
BadPatch

Posted: July 14, 2020

BadPatch is a malware family that has been closely observed by cybersecurity experts since 2017. The first samples of the BadPatch implants were distributed via fraudulent email attachments, and it seems that the operators of this malware continue to rely on the same tactics to this very day. One of the latest and prominent BadPatch campaigns took place in 2019 – the malware was distributed to victims in the Middle East, and it was often disguised as an important email attachment that pretended to have been created by a high-profile political figure. It is very likely that the BadPatch implants are being used for long-term espionage and data-theft operations, and there is a strong suspicion that an Advanced Persistent Threat (APT) actor is behind these attacks. To be more specific, the Molerats APT group is suspected to be the organization behind the BadPatch campaigns.

BadPatch Campaign Involves Windows Trojans

The BadPatch implants are compatible with Windows exclusively, but malware researchers recently uncovered an Android malware sample that used servers and network infrastructure previously involved in the BadPatch campaigns. The newly uncovered campaign relies on a fake Android application called 'Welcome Chat' – it poses as a legitimate chat application but, in reality, serves to provide remote attackers with access to the compromised device. It is suspected that the Molerats APT is behind the development of the 'Welcome Chat' fake app – researchers base this theory on the overlap in the network infrastructure used to orchestrate the attacks, and on the fact that both malware families target Middle Eastern victims.

B3hpy is one of the Latest Implants to be Linked to the BadPatch Campaign

Another new malware sample to be linked to the BadPatch project is B3hpy – it is a Windows-compatible backdoor Trojan that can be used to execute remote commands, steal files, manage system configuration, and control running processes. The B3hpy implant is not as advanced as the original BadPatch samples, but it is definitely not a threat that should be underestimated.

It is believed that the BadPatch implants provide attackers with the ability to perform the following tasks on infected Windows systems:

  • Switch between HTTP and SMTP control servers.
  • Steal files that use specific file extensions – usually documents and archives.
  • Search for specific filenames and file extensions that can be stolen at a later stage.
  • Initialize a keylogger.
  • Grab screenshots of specific windows or the entire desktop.
  • Collect hardware and software data.
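As an added example (not part of the original page), the following pass over constructed network-connection telemetry flags a single non-mail process on one host that talks to both HTTP and SMTP ports, the dual control-channel behaviour listed above; the process names, port sets and mail-client allowlist are assumptions to tune per environment.

```python
# Added example (not from the original page): flag endpoints where one
# non-mail process uses both HTTP and SMTP ports, matching the HTTP/SMTP
# control-channel switching described for the BadPatch implants.
from collections import defaultdict

HTTP_PORTS = {80, 8080, 443}
SMTP_PORTS = {25, 465, 587}
# Processes expected to speak SMTP legitimately; assumed allowlist.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}


def flag_dual_channel(events):
    """Return sorted (host, process) pairs that used both HTTP and SMTP ports.

    Each event is a dict with keys host, process, dst_port, i.e. network
    connection telemetry (for example Sysmon event ID 3) reduced to the
    fields this check needs.
    """
    seen = defaultdict(set)  # (host, process) -> {"http", "smtp"}
    for ev in events:
        proc = ev["process"].lower()
        if proc in MAIL_CLIENTS:
            continue  # mail clients are expected on SMTP ports
        key = (ev["host"], proc)
        if ev["dst_port"] in HTTP_PORTS:
            seen[key].add("http")
        elif ev["dst_port"] in SMTP_PORTS:
            seen[key].add("smtp")
    return sorted(k for k, chans in seen.items() if chans == {"http", "smtp"})


# Constructed sample telemetry with placeholder host and process names.
SAMPLE_EVENTS = [
    {"host": "ws01", "process": "svcupd.exe", "dst_port": 80},
    {"host": "ws01", "process": "svcupd.exe", "dst_port": 587},
    {"host": "ws02", "process": "outlook.exe", "dst_port": 587},
    {"host": "ws02", "process": "outlook.exe", "dst_port": 443},
    {"host": "ws03", "process": "chrome.exe", "dst_port": 443},
    {"host": "ws03", "process": "chrome.exe", "dst_port": 80},
]

if __name__ == "__main__":
    for host, proc in flag_dual_channel(SAMPLE_EVENTS):
        print(f"review: {proc} on {host} used both HTTP and SMTP ports")
```

Only ws01 is flagged: the allowlisted mail client on ws02 and the HTTP-only browser on ws03 do not match.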

Three years after it was discovered, the BadPatch campaign is still receiving regular updates, and new malware samples are being used in the attacks. The campaign appears to be focused on targets in the Middle East, and the malicious implant is often spread via phishing emails that pretend to come from prominent political figures.
