
BADNEWS

Posted: October 25, 2019

BADNEWS is a backdoor Trojan that was used in several attack campaigns carried out by the Patchwork group, an Advanced Persistent Threat actor that targets Indian users frequently. The BADNEWS Trojan has been around for over two years, but it has received an update recently, which strengthens its abilities to evade sandbox environments and anti-virus engines, as well as carry out additional tasks on the compromised computer. The Patchwork group also is known by the names Dropping Elephant or Monsoon.

The Patchwork Group Continues to Improve the BADNEWS Backdoor

The latest campaign that involves the use of the BADNEWS backdoor Trojan is carried out with the help of spear-phishing emails whose subjects and contents are tailored to attract the interest of the recipients – the decoy documents may claim to contain information about the Pakistan Ministry of Interior or the Pakistan Atomic Energy Commission. The documents have a macro script embedded in them that attempts to exploit the Microsoft Office vulnerabilities CVE-2015-2545 and CVE-2017-0261.

BADNEWS is meant to serve as a reconnaissance and data exfiltration tool that also provides attackers with the ability to execute commands on the remote host and upload additional payloads. On command, BADNEWS can scan all hard disk partitions for files with the extensions .xls, .xlsx, .doc, .docx, .ppt, .pptx and .pdf, and the files found are then uploaded to a Command & Control server via an HTTP request. The operators of the BADNEWS backdoor can execute a wide range of commands on the compromised host, enable a keylogger, and take screenshots of the desktop.
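The document-harvesting behaviour described above (many office and PDF files posted over HTTP to one destination in a short time) is something a defender can look for in proxy or DLP telemetry. The following is an added detection example written for this page; it is not code from the original write-up or from the malware. The log format, the field layout, the sample lines, the destination address 203.0.113.10 and the threshold of five uploads in ten minutes are all constructed assumptions, not observed BADNEWS indicators.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Document types the write-up says BADNEWS harvests on command.
TARGET_EXTENSIONS = {".xls", ".xlsx", ".doc", ".docx", ".ppt", ".pptx", ".pdf"}

# Constructed sample log lines (not real telemetry). The format is an assumption:
# a proxy or DLP sensor that records, per request, the timestamp, client IP,
# HTTP method, destination host, bytes sent and the uploaded file name (if any).
SAMPLE_LOG = """\
2019-10-25T09:00:01 10.0.0.12 POST 203.0.113.10 48211 Budget_FY19.xlsx
2019-10-25T09:00:04 10.0.0.12 POST 203.0.113.10 120334 Board_Minutes.docx
2019-10-25T09:00:09 10.0.0.12 POST 203.0.113.10 9932 notes.doc
2019-10-25T09:00:15 10.0.0.12 POST 203.0.113.10 778120 Q3_review.pptx
2019-10-25T09:00:21 10.0.0.12 POST 203.0.113.10 301220 contract.pdf
2019-10-25T09:00:30 10.0.0.12 POST 203.0.113.10 51200 vendors.xls
2019-10-25T09:05:00 10.0.0.20 GET  www.example.com 0 -
2019-10-25T09:06:10 10.0.0.20 POST mail.example.com 64000 report.docx
2019-10-25T08:10:00 10.0.0.31 POST share.example.com 9000 a.pdf
2019-10-25T14:40:00 10.0.0.31 POST share.example.com 9100 b.pdf
2019-10-25T09:07:00 10.0.0.12 POST 203.0.113.10 2048 avatar.png
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<dst>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<fname>\S+)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["bytes"] = int(rec["bytes"])
    name = rec["fname"].lower()
    rec["ext"] = name[name.rfind("."):] if "." in name else ""
    return rec


def find_bulk_document_uploads(lines, threshold=5, window=timedelta(minutes=10)):
    """Flag client IPs that POST at least `threshold` office/PDF files to the same
    destination inside any interval of length `window`. Returns {src: summary}."""
    events = defaultdict(list)  # (src, dst) -> [(timestamp, extension), ...]
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["ext"] in TARGET_EXTENSIONS:
            events[(rec["src"], rec["dst"])].append((rec["ts"], rec["ext"]))

    findings = {}
    for (src, dst), evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until every event in it is within `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                prev = findings.get(src)
                if prev is None or count > prev["count"]:
                    findings[src] = {
                        "dst": dst,
                        "count": count,
                        "extensions": sorted({e for _, e in evs[start:end + 1]}),
                        "first": evs[start][0],
                        "last": evs[end][0],
                    }
    return findings


if __name__ == "__main__":
    for src, info in find_bulk_document_uploads(SAMPLE_LOG.splitlines()).items():
        print(f"{src} -> {info['dst']}: {info['count']} document uploads "
              f"({', '.join(info['extensions'])}) between {info['first']} and {info['last']}")
```

On the constructed sample only 10.0.0.12 is flagged: six target-type files go to one host in under a minute, while the PNG upload from the same client is ignored and the two PDFs from 10.0.0.31 are hours apart. The per-(source, destination) grouping matters because a legitimate user sending several attachments to a mail gateway should not trip the same rule as a host streaming its document tree to a single unfamiliar server; the threshold and window are tuning knobs to be set against baseline traffic, not fixed values from the page.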

Patchwork is not the most prominent Advanced Persistent Threat (APT) group, but its attacks are still notable – it uses custom-built malware and has inside information that helps it craft legitimate-looking decoy documents that are sent to its victims.
