BADNEWS is malware that has been used by the actors responsible for the Patchwork campaign. It is named for its use of RSS feeds, forums, and blogs for command and control. [1] [2]

ID: S0128
Platforms: Windows

Version: 1.0

Techniques Used

Domain | ID | Name | Use
Enterprise | T1119 | Automated Collection | BADNEWS monitors USB devices and copies files with certain extensions to a predefined directory. [2]
Enterprise | T1116 | Code Signing | BADNEWS is sometimes signed with an invalid Authenticode certificate in an apparent effort to make it look more legitimate. [2]
Enterprise | T1059 | Command-Line Interface | BADNEWS is capable of executing commands via cmd.exe. [1] [2]
Enterprise | T1024 | Custom Cryptographic Protocol | BADNEWS encrypts C2 data with a ROR by 3 and an XOR by 0x23. [1] [2]
Enterprise | T1132 | Data Encoding | BADNEWS encodes C2 traffic with base64. [1] [3] [2]
Enterprise | T1005 | Data from Local System | When it first starts, BADNEWS crawls the victim's local drives and collects documents with the following extensions: .doc, .docx, .pdf, .ppt, .pptx, and .txt. [1] [3]
Enterprise | T1039 | Data from Network Shared Drive | When it first starts, BADNEWS crawls the victim's mapped drives and collects documents with the following extensions: .doc, .docx, .pdf, .ppt, .pptx, and .txt. [1]
Enterprise | T1025 | Data from Removable Media | BADNEWS copies files with certain extensions from USB devices to a predefined directory. [2]
Enterprise | T1001 | Data Obfuscation | After encrypting C2 data, BADNEWS converts it into a hexadecimal representation and then encodes it into base64. [1]
Enterprise | T1074 | Data Staged | BADNEWS copies documents under 15MB found on the victim system to the user's %temp%\SMB\ folder. It also copies files from USB devices to a predefined directory. [1] [2]
Enterprise | T1073 | DLL Side-Loading | BADNEWS typically loads its DLL file into a legitimate signed Java or VMware executable. [1] [3]
Enterprise | T1106 | Execution through API | BADNEWS has a command to download an .exe and execute it via the CreateProcess API. It can also run with ShellExecute. [1] [2]
Enterprise | T1083 | File and Directory Discovery | BADNEWS identifies files with certain extensions on USB devices, then copies them to a predefined directory. [2]
Enterprise | T1056 | Input Capture | When it first starts, BADNEWS spawns a new thread to log keystrokes. [1] [3] [2]
Enterprise | T1036 | Masquerading | BADNEWS attempts to hide its payloads using legitimate filenames. [3]
Enterprise | T1120 | Peripheral Device Discovery | BADNEWS checks for new hard drives on the victim, such as USB devices, by listening for the WM_DEVICECHANGE window message. [1] [2]
Enterprise | T1093 | Process Hollowing | BADNEWS has a command to download an .exe and use process hollowing to inject it into a new process. [1] [2]
Enterprise | T1060 | Registry Run Keys / Startup Folder | BADNEWS installs a registry Run key to establish persistence. [1]
Enterprise | T1105 | Remote File Copy | BADNEWS is capable of downloading additional files through C2 channels, including a new version of itself. [1] [3] [2]
Enterprise | T1053 | Scheduled Task | BADNEWS creates a scheduled task to establish persistence by executing a malicious payload every subsequent minute. [3]
Enterprise | T1113 | Screen Capture | BADNEWS has a command to take a screenshot and send it to the C2 server. [1] [3]
Enterprise | T1071 | Standard Application Layer Protocol | BADNEWS establishes a backdoor over HTTP. [3]
Enterprise | T1102 | Web Service | BADNEWS can use multiple C2 channels, including RSS feeds, GitHub, forums, and blogs. BADNEWS also collects C2 information via a dead drop resolver. [1] [3] [2]
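The T1024, T1132 and T1001 entries above together describe one layered C2 encoding: per-byte ROR 3 and XOR 0x23, then a hexadecimal representation, then base64. The following added Python is an analyst-side reconstruction written for this page, not BADNEWS's own code or code from the cited reports. It assumes an 8-bit rotate applied before the XOR (the page does not state the order), accepts either hex case, and pairs a decoder for captured beacon data with a simple heuristic that flags base64 blobs whose inner content is pure hex, which is the shape this scheme produces on the wire. The function names and the sample message are constructed for the example.

```python
import base64
import binascii

XOR_KEY = 0x23   # from the page: XOR by 0x23
ROTATE = 3       # from the page: ROR by 3
HEX_CHARS = frozenset("0123456789abcdefABCDEF")


def ror8(b: int, n: int) -> int:
    """Rotate an 8-bit value right by n bits."""
    n %= 8
    return ((b >> n) | (b << (8 - n))) & 0xFF


def rol8(b: int, n: int) -> int:
    """Rotate an 8-bit value left by n bits (inverse of ror8)."""
    n %= 8
    return ((b << n) | (b >> (8 - n))) & 0xFF


def badnews_encode(plaintext: bytes) -> str:
    """Produce the wire form described on the page, used here only to build
    test fixtures: ROR 3 then XOR 0x23 per byte (order assumed), hex, base64."""
    enc = bytes(ror8(b, ROTATE) ^ XOR_KEY for b in plaintext)
    return base64.b64encode(enc.hex().encode("ascii")).decode("ascii")


def badnews_decode(wire: str) -> bytes:
    """Reverse the layers of a captured blob: base64 -> hex -> XOR -> ROL 3.
    Raises ValueError on input that is not in the expected layered format."""
    hex_text = base64.b64decode(wire, validate=True).decode("ascii")
    enc = bytes.fromhex(hex_text)
    return bytes(rol8(b ^ XOR_KEY, ROTATE) for b in enc)


def looks_like_layered_hex_blob(wire: str) -> bool:
    """Detection heuristic: valid base64 whose decoded content is a non-empty,
    even-length string of hex digits. Ordinary base64-encoded text or binary
    will almost never decode to pure hex, so this flags the page's scheme
    without needing the XOR/rotate key at all."""
    try:
        inner = base64.b64decode(wire, validate=True).decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return False
    return len(inner) > 0 and len(inner) % 2 == 0 and all(c in HEX_CHARS for c in inner)


if __name__ == "__main__":
    # Constructed sample message, not real captured traffic.
    sample = b"hostname=WORKSTATION-01;user=alice"
    blob = badnews_encode(sample)
    print("wire form :", blob)
    print("flagged   :", looks_like_layered_hex_blob(blob))
    print("recovered :", badnews_decode(blob))
```

Run against real captures, the heuristic is a triage filter and the decoder confirms a hit: a blob that the heuristic flags and that decodes to readable host or file metadata is strong evidence of this encoding, while a flagged blob that decodes to noise suggests a different key or byte order than assumed here.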


Groups that use this software: