Patchwork Cyberspies Update the Badnews Backdoor

Recent infection campaigns conducted by the Patchwork cyberespionage group have revealed the use of an EPS exploit and an updated backdoor, Palo Alto Networks reports.

Believed to have been active since 2014, Patchwork, also known as Dropping Elephant or Chinastrats, is said to be operating out of the Indian subcontinent. The group was initially observed targeting government-associated organizations connected to Southeast Asia and the South China Sea, but it recently expanded the target list to include multiple industries.

In an extensive December 2017 report, Trend Micro revealed that the actor had adopted new exploit techniques and that it also added businesses to its list of targets.

Patchwork campaigns that Palo Alto Networks observed over the past few months targeted entities in the Indian subcontinent and used weaponized documents to deliver an updated BADNEWS payload.

The malware, which has been updated since the last public report in December 2017, provides attackers with full control over the victim machine and is known to abuse legitimate third-party websites for command and control (C&C). The new version shows changes in the manner the C&C server information is fetched, as well as modifications to its communication routine.

The campaigns featured malicious documents with embedded EPS files targeting two vulnerabilities in Microsoft Office, namely CVE-2015-2545 and CVE-2017-0261. As lures, the attackers used documents of interest to Pakistani nuclear organizations and the Pakistani military.

When executed, shellcode embedded within the malicious EPS drops three files: VMwareCplLauncher.exe (a legitimate, signed VMware executable that is abused to load the payload), vmtools.dll (a modified DLL that establishes persistence and loads the malware), and MSBuild.exe (the BADNEWS backdoor itself, named after the legitimate Microsoft build tool).

VMwareCplLauncher.exe is executed first and loads the malicious vmtools.dll sitting beside it, which in turn creates a scheduled task that attempts to run the spoofed MSBuild.exe every minute.
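As an added illustration (this is not code from the Palo Alto report or from this article), the following Python hunts for the three-file chain just described in exported Windows telemetry: an MSBuild.exe launched from outside the .NET or Visual Studio install directories, VMwareCplLauncher.exe loading a vmtools.dll from somewhere other than the VMware Tools folder, and a scheduled task that re-runs such an MSBuild.exe every minute. The install directories, the Sysmon-style record layout (event ID 1 for process creation, 7 for image load), and the sample records are assumptions constructed for the example; the real campaign's drop locations are not given in the article.

```python
"""Hunt for the BADNEWS-style dropper chain (VMwareCplLauncher.exe side-loading
vmtools.dll, which schedules a spoofed MSBuild.exe every minute).

Added example, not code from Palo Alto Networks or SecurityWeek. Inputs are
assumed to be Sysmon-like records (EventID 1 = process create, 7 = image load)
and scheduled-task definitions already exported to dicts.
"""
from pathlib import PureWindowsPath

# Assumption: where a genuine MSBuild.exe is installed. Extend this for the
# Visual Studio versions actually present in your estate.
LEGIT_MSBUILD_DIRS = (
    r"c:\windows\microsoft.net\framework",
    r"c:\windows\microsoft.net\framework64",
    r"c:\program files\microsoft visual studio",
    r"c:\program files (x86)\microsoft visual studio",
)
# Assumption: where VMware Tools installs its own vmtools.dll.
LEGIT_VMTOOLS_DIRS = (r"c:\program files\vmware\vmware tools",)


def _norm(path: str) -> PureWindowsPath:
    """Lower-case the path so directory checks are case-insensitive."""
    return PureWindowsPath(path.lower())


def _under(path: PureWindowsPath, roots) -> bool:
    """True if one of the root directories is an ancestor of the path."""
    return any(PureWindowsPath(root) in path.parents for root in roots)


def suspicious_msbuild(image: str) -> bool:
    """MSBuild.exe is the backdoor's filename: flag it anywhere outside the
    .NET / Visual Studio directories where the real build tool lives."""
    p = _norm(image)
    return p.name == "msbuild.exe" and not _under(p, LEGIT_MSBUILD_DIRS)


def suspicious_sideload(image: str, loaded: str) -> bool:
    """The signed VMwareCplLauncher.exe loading a vmtools.dll that is not the
    one shipped with VMware Tools is the side-loading step of the chain."""
    img, dll = _norm(image), _norm(loaded)
    return (img.name == "vmwarecpllauncher.exe"
            and dll.name == "vmtools.dll"
            and not _under(dll, LEGIT_VMTOOLS_DIRS))


def suspicious_task(task: dict) -> bool:
    """A task re-running an out-of-place MSBuild.exe at most every minute
    matches the persistence the malicious DLL creates."""
    interval = task.get("repeat_seconds")
    return (interval is not None and interval <= 60
            and suspicious_msbuild(task["action"]))


def hunt(events, tasks):
    """Return (rule, detail) pairs for every record that matches a rule."""
    hits = []
    for ev in events:
        if ev["EventID"] == 1 and suspicious_msbuild(ev["Image"]):
            hits.append(("msbuild_outside_install_dir", ev["Image"]))
        elif ev["EventID"] == 7 and suspicious_sideload(ev["Image"], ev["ImageLoaded"]):
            hits.append(("vmtools_sideload", ev["ImageLoaded"]))
    for task in tasks:
        if suspicious_task(task):
            hits.append(("minute_task_runs_msbuild", task["name"]))
    return hits


# Constructed sample telemetry: one benign and one suspicious record per rule.
USER_DIR = r"C:\Users\victim\AppData\Roaming\Sample"  # hypothetical drop folder
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"},
    {"EventID": 1, "Image": USER_DIR + r"\MSBuild.exe"},
    {"EventID": 7, "Image": r"C:\Program Files\VMware\VMware Tools\VMwareCplLauncher.exe",
     "ImageLoaded": r"C:\Program Files\VMware\VMware Tools\vmtools.dll"},
    {"EventID": 7, "Image": USER_DIR + r"\VMwareCplLauncher.exe",
     "ImageLoaded": USER_DIR + r"\vmtools.dll"},
]
SAMPLE_TASKS = [
    {"name": "Sample Update", "action": USER_DIR + r"\MSBuild.exe", "repeat_seconds": 60},
    {"name": "Nightly build",
     "action": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "repeat_seconds": 86400},
]

if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_EVENTS, SAMPLE_TASKS):
        print(f"{rule}: {detail}")
```

Each rule is weak on its own (developers do copy MSBuild.exe around), so correlate: the same directory appearing in all three hits is what makes the finding high-confidence.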

Once up and running on the infected machine, the backdoor communicates with the C&C over HTTP and allows attackers to download and execute files, upload documents of interest, and take screenshots of the desktop.

The recently observed variant of the backdoor uses a new mutex to ensure that only one instance is running, and it also uses different filenames from previous versions. The way the C&C information stored on dead drop resolvers (legitimate third-party sites hosting the encoded server address) is obfuscated has changed as well, the researchers say.

Although it performs many of the functions associated with previous versions, the new variant no longer searches USB drives for files that might be of interest. When preparing C&C communication, the malware collects victim information and appends it to two fixed strings before sending it.

The C&C protocol has been updated as well and now supports commands to: kill the backdoor; upload a file listing documents of interest and spawn a new BADNEWS instance; upload a specified file; upload the file containing collected keystrokes; copy a file to a .tmp file and send it to the C&C; take a screenshot and send it to the C&C; and download a file and execute it.

“The Patchwork group continues to plague victims located within the Indian subcontinent. Through the use of relatively new exploits, as well as a constantly evolving malware toolset, they aim to compromise prominent organizations and individuals to further their goals. Recent activity has shown a number of lures related to the Pakistan Army, the Pakistan Atomic Energy Commission, as well as the Ministry of the Interior,” Palo Alto concludes.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
