“Nexe Backdoor Unleashed: Patchwork APT Group’s Advanced Evasion Tactics”

The Patchwork APT group has launched a sophisticated campaign targeting Chinese entities and Bhutan, using malicious LNK files and DLL sideloading to deploy the Nexe backdoor while evading detection. The operation culminates in data collection and exfiltration via a C2 channel, with new evasion techniques demonstrated. #NexeBackdoor #Patchwork

Key points

  • Patchwork APT continues operations against Chinese and Bhutanese entities in South/Southeast Asia.
  • Malicious LNK files are used as the initial infection vector, typically delivered via phishing emails.
  • The campaign relies on DLL sideloading to run malicious payloads while masking activity.
  • The AmsiScanBuffer and EtwEventWrite APIs are modified in memory to evade detection by security tools.
  • The final payload collects system information and transmits it to a command-and-control server.
  • A new Nexe Backdoor variant has been identified, showcasing advanced evasion and in-memory execution techniques.
  • Recommendations emphasize strong email filtering and monitoring for data exfiltration.

MITRE Techniques

  • [T1660] Phishing – Malware distribution via phishing site.
  • [T1204] User Execution – Manual execution by the user.
  • [T1036.008] Masquerading – LNK file disguised as a legitimate PDF file.
  • [T1574.002] DLL Side-Loading – Adversaries may execute their own malicious payloads by side-loading DLLs.
  • [T1055] Process Injection – Injects malicious code into werfaultsecure.exe.
  • [T1082] System Information Discovery – Queries the system information.
  • [T1071] Application Layer Protocol – Malware communicates with the C&C server.
  • [T1041] Exfiltration Over C2 Channel – Collected data is exfiltrated over the C2 channel.

Indicators of Compromise

  • [SHA256] Malicious LNK file and related components – d7b278d20f47203da07c33f646844e74cb690ed802f2ba27a74e216368df7db9, and 2 more hashes
  • [SHA256] Malicious DLL file – ba262c587f1f5df7c2ab763434ef80785c5b51cac861774bf66d579368b56e31
  • [SHA256] Decoy PDF – fe503708d7969e65e9437b56b6559bc9b6bb7f46f3be5022db9406579592670d
  • [SHA256] LNK files used to target Bhutan – f6d171e79e2fb38b3919011835c8117a1c56788bcf634e69ae67a5e255fb9d58, 14bbe421abe496531f4c63b16881eee23fb2c92b2938335dca1668206882201a, c3805b8b37eb1ba34057cd6c882dc9bedcebc01ec90a6d4be8d0f6fc82859ecb
  • [SHA256] LNK targeting Chinese entities – c6398b5ca98e0da75c7d1ec937507640037ce3f3c66e074c50a680395ecf5eae
  • [URL] Remote servers – hxxps://shianchi.scapematic.info/jhgfd/jkhxvcf, hxxps://jihang.scapematic.info/eqhgrh/uybvjxosg
  • [Domain] C2 domain – iceandfire.xyz
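The indicators above and the masquerading-LNK key point are the pieces a defender turns into a hunt. The script below is an added example, not code from the Cyble report: it refangs the listed URLs, matches proxy log destinations against the C2 domains, and checks a file inventory for both the listed SHA256 hashes and the "document.pdf.lnk" double-extension pattern the report describes. The proxy log format, the file paths and the non-matching hashes are constructed sample data; the indicator values themselves are taken from the list above.

```python
"""Hunt for the Nexe/Patchwork indicators listed in the summary (added example)."""
import re

# SHA256 values copied from the indicator list above, mapped to their label.
IOC_SHA256 = {
    "d7b278d20f47203da07c33f646844e74cb690ed802f2ba27a74e216368df7db9": "Malicious LNK file",
    "ba262c587f1f5df7c2ab763434ef80785c5b51cac861774bf66d579368b56e31": "Malicious DLL file",
    "fe503708d7969e65e9437b56b6559bc9b6bb7f46f3be5022db9406579592670d": "Decoy PDF",
    "f6d171e79e2fb38b3919011835c8117a1c56788bcf634e69ae67a5e255fb9d58": "LNK (Bhutan)",
    "14bbe421abe496531f4c63b16881eee23fb2c92b2938335dca1668206882201a": "LNK (Bhutan)",
    "c3805b8b37eb1ba34057cd6c882dc9bedcebc01ec90a6d4be8d0f6fc82859ecb": "LNK (Bhutan)",
    "c6398b5ca98e0da75c7d1ec937507640037ce3f3c66e074c50a680395ecf5eae": "LNK (Chinese entities)",
}
# Remote servers and C2 domain, kept defanged exactly as published.
IOC_URLS_DEFANGED = [
    "hxxps://shianchi.scapematic.info/jhgfd/jkhxvcf",
    "hxxps://jihang.scapematic.info/eqhgrh/uybvjxosg",
]
IOC_DOMAINS = {"iceandfire.xyz"}


def refang(indicator: str) -> str:
    """Turn a defanged indicator (hxxp, [.]) back into its real form for matching."""
    return (indicator.replace("hxxps://", "https://")
                     .replace("hxxp://", "http://")
                     .replace("[.]", "."))


def domain_of(url: str) -> str:
    """Extract the lower-cased host part of a URL (scheme and path stripped)."""
    return re.sub(r"^[a-z]+://", "", url, flags=re.IGNORECASE).split("/", 1)[0].lower()


# Full set of hostnames to alert on: the bare C2 domain plus the URL hosts.
IOC_HOSTS = IOC_DOMAINS | {domain_of(refang(u)) for u in IOC_URLS_DEFANGED}


def match_proxy_log(lines):
    """Return (line_number, host) for every log line whose destination is an IOC host.

    Assumed (constructed) log format: '<timestamp> <client_ip> <method> <url> <status>'.
    Subdomains of a listed domain are matched as well.
    """
    hits = []
    for lineno, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 4:
            continue
        host = domain_of(parts[3])
        if host in IOC_HOSTS or any(host.endswith("." + d) for d in IOC_HOSTS):
            hits.append((lineno, host))
    return hits


# The report says the LNK is disguised as a PDF; "name.pdf.lnk" is the usual
# way that looks in a file listing, so flag that double extension.
MASQUERADE_RE = re.compile(r"\.pdf\.lnk$", re.IGNORECASE)


def check_files(inventory):
    """inventory: iterable of (path, sha256). Returns a list of (path, reason) findings."""
    findings = []
    for path, sha in inventory:
        sha = sha.lower()
        if sha in IOC_SHA256:
            findings.append((path, "hash match: " + IOC_SHA256[sha]))
        name = path.replace("\\", "/").rsplit("/", 1)[-1]
        if MASQUERADE_RE.search(name):
            findings.append((path, "double-extension LNK masquerading as a PDF"))
    return findings


# Constructed sample input: two benign lines, one hit per listed host.
SAMPLE_PROXY_LOG = [
    "2024-09-24T10:01:02Z 10.0.0.15 GET https://www.example.org/index.html 200",
    "2024-09-24T10:01:05Z 10.0.0.15 GET https://shianchi.scapematic.info/jhgfd/jkhxvcf 200",
    "2024-09-24T10:02:11Z 10.0.0.22 POST https://iceandfire.xyz/upload 200",
    "2024-09-24T10:02:15Z 10.0.0.22 GET https://cdn.example.net/lib.js 304",
]
# Constructed sample inventory: paths and the two all-zero/all-one hashes are made up.
SAMPLE_INVENTORY = [
    ("C:/Users/a/Downloads/report.pdf.lnk",
     "d7b278d20f47203da07c33f646844e74cb690ed802f2ba27a74e216368df7db9"),
    ("C:/Users/a/Downloads/notes.pdf", "0" * 64),
    ("C:/Users/a/AppData/Local/Temp/invoice.pdf.lnk", "1" * 64),
]

if __name__ == "__main__":
    for lineno, host in match_proxy_log(SAMPLE_PROXY_LOG):
        print(f"proxy line {lineno}: contact with IOC host {host}")
    for path, reason in check_files(SAMPLE_INVENTORY):
        print(f"{path}: {reason}")
```

Hash matching only catches the samples Cyble already saw; the hostname and double-extension checks are the ones likely to survive a recompiled payload, which is why the script keeps all three rather than relying on hashes alone.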

Read more: https://cyble.com