/\">https:\/\/attack.mitre.org\/groups\/G0040\/<\/a><\/p>\n\n\n\n<p>[6] <a href=\"https:\/\/unit42.paloaltonetworks.com\/unit42-patchwork-continues-deliver-badnews-indian-subcontinent\/\">https:\/\/unit42.paloaltonetworks.com\/unit42-patchwork-continues-deliver-badnews-indian-subcontinent\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Recently, a somewhat more elaborate phishing campaign has caught our attention at Lab52. It consists of a malicious Office document built from a real article published on 07-10-2019 by Samaa.tv, one of the most important media outlets in Pakistan. 
The article used in this campaign is related to the current rise of tension in the geopolitical Indian-Pakistani conflict [&hellip;]<\/p>\n","protected":false},"author":5,"featured_media":608,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[3],"tags":[],"class_list":{"0":"post-594","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-apts","8":"entry"},"featured_image_src":"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/10\/patch-2-600x400.jpeg","featured_image_src_square":"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/10\/patch-2-600x580.jpeg","author_info":{"display_name":"JagaimoKawaii","author_link":"https:\/\/lab52.io\/blog\/author\/jagaimokawaii\/"},"_links":{"self":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts\/594"}],"collection":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/comments?post=594"}],"version-history":[{"count":12,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts\/594\/revisions"}],"predecessor-version":[{"id":613,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts\/594\/revisions\/613"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/media\/608"}],"wp:attachment":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/media?parent=594"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/categories?post=5
94"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/tags?post=594"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}