Posted on July 31, 2023 at 7:53 AM

Patchwork Hackers Use Eyeshell Backdoor To Launch Hacking Campaign Against China

Threat actors linked to a hacking group known as Patchwork have launched campaigns targeting universities and research institutions based in China. The hacking campaign launched by the hacker group was only observed recently and was detected to cause significant harm to the targeted parties.

Patchwork hackers use Eyeshell backdoor to target Chinese research firms

The hacking activity conducted by this hacker group was observed by a research team known as KnownSec 404 Team. This team described using a backdoor with the EyeShell codename to conduct various hacking campaigns.

The Patchwork hacker group also goes by other names, such as Operation Hangover and Zinc Emerson. Researchers said that the hacker group is suspected to be a threat actor that operates on behalf of the Indian government.

This hacking organization is believed to have been active since around December 2015. The attack chains launched by the group have a slim focus, and they tend to target both China and Pakistan. The two entities are targeted using custom implants like BADNEWS through spear-phishing hacking campaigns.

The hacker group has also been deploying watering hole attacks to run the hacking campaign. According to the research, the adversarial collective shares similarities with other cyber-espionage hacker groups, especially those connected to India.

The hacking techniques and activity reported in the breach by Patchwork appear similar to what has been seen in other hacker groups such as DoNot Team and SideWinder. These similarities indicate that the hacker group might have links to India.

The Patchwork hacker group

Patchwork is one of the most notorious hacker groups. In May this year, social media giant Meta announced that it had shut down 50 accounts on Facebook and Instagram. These accounts were linked to the Patchwork hacker group.

The research said this hacker group exploited fake messaging apps listed on the Google Play Store app marketplace. The apps were later used to gather data from victims from Bangladesh, China, India, Pakistan, Sri Lanka, and Tibet.

The social media giant also said that the Patchwork hacker group largely relied on extensive and fake personas to conduct a social engineering attack. This attack prompted people to follow malicious links and download malicious applications.

The researchers also noted that the fake apps came with simple malicious functionality, and they granted access to user data depending on the legitimate app permissions granted to the end user. The hacker group also hosted a fake website for these fake apps where they reviewed some of the top chat apps in the market and then included their malicious app to trick users into downloading it.

“These apps contained relatively basic malicious functionality with the access to user data solely reliant on legitimate app permissions granted by the end user. Notably, Patchwork created a fake review website for chat apps where they listed the top five communication apps, putting their own attacker-controlled app at the top of the list,” the researchers said.

Some of the activities conducted by this hacker group have also been detailed under the ModifiedElephant label by Secureworks. ModifiedElephant refers to a wide range of attacks that target human rights activists, academic professionals, and lawyers based in India.

These hackers target these professions to run a long-term surveillance campaign. During this campaign, the hackers will install incriminating digital evidence linked to the 2018 Bhima Koregaon violence witnessed in Maharashtra.

The report by EyeShell also detected that the BADNEWS custom implants were not the only tool used to run this hacking campaign. The researchers noted that a .NET-based modular backdoor was also used. This backdoor contained many capabilities to create contact with a remote command-and-control (C2) server.

The hackers can also execute a wide range of commands to enumerate directories and files. They can also download and upload files to and from the host while executing the specified files. A hacker can also delete files and take screenshots using this modular backdoor.

The findings in the research come after a cybersecurity firm detailed a wide range of phishing campaigns being run by a hacker group known as Bitter. These hacking campaigns target the aerospace, military, universities, large enterprises, and the military. The hacking attacks use a new backdoor dubbed ORPCBackdoor.

The Bitter hacker group is believed to operate from South Asia, and it was detected launching hacking campaigns against the nuclear energy sector in China using malware downloaders. The downloaders were installed using CHM and Microsoft Excel Files to create persistence and access payloads.