[Cyware] The Patchwork group has updated its arsenal, launching attacks for the first time using Brute Ratel…

The threat actor Patchwork (also tracked as Dropping Elephant) targeted Bhutan with an enhanced Go-based backdoor, PGoShell, deployed alongside the commercial red-team framework Brute Ratel C4 (BRC4); this is the group’s first observed use of BRC4. The campaign used a decoy Bhutan project-proposal document as the lure and relied on in-memory loading and anti-debugging checks to evade detection, further expanding Patchwork’s arsenal.

Keypoints

  • Patchwork targeted Bhutan using a decoy project proposal document to lure victims.
  • Brute Ratel C4 was used by Patchwork for the first time, indicating evolving capabilities.
  • PGoShell backdoor has been significantly enhanced for remote operations and data exfiltration.
  • The attack employed in-memory loading and anti-debugging measures to evade detection.
  • The execution chain consisted of LNK delivery, renaming of downloaded files to mimic Windows components (masquerading), and scheduled tasks for persistence.
  • The domains beijingtv.org and cartmizer.info and the CDN host longwang.b-cdn.net served as payload-delivery or command-and-control infrastructure.
  • Patchwork’s expanded tooling suggests future campaigns will reuse these methods.

MITRE Techniques

  • [T1204] User Execution – The attack employed a decoy document related to a project proposal for Bhutan to lure victims. ‘The decoy document contains a project proposal for Bhutan by the Adaptation Fund Board, suspected to be targeting organizations and individuals associated with Bhutan.’
  • [T1105] Ingress Tool Transfer – Operations 2 and 3 downloaded payloads from remote URIs into local directories. ‘Access and download the data from uri (hxxps://beijingtv.org/wpytd52vDw/brtd2389aw) to the local directory C:\Users\Public\hal, and rename it to C:\Users\Public\edputil.dll.’
  • [T1036] Masquerading – Downloaded files were renamed to mimic legitimate Windows components (e.g., edputil.dll, Winver.exe), and the delivery domain impersonates a legitimate broadcaster. ‘Note that the domain name appears to be impersonating Beijing TV station.’
  • [T1053] Scheduled Task – The malware creates two scheduled tasks, MicroUpdate and MicroUppdate, that run every minute. ‘Create a scheduled task named “MicroUpdate” that runs every minute, with the target set to C:\Users\Public\resmon.exe. Create another scheduled task named “MicroUppdate” that also runs every minute, with the target set to C:\Users\Public\Winver.exe.’
  • [T1055] Process Injection – The Brute Ratel C4 payload is run as shellcode: memory is allocated, the shellcode is written into it, the page protection is changed, and a thread is started with NtCreateThreadEx. ‘Write shellcode into allocated memory, change the protection of the newly allocated memory, and create a thread using NtCreateThreadEx to execute it.’
  • [T1082] System Information Discovery – PGoShell gathers host information like hostname, user, IP, country, system version, path, PID, and architecture. ‘Upon entering the information collection and interaction module, PGoShell first attempts to gather host information including hostname… PROCESSOR_ARCHITECTURE information.’
  • [T1562] Impair Defenses – Anti-debugging checks are part of the in-memory loading/execution chain (MITRE also catalogs this behaviour specifically as T1622 Debugger Evasion). ‘The loading process involves anti-debugging measures.’
  • [T1027] Obfuscated Files and Information – PGoShell output is RC4-encrypted and then base64-encoded. ‘All data obtained by PGoShell is encoded using RC4 followed by base64 encoding.’
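The RC4-then-base64 layering described for PGoShell output is easy to reverse once the key is known, and an analyst usually has a short list of candidate keys recovered from the binary. The following is an added example (not code from the Knownsec write-up or from PGoShell itself) that implements both directions and tries candidate keys against a captured blob. The key `example-key`, the record layout `k=v|k=v`, and the sample record are all constructed here; the page gives neither the real key nor the real record format.

```python
"""Decode PGoShell-style traffic: base64 outer layer, RC4 inner layer.

Added example, not code from the write-up. The RC4 key, the record layout
and the sample record are assumptions; the page does not give the real ones.
"""
import base64
import binascii


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def pgoshell_encode(plaintext: bytes, key: bytes) -> str:
    """RC4 first, then base64: the order the write-up describes for PGoShell."""
    return base64.b64encode(rc4(key, plaintext)).decode("ascii")


def pgoshell_decode(blob: str, key: bytes) -> bytes:
    """Reverse the layering: strip base64, then RC4 with the same key."""
    return rc4(key, base64.b64decode(blob, validate=True))


def looks_like_text(data: bytes) -> bool:
    """Heuristic: a correctly decoded host record should be almost all printable ASCII."""
    if not data:
        return False
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in data)
    return printable / len(data) > 0.95


def try_keys(blob: str, candidates):
    """Return (key, plaintext) for the first candidate key that yields text, else None."""
    for key in candidates:
        try:
            plaintext = pgoshell_decode(blob, key)
        except (ValueError, binascii.Error):
            return None                        # malformed base64: no key will help
        if looks_like_text(plaintext):
            return key, plaintext
    return None


# Constructed sample in the spirit of the host record PGoShell collects
# (hostname, user, IP, architecture ...). Field names and separator are assumed.
ASSUMED_KEY = b"example-key"                   # assumption: real key not on the page
SAMPLE_RECORD = b"hostname=WS01|user=alice|ip=10.0.0.5|arch=AMD64"
SAMPLE_BLOB = pgoshell_encode(SAMPLE_RECORD, ASSUMED_KEY)

if __name__ == "__main__":
    print("captured blob:", SAMPLE_BLOB)
    print("recovered:", try_keys(SAMPLE_BLOB, [b"wrong-guess", ASSUMED_KEY]))
```

`rc4` is checked against the published RC4 test vector (key `Key`, plaintext `Plaintext` gives ciphertext `bbf316e8d940af0ad3`), so a failure on real traffic points at the key or the layering order rather than the cipher.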

Indicators of Compromise

  • [Domain] C2 / delivery – beijingtv.org, cartmizer.info, and longwang.b-cdn.net
  • [FileName] Large_Innovation_Project_for_Bhutan.pdf.lnk – LNK lure used in operation 1
  • [FileName] Winver.exe – renamed payload from operation 3
  • [FileName] resmon.exe – copied into C:\Users\Public as part of persistence setup
  • [FileName] chakra.dll and edputil.dll – DLL loaders in the Brute Ratel C4 execution chain
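The persistence described above (tasks named MicroUpdate / MicroUppdate, repeating every minute, targeting binaries in C:\Users\Public) is cheap to hunt for across a fleet from an export of `schtasks /query /fo csv /v`. The block below is an added example, not code from the write-up: it parses such an export and flags tasks by indicator name, by execution from the user-writable C:\Users\Public directory, and by a repeat interval of one minute or less. The CSV is a constructed subset of the verbose schtasks columns; the two Patchwork rows use the names and paths from the page, the other rows are made up for contrast, and the `0:01:00` repeat format is an assumption about the export you adapt to.

```python
"""Hunt for the scheduled-task persistence described in the write-up.

Added example, not code from the original page. SAMPLE_CSV is a constructed
subset of `schtasks /query /fo csv /v` columns; adapt field names to your export.
"""
from __future__ import annotations

import csv
import io
import re

TASK_NAMES = {"MicroUpdate", "MicroUppdate"}                  # from the page
FILE_IOCS = {"winver.exe", "resmon.exe", "edputil.dll", "chakra.dll"}
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\public\\", re.I)  # C:\Users\Public\...

SAMPLE_CSV = r'''
"TaskName","Task To Run","Schedule Type","Repeat: Every","Run As User"
"\MicroUpdate","C:\Users\Public\resmon.exe","One Time Only","0:01:00","alice"
"\MicroUppdate","C:\Users\Public\Winver.exe","One Time Only","0:01:00","alice"
"\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c -h -o -$","Weekly","N/A","SYSTEM"
"\OneDrive Standalone Update Task","%LOCALAPPDATA%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe","Daily","N/A","alice"
'''.strip()


def parse_schtasks_csv(text: str) -> list[dict]:
    """One dict per task, keyed by the CSV header names."""
    return list(csv.DictReader(io.StringIO(text)))


def repeat_seconds(value: str) -> int | None:
    """'0:01:00' -> 60; 'N/A' or anything unparseable -> None."""
    m = re.fullmatch(r"(\d+):(\d{2}):(\d{2})", value.strip())
    if not m:
        return None
    h, mi, s = (int(x) for x in m.groups())
    return h * 3600 + mi * 60 + s


def exe_path(task_to_run: str) -> str:
    """Executable portion of 'Task To Run': quoted path, or first token."""
    t = task_to_run.strip()
    if t.startswith('"'):
        return t[1:].split('"', 1)[0]
    return t.split(" ", 1)[0]


def suspicious_reasons(task: dict) -> list[str]:
    """Why a task row looks like the Patchwork persistence, or [] if it does not."""
    reasons = []
    name = task["TaskName"].rsplit("\\", 1)[-1]
    path = exe_path(task["Task To Run"])
    basename = path.rsplit("\\", 1)[-1].lower()
    if name in TASK_NAMES:
        reasons.append(f"task name matches indicator: {name}")
    if USER_WRITABLE.match(path):
        if basename in FILE_IOCS:
            reasons.append(f"indicator file in C:\\Users\\Public: {basename}")
        else:
            reasons.append("executes from user-writable C:\\Users\\Public")
    secs = repeat_seconds(task.get("Repeat: Every", ""))
    if secs is not None and secs <= 60:
        reasons.append(f"repeats every {secs}s")
    return reasons


def hunt(csv_text: str) -> dict[str, list[str]]:
    """Map of TaskName -> reasons for every task that trips at least one check."""
    hits = {}
    for task in parse_schtasks_csv(csv_text):
        reasons = suspicious_reasons(task)
        if reasons:
            hits[task["TaskName"]] = reasons
    return hits


if __name__ == "__main__":
    for task_name, reasons in hunt(SAMPLE_CSV).items():
        print(task_name)
        for r in reasons:
            print("   -", r)
```

Each check stands on its own: the name match catches this campaign, the C:\Users\Public check catches the next one that renames the tasks, and the one-minute repeat check is a generic oddity worth triaging regardless of attribution.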

Read more: https://medium.com/@knownsec404team/the-patchwork-group-has-updated-its-arsenal-launching-attacks-for-the-first-time-using-brute-ratel-175741987d87