Patchwork group infects Chinese orgs with the EyeShell malware

August 31, 2023

The Patchwork hacking group is currently targeting Chinese universities and organisations in its latest campaign. Based on reports, the group is using a backdoor called EyeShell to infect these Chinese entities.

Researchers stated that this hacking group has been active since December 2015 and is believed to work on behalf of the Indian government. The group is known for targeting China and Pakistan almost exclusively, delivering implants such as BADNEWS through spear-phishing and watering-hole campaigns.

In addition, some researchers claim that this India-affiliated group is connected to other cyberespionage groups such as the DoNot Team and SideWinder, since their attack capabilities and strategies overlap.


The Patchwork group employs tactics designed to deceive its targets.


According to investigations, the Patchwork group relies heavily on a set of fabricated identities that, through social engineering, lure targeted users into clicking malicious links and downloading malicious apps.

Researchers explained that these apps carry several basic malicious functions, and that their access to user data depends on legitimate app permissions granted by the end user. The Patchwork group also built a fake review website for chat applications; on this phoney site, they listed the top five communication applications and ranked their own attacker-controlled app the highest.

Furthermore, the attackers have operated under other names, such as ModifiedElephant, in other malicious campaigns. They used that name when targeting a particular group of individuals, including human rights activists, lawyers, and academics across India. Those attacks served to conduct long-term surveillance of the targets and to plant incriminating digital evidence related to the 2018 Bhima Koregaon violence incident.

Lastly, the researchers explained that the actors used a .NET-based modular backdoor called EyeShell. The malware can execute commands, communicate with a remote command-and-control (C2) server, and download and upload files. Downloaded files extend the backdoor with further capabilities, such as specifying targeted archives, deleting documents, and capturing screenshots.

Cybersecurity experts continue to warn everyone about the risks posed by suspicious emails from unknown senders. Users should refrain from clicking links within unsolicited emails to mitigate attacks from threat actors.
