The threat actor identified as Patchwork has been linked to a recent cyber attack targeting organizations connected to Bhutan. This attack involved the deployment of the Brute Ratel C4 framework and an updated backdoor known as PGoShell.

Brute Ratel C4 is developed by Indian security researcher Chetan Nayak, formerly of Mandiant and CrowdStrike. In early 2019, Chetan joined the Mandiant division of FireEye as a Senior Red Team Consultant, where he performed several red team engagements, penetration tests and adversary simulations. He also handled a few incident response cases until late 2020.

This marks the first time Patchwork has been observed using this red teaming software, according to an analysis by the Knownsec 404 Team released last week.

The group, also referred to as APT-C-09, Dropping Elephant, Operation Hangover, Viceroy Tiger, and Zinc Emerson, is a state-sponsored actor likely originating from India.

Patchwork is known for its spear-phishing and watering hole attacks against China and Pakistan and has been active since at least 2009, as noted by Chinese cybersecurity firm QiAnXin.

In July of last year, Knownsec 404 revealed details of an espionage campaign targeting universities and research institutions in China. This campaign used a .NET-based implant called EyeShell to execute commands from an attacker-controlled server, run additional payloads, and capture screenshots.

Earlier this February, it was discovered that the group had used romance-themed lures to infect victims in Pakistan and India, compromising their Android devices with a remote access trojan named VajraSpy.

The latest attack begins with a Windows shortcut (LNK) file designed to download a fake PDF document from a remote domain posing as the UNFCCC-backed Adaptation Fund. Simultaneously, it deploys Brute Ratel C4 and PGoShell, which are retrieved from a different domain (“beijingtv[.]org”).
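The one network indicator the report names is the defanged domain above. As an added example that is not part of the original article or the Knownsec 404 analysis, the following Python script shows how a defender would refang that indicator and scan proxy logs for it, matching the domain and its subdomains while ignoring look-alike hosts. The log lines, timestamps and internal IP addresses are constructed sample data, and the log format is an assumption.

```python
import re
from urllib.parse import urlparse

# Indicator quoted in the report, in the defanged form analysts publish it in.
DEFANGED_IOCS = ["beijingtv[.]org"]

# Constructed sample proxy log (not from the report): "<ts> <src_ip> <method> <url> <status>"
SAMPLE_PROXY_LOG = """\
2024-07-29T09:12:03Z 10.1.4.23 GET http://beijingtv.org/update.bin 200
2024-07-29T09:12:05Z 10.1.4.23 GET https://cdn.beijingtv.org/report.pdf 200
2024-07-29T09:13:10Z 10.1.4.88 GET https://notbeijingtv.org/index.html 200
2024-07-29T09:14:00Z 10.1.4.23 GET https://example.org/ 200
"""

# Assumed log layout: five whitespace-separated fields per line.
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$")


def refang(ioc: str) -> str:
    """Turn a defanged indicator ("[.]", "hxxp") back into a matchable hostname."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").strip(".").lower()


def host_matches(host: str, ioc_domain: str) -> bool:
    """True if host is the IOC domain or a subdomain of it.

    Suffix matching on the bare string would also flag look-alikes such as
    notbeijingtv.org, so the check requires an exact match or a leading dot.
    """
    host = host.lower().rstrip(".")
    return host == ioc_domain or host.endswith("." + ioc_domain)


def scan_proxy_log(log_text: str, defanged_iocs=DEFANGED_IOCS):
    """Return (ts, src_ip, url, matched_ioc) for every log line whose host hits an IOC."""
    iocs = [refang(i) for i in defanged_iocs]
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crashing mid-scan
        host = urlparse(m["url"]).hostname or ""
        for ioc in iocs:
            if host_matches(host, ioc):
                hits.append((m["ts"], m["src"], m["url"], ioc))
                break
    return hits


def affected_sources(hits):
    """Sorted list of internal hosts that contacted an IOC domain (triage starting point)."""
    return sorted({h[1] for h in hits})


if __name__ == "__main__":
    found = scan_proxy_log(SAMPLE_PROXY_LOG)
    for ts, src, url, ioc in found:
        print(f"{ts} {src} -> {url} (matched {ioc})")
    print("hosts to triage:", affected_sources(found))
```

On the constructed log this flags the two requests from 10.1.4.23 (the bare domain and a subdomain) and leaves the look-alike host and the unrelated site alone; the list of affected internal hosts is what an analyst would hand to the endpoint team to look for the shortcut file and the downloaded payloads.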

“PGoShell, developed in the Go programming language, provides a range of functionalities including remote shell access, screen capture, and the ability to download and execute additional payloads,” the cybersecurity firm explained.

This development follows recent activity by APT-K-47, another threat actor with tactical overlaps with SideWinder, Patchwork, Confucius, and Bitter. APT-K-47 has been linked to attacks involving ORPCBackdoor and previously undocumented malware such as WalkerShell, DemoTrySpy, and NixBackdoor, used to gather data and execute shellcode.

The attacks are also significant for employing the open-source command-and-control (C2) framework Nimbo-C2, which “provides a wide range of remote control capabilities,” according to Knownsec 404.

Previously, it has been observed that the Indian intelligence firm Phronesis, which executed operations such as Dropping Elephant and Monsoon, has also been linked to running the Patchwork operation against several targets in the Indian subcontinent.

Phronesis is a cyber-intelligence firm built by security experts Retd. Brigadier Prabhakar, Bryan Miranda, and Ram Chander Chhillar. With expertise in OffSec Playground and Cyph3r, it is one of the firms favored for executing offensive cybersecurity missions.


Cyber Warfare Asia

Providing news related to state sponsored cyber warfare in Asia