Incident Report: Malicious Document With Bangladesh Theme Possibly Linked to Patchwork Actor

Overview

The Cyber Intelligence and Policy Project (CIPP) has identified a malicious Microsoft Word document possibly linked to the actor publicly known as "Patchwork." VirusTotal indicates that the document carries the file name Bangladesh_Army_News.doc and was created on September 26, 2017. The Hybrid Analysis sandbox indicates that the document contains a malicious macro that downloads an executable from the command and control (C2) domain clep-cn[.]org. CIPP was able to retrieve this executable (202KSL.exe), indicating that the actor responsible is likely still active.

Hybrid Analysis shows that the document displays content related to the Bangladesh Army. The clep-cn[.]org C2 domain appears to refer to the Chinese Lunar Exploration Program (CLEP). This confluence of Bangladeshi and Chinese indicators suggests that targeting related to this file could center on the current Rohingya refugee crisis in Bangladesh, as China's interests are implicated.

In July 2016, the security company Cymmetria released a report about a targeted intrusion actor it referred to as "Patchwork." The report speculated about a possible pro-Indian actor with an interest in collecting information regarding China's activities. The clep-cn[.]org domain follows a China-focused naming convention similar to those described in Cymmetria's report; furthermore, a Bangladesh-themed document would be especially appropriate at the current time given China's interest in the Rohingya refugee crisis there.

Details

Exploit Document:

Retrieved Files:

C2:

  • clep-cn[.]org

Related Infrastructure: 


Targeting:

  • China

Related Public Reporting:

  • http://blog.cymmetria.com/research-report-how-we-caught-patchwork-the-copy-paste-apt

Actor/Campaign:

  • Patchwork
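
Hunting example (added here, not part of the CIPP report): a small Python check that takes the defanged C2 domain above and looks for it in web proxy logs, matching on DNS label boundaries so that subdomains are caught and lookalike names are not. The log format, the sample lines and the assumption that 202KSL.exe appears as the last URL path segment are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Indicators exactly as printed in the report (defanged); refanged only in memory.
C2_DOMAINS_DEFANGED = ["clep-cn[.]org"]
PAYLOAD_NAME = "202KSL.exe"  # file name from the report; its URL path is an assumption

def refang(indicator):
    """Turn a defanged indicator ("[.]", "hxxp") into a matchable string."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").strip().lower()

def host_matches(host, domain):
    """True for the domain itself or any subdomain, never for a lookalike suffix."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

# Assumed proxy log format: "<timestamp> <client_ip> <method> <url> <status>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

def hunt(lines):
    """Return one record per request whose destination host is a listed C2 domain."""
    domains = [refang(d) for d in C2_DOMAINS_DEFANGED]
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, _method, url, status = m.groups()
        if "://" not in url:          # CONNECT lines carry host:port, not a URL
            url = "//" + url
        parts = urlsplit(url)
        host = parts.hostname or ""
        if not any(host_matches(host, d) for d in domains):
            continue
        fetched = parts.path.lower().endswith("/" + PAYLOAD_NAME.lower())
        hits.append({"ts": ts, "client": client, "host": host,
                     "payload_fetch": fetched and status == "200"})
    return hits

_c2 = refang(C2_DOMAINS_DEFANGED[0])
SAMPLE_LOG = [  # constructed lines, not real telemetry
    f"2017-10-02T09:14:03Z 10.0.0.21 GET http://{_c2}/202KSL.exe 200",
    f"2017-10-02T09:15:10Z 10.0.0.35 CONNECT cdn.{_c2}:443 200",
    f"2017-10-02T09:16:00Z 10.0.0.40 GET http://not{_c2}/index.html 200",
    f"2017-10-02T09:17:42Z 10.0.0.41 GET http://example.com/?ref={_c2} 200",
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit)
```

A record with payload_fetch set marks a client that successfully retrieved the executable and should be triaged first; the other hits show contact with the domain only.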