BADNEWS

Malware Profile Updated 3 months ago
Badnews is a sophisticated malware family used by Patchwork, an Indian advanced persistent threat (APT) group. It has been used to infiltrate Pakistani government agencies and steal sensitive information, with spear-phishing as the delivery tactic. The malware infects systems via malicious downloads, emails, or websites, often without the user's knowledge. Once inside a system, it can disrupt operations, steal personal data, and even hold data hostage for ransom. In recent campaigns, Badnews has been deployed alongside the EyeShell backdoor on compromised systems, illustrating the evolving nature of the threat.

The Badnews payload has undergone significant updates since its last public report in December 2017. It traditionally used legitimate third-party websites to host the malware's command and control (C2) information, which act as "dead drops". Recent observations, however, show changes both to how the malware obtains its C2 server information and to the C2 communication process itself. After collecting the necessary C2 information, the malware communicates with remote servers over HTTP. These updates, together with the use of recent EPS-based exploits, indicate that the threat actors behind Badnews are actively refining their toolset to stay ahead of security measures.

Badnews retains many functions of previous versions, including keylogging and identifying files of interest. During its C2 communications, it sends initial pings to the remote server that include strings containing the victim's information, and then communicates with the identified C2 server via HTTP. Previous variants of Badnews looked for data between '{{' and '}}' on the dead-drop page and used a simple cipher to decode it. The continued evolution of Badnews, both in how it uses dead-drop resolvers and in how it communicates with a remote C2 server, underscores the need for ongoing vigilance and advanced cybersecurity measures.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Backdoor
Implant
Malware
Government
Apt
Payload
Malware Payl...
Exploits
Associated Malware
ID | Type | Votes | Profile Description
EyeShell | Unspecified | 1 | EyeShell is a new type of malware, specifically a .NET-based modular backdoor, that has been developed and deployed by the India-linked threat actor known as Patchwork APT. This malicious software is capable of establishing contact with a remote command-and-control (C2) server to carry out various o
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the BADNEWS malware was read from the document corpus below. This display is limited to 20 results.
Source | Created | Title
CERT-EU | a year ago | Connect the Dots on State-Sponsored Cyber Incidents - Targeting of the Pakistani government
CERT-EU | a year ago | India-linked Patchwork APT targets Chinese research orgs with EyeShell backdoor
MITRE | a year ago | Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent