A threat actor known as Patchwork has been found to be involved in cyber attacks targeting organisations with links to Bhutan, delivering updated versions of the Brute Ratel C4 framework and a backdoor called PGoShell.
In an analysis published last week, the Knownsec 404 team said the deployment marks the first time they’ve observed attackers using red teaming software.
This activity cluster, also known as APT-C-09, Dropping Elephant, Operation Hangover, Viceroy Tiger and Zinc Emerson, is a state-sponsored actor believed to be of Indian origin.
The hacker group, known for conducting spear phishing and watering hole attacks against China and Pakistan, is believed to have been active since at least 2009, according to data shared by Chinese cybersecurity firm QiAnXin.
Last July, Knownsec 404 published details of an espionage campaign targeting Chinese universities and research institutes that utilized a .NET-based implant codenamed EyeShell to retrieve and execute commands from attacker-controlled servers, execute additional payloads, and capture screenshots.
Then, in early February this year, it was discovered that the threat actors were using romance-themed lures to lure victims in Pakistan and India to compromise Android devices with a remote access trojan called VajraSpy.
The latest observed attack chain starts with a Windows shortcut (LNK) file designed to download a decoy PDF document from a remote domain impersonating the UNFCCC-backed Adaptation Fund, then covertly deploy Brute Ratel C4 and PGoShell obtained from another domain (“beijingtv(.)org”).
“PGoShell is developed in the Go programming language and, overall, offers a rich set of features, including remote shell capabilities, screen capture, and the downloading and execution of payloads,” the cybersecurity firm said.
This development comes several months after APT-K-47, another threat actor with tactical overlaps with SideWinder, Patchwork, Confucius, and Bitter, was alleged to have carried out attacks using ORPCBackdoor and previously undocumented malware such as WalkerShell, DemoTrySpy, and NixBackdoor to collect data and execute shellcode.
According to Knownsec 404, the attack is also notable for deploying an open source command and control (C2) framework called Nimbo-C2, which “enables a wide range of remote control capabilities.”
