The Advanced Threat Intelligence Team at Knownsec 404 recently uncovered a sophisticated attack by the Patchwork group targeting Bhutanese entities. The group has upgraded its toolset, now employing a Go-based backdoor known as PGoShell alongside the Brute Ratel C4 red-team framework. The attack is delivered through a deceptive link file posing as a PDF; when opened, it downloads both decoy documents and the malicious payloads.
Patchwork, which has historically targeted government and research organizations in East and South Asia, has significantly enhanced its arsenal. The PDF-disguised link file is used to distribute two payloads: edputil.dll, a loader for Brute Ratel C4, and Winver.exe. The edputil.dll loader employs anti-debugging techniques and custom API resolution, while the Brute Ratel C4 implant it loads provides file management, port scanning, and screen capture, demonstrating the sophistication of the attack.
The PGoShell backdoor, the second component of the attack, offers a remote shell, screen capture, and download-and-execute of further payloads. It obfuscates its data with RC4 encryption followed by base64 encoding, and it collects extensive host information, including the victim's IP geolocation. The malware establishes persistence through registry modifications and other techniques.
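The layering described above (RC4, then base64) is a common pattern that an analyst has to peel back when examining captured traffic or configuration blobs. The following Python helper is an added example, not code from the Knownsec 404 report or from the PGoShell sample itself: it implements standard RC4, wraps it in the two-layer encode/decode, and validates the cipher against the published RC4 test vector so an analyst can trust the decoder before applying it to real data. The key and the sample beacon are constructed placeholders; the real malware's key and message format are not given on this page.

```python
import base64
import json
from typing import Iterator

def rc4_keystream(key: bytes) -> Iterator[int]:
    """Standard RC4: key-scheduling algorithm followed by the PRGA stream."""
    if not key:
        raise ValueError("RC4 key must be non-empty")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same call encrypts and decrypts."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)

def encode_layered(key: bytes, plaintext: bytes) -> str:
    """RC4 then base64, the obfuscation order described for PGoShell."""
    return base64.b64encode(rc4(key, plaintext)).decode("ascii")

def decode_layered(key: bytes, blob: str) -> bytes:
    """Analyst direction: strip base64, then RC4-decrypt."""
    raw = base64.b64decode(blob, validate=True)
    return rc4(key, raw)

def self_check() -> bool:
    """Confirms the RC4 implementation against the well-known test vector
    (key 'Key', plaintext 'Plaintext' -> bbf316e8d940af0ad3)."""
    return rc4(b"Key", b"Plaintext").hex() == "bbf316e8d940af0ad3"

# Constructed sample: a hypothetical host-info beacon, NOT a real PGoShell message.
SAMPLE_KEY = b"placeholder-key"          # assumption: real key is not on this page
SAMPLE_BEACON = {"host": "WS-TEST", "user": "analyst", "geo": "??"}

def round_trip(key: bytes, beacon: dict) -> dict:
    """Encode a beacon as the malware would, then decode it as an analyst would."""
    blob = encode_layered(key, json.dumps(beacon).encode())
    return json.loads(decode_layered(key, blob).decode())

if __name__ == "__main__":
    assert self_check(), "RC4 implementation failed its test vector"
    print(round_trip(SAMPLE_KEY, SAMPLE_BEACON))
```

In practice the key is recovered from the sample (hard-coded string, config blob, or runtime dump) and then fed to `decode_layered` over captured C2 bodies; the `self_check` step matters because a subtly wrong RC4 produces plausible-looking garbage rather than an obvious error.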
This operation reflects Patchwork's evolving tactics and growing technical capability. By adopting Brute Ratel C4 and extending PGoShell, the group shows a more advanced and adaptable approach to its operations, and it should be expected to remain a significant threat to the region's government and research targets.