BADNEWS

BADNEWS malware has been used by the actors responsible for the Patchwork campaign. Its name derives from its use of RSS feeds, forums, and blogs for command and control.[1][2]

Techniques Used

Domain ID Name Use
Enterprise VT0027 .001 Encrypted Channel: Symmetric Cryptography

BADNEWS encrypts C2 data with a ROR by 3 and an XOR by 0x23.[1][2]
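The following is an added example, not code from the page or from any published BADNEWS analysis, that implements the byte-wise ROR-3 / XOR-0x23 transform described above together with its inverse so an analyst can recover captured C2 data. It assumes the transform is applied per byte and that the rotate precedes the XOR when encoding; the sample payload is constructed.

```python
# Added example: byte-wise ROR-by-3 / XOR-by-0x23 encoder and decoder for the
# BADNEWS C2 obfuscation scheme. Assumptions not stated on the page: the
# operation is per byte, and encoding rotates first and XORs second.

XOR_KEY = 0x23
ROTATE_BITS = 3


def _ror8(value: int, bits: int) -> int:
    """Rotate an 8-bit value right by `bits` positions."""
    bits %= 8
    return ((value >> bits) | (value << (8 - bits))) & 0xFF


def _rol8(value: int, bits: int) -> int:
    """Rotate an 8-bit value left by `bits` positions."""
    bits %= 8
    return ((value << bits) | (value >> (8 - bits))) & 0xFF


def badnews_encode(plain: bytes) -> bytes:
    """Apply ROR-by-3 then XOR-by-0x23 to every byte (assumed encode order)."""
    return bytes(_ror8(b, ROTATE_BITS) ^ XOR_KEY for b in plain)


def badnews_decode(encoded: bytes) -> bytes:
    """Invert badnews_encode: undo the XOR first, then rotate left by 3."""
    return bytes(_rol8(b ^ XOR_KEY, ROTATE_BITS) for b in encoded)


# Constructed sample: a plausible beacon payload before obfuscation.
SAMPLE_PLAINTEXT = b"HOST=LAB-PC01&USER=analyst"


def roundtrip_ok(data: bytes = SAMPLE_PLAINTEXT) -> bool:
    """Sanity check that decoding an encoded buffer restores the original."""
    return badnews_decode(badnews_encode(data)) == data


if __name__ == "__main__":
    enc = badnews_encode(SAMPLE_PLAINTEXT)
    print(enc.hex())                # obfuscated bytes as they would appear on the wire
    print(badnews_decode(enc))      # b'HOST=LAB-PC01&USER=analyst'
```

Because the scheme has no key beyond the fixed constants, the same decoder applies to any captured buffer; if the real sample XORs before rotating, swap the order in both functions.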

Enterprise VT0018 .001 Input Capture: Keylogging

When it first starts, BADNEWS spawns a new thread to log keystrokes.[1][3][2]

Enterprise VT0015 .001 Masquerading: Invalid Code Signature

BADNEWS is sometimes signed with an invalid Authenticode certificate in an apparent effort to make it look more legitimate.[2]

References

Attachments

ID: VS0013

Type: MALWARE

Platforms: Windows

Version: 1.2

Created: 07 May 2021

Last Modified: 09 May 2021