Patchwork Hackers Target Chinese Research Organizations Using EyeShell Backdoor

Threat actors associated with the hacking crew known as Patchwork have been spotted targeting universities and research organizations in China as part of a recently observed campaign.

The activity, according to KnownSec 404 Team, entailed the use of a backdoor codenamed EyeShell.

Patchwork, also known by the names Operation Hangover and Zinc Emerson, is suspected to be a threat group that operates on behalf of India. Active since at least December 2015, attack chains mounted by the outfit have a narrow focus and tend to single out Pakistan and China with custom implants such as BADNEWS via spear-phishing and watering hole attacks.

The adversarial collective has been found to share tactical overlaps with other cyber-espionage groups with an Indian connection, including SideWinder and the DoNot Team.

Earlier this May, Meta disclosed that it took down 50 accounts on Facebook and Instagram operated by Patchwork, which took advantage of rogue messaging apps uploaded to the Google Play Store to collect data from victims in Pakistan, India, Bangladesh, Sri Lanka, Tibet, and China.

“Patchwork relied on a range of elaborate fictitious personas to socially engineer people into clicking on malicious links and downloading malicious apps,” the social media giant said.

“These apps contained relatively basic malicious functionality with the access to user data solely reliant on legitimate app permissions granted by the end user. Notably, Patchwork created a fake review website for chat apps where they listed the top five communication apps, putting their own, attacker-controlled app at the top of the list.”

Some of its activities have also been reported under the name ModifiedElephant, according to Secureworks, referring to a set of attacks against human rights activists, academics, and lawyers across India to conduct long-term surveillance and plant “incriminating digital evidence” in connection with the 2018 Bhima Koregaon violence in the state of Maharashtra.

EyeShell, detected alongside BADNEWS, is a a .NET-based modular backdoor that comes with capabilities to establish contact with a remote command-and-control (C2) server and execute commands to enumerate files and directories, downloading and uploading files to and from the host, execute a specified file, delete files, and capture screenshots.

The findings come as the cybersecurity company also detailed another wave of phishing attacks orchestrated by a group called Bitter aimed at aerospace, military, large enterprises, national government affairs, and universities in the country with a new backdoor known as ORPCBackdoor.

The South Asian threat actor was previously detected targeting the nuclear energy industry in China with malware downloaders delivered via CHM and Microsoft Excel Files that are designed to create persistence and retrieve further payloads.