BADNEWS is a backdoor Trojan that has been used in several attack campaigns carried out by the Patchwork group, an Advanced Persistent Threat actor that frequently targets Indian users. The BADNEWS Trojan has been around for over two years, but it received an update recently that strengthens its ability to evade sandbox environments and anti-virus engines and lets it carry out additional tasks on the compromised computer. The Patchwork group is also known by the names Dropping Elephant or Monsoon.
The Patchwork Group Continues to Improve the BADNEWS Backdoor
The latest campaign that involves the use of the BADNEWS backdoor Trojan is carried out with the help of spear-phishing emails whose subjects and contents are tailored to attract the interest of the recipients – the decoy documents may claim to contain information about the Pakistan Ministry of Interior or the Pakistan Atomic Energy Commission. The documents have a macro script embedded in them that attempts to exploit the Microsoft Office vulnerabilities CVE-2015-2545 and CVE-2017-0261.
BADNEWS is meant to serve as a reconnaissance and data exfiltration tool that also provides attackers with the ability to execute commands on the remote host and upload additional payloads. On command, BADNEWS can scan all hard disk partitions and look for files that use the extensions .xls, .xlsx, .doc, .docx, .ppt, .pptx and .pdf. The files are then uploaded to a Command & Control server via an HTTP request. The operators of the BADNEWS backdoor can execute a wide range of commands on the compromised host, enable a keylogger, and take screenshots of the desktop.
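As an added defender-side example that is not part of the original article: a small Python detector for the exfiltration pattern described above, a single host POSTing several of the listed document types to an outside server within a short window. It runs over a constructed proxy log in an assumed "<ISO time> <client> <method> <URL>" format with the uploaded filename in an `f=` query parameter; both the format and the addresses are assumptions, not real traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Document extensions the article says BADNEWS harvests from every disk partition
TARGET_EXTENSIONS = (".xls", ".xlsx", ".doc", ".docx", ".ppt", ".pptx", ".pdf")

# Constructed sample proxy log (hypothetical "<ISO time> <client> <method> <URL>" format), not real traffic
SAMPLE_LOG = """\
2024-05-01T10:00:04Z 10.0.0.5 POST http://203.0.113.9/up?f=budget.xlsx
2024-05-01T10:00:09Z 10.0.0.5 POST http://203.0.113.9/up?f=minutes.docx
2024-05-01T10:00:15Z 10.0.0.5 POST http://203.0.113.9/up?f=plan.pptx
2024-05-01T10:00:21Z 10.0.0.5 POST http://203.0.113.9/up?f=contract.pdf
2024-05-01T10:00:30Z 10.0.0.7 POST http://intranet.example/up?f=memo.docx
2024-05-01T11:30:00Z 10.0.0.7 POST http://203.0.113.9/up?f=old.xls
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
FILE_RE = re.compile(r"[?&]f=([^&\s]+)")

def parse_line(line):
    """Return (timestamp, client, method, host, uploaded filename) or None for unparsable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url = m.groups()
    f = FILE_RE.search(url)
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, method,
            url.split("/")[2].lower(), f.group(1).lower() if f else "")

def is_document_upload(rec, internal_hosts):
    """True for a POST of a harvested document type to a host not on the internal allow-list."""
    _, _, method, host, fname = rec
    return method == "POST" and host not in internal_hosts and fname.endswith(TARGET_EXTENSIONS)

def find_exfil_bursts(log_text, internal_hosts, window=timedelta(minutes=5), min_uploads=3):
    """Map client -> largest number of document uploads inside any `window`, for clients reaching min_uploads."""
    uploads = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_document_upload(rec, internal_hosts):
            uploads[rec[1]].append(rec[0])
    flagged = {}
    for client, times in uploads.items():
        times.sort()
        for i, start in enumerate(times):  # sliding window starting at each upload
            count = sum(1 for t in times[i:] if t - start <= window)
            if count >= min_uploads:
                flagged[client] = max(flagged.get(client, 0), count)
    return flagged
```

With the sample log, `find_exfil_bursts(SAMPLE_LOG, {"intranet.example"})` flags only 10.0.0.5 (four documents to one outside host within a minute); the threshold and window are starting points to tune against your own baseline of legitimate uploads.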
Patchwork is not the most prominent Advanced Persistent Threat (APT) group, but their attacks are still remarkable – they use custom-built malware and have inside information that helps them craft legitimate-looking decoy documents, which are then sent to their victims.
Use SpyHunter to Detect and Remove PC Threats
If you are concerned that malware or PC threats similar to BADNEWS may have infected your computer, we recommend you start an in-depth system scan with SpyHunter. SpyHunter is an advanced malware protection and remediation application that offers subscribers a comprehensive method for protecting PCs from malware, in addition to providing one-on-one technical support service.
Why can't I open any program including SpyHunter? You may have a malware file running in memory that kills any programs that you try to launch on your PC. Tip: Download SpyHunter from a clean computer, copy it to a USB thumb drive, DVD or CD, then install it on the infected PC and run SpyHunter's malware scanner.