Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Patchwork

Patchwork is a cyber espionage group that was first observed in December 2015. While the group has not been definitively attributed, circumstantial evidence suggests the group may be a pro-Indian or Indian entity. Patchwork has been seen targeting industries related to diplomatic and government agencies. Much of the code used by this group was copied and pasted from online forums. Patchwork was also seen operating spearphishing campaigns targeting U.S. think tank groups in March and April of 2018.(Citation: Cymmetria Patchwork) (Citation: Symantec Patchwork)(Citation: TrendMicro Patchwork Dec 2017)(Citation: Volexity Patchwork June 2018)
ID: G0040
Associated Groups: Chinastrats, Dropping Elephant, Hangover Group, Operation Hangover, MONSOON
Version: 1.5
Created: 31 May 2017
Last Modified: 22 Mar 2023

Associated Group Descriptions

Name Description
Chinastrats (Citation: Securelist Dropping Elephant)
Dropping Elephant (Citation: Symantec Patchwork) (Citation: Securelist Dropping Elephant) (Citation: PaloAlto Patchwork Mar 2018) (Citation: Volexity Patchwork June 2018)
Hangover Group Patchwork and the Hangover Group have both been referenced as aliases for the threat group associated with Operation Monsoon.(Citation: PaloAlto Patchwork Mar 2018)(Citation: Unit 42 BackConfig May 2020)(Citation: Forcepoint Monsoon)
Operation Hangover It is believed that the actors behind Patchwork are the same actors behind Operation Hangover. (Citation: Forcepoint Monsoon) (Citation: Operation Hangover May 2013)
MONSOON MONSOON is the name of an espionage campaign; we use it here to refer to the actor group behind the campaign. (Citation: Forcepoint Monsoon) (Citation: PaloAlto Patchwork Mar 2018)

Techniques Used

Domain ID Name Use
Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

Patchwork bypassed User Access Control (UAC).(Citation: Cymmetria Patchwork)

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Patchwork has added the path of its second-stage malware to the startup folder to achieve persistence. One of its file stealers has also persisted by adding a Registry Run key.(Citation: Cymmetria Patchwork)(Citation: TrendMicro Patchwork Dec 2017)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Patchwork used PowerSploit to download payloads, run a reverse shell, and execute malware on the victim's machine.(Citation: Cymmetria Patchwork)(Citation: TrendMicro Patchwork Dec 2017)

.003 Command and Scripting Interpreter: Windows Command Shell

Patchwork ran a reverse shell with Meterpreter.(Citation: Cymmetria Patchwork) Patchwork used JavaScript code and .SCT files on victim machines.(Citation: TrendMicro Patchwork Dec 2017)(Citation: Volexity Patchwork June 2018)

.005 Command and Scripting Interpreter: Visual Basic

Patchwork used Visual Basic Scripts (VBS) on victim machines.(Citation: TrendMicro Patchwork Dec 2017)(Citation: Volexity Patchwork June 2018)

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

Patchwork dumped the login data database from \AppData\Local\Google\Chrome\User Data\Default\Login Data.(Citation: Cymmetria Patchwork)

Enterprise T1132 .001 Data Encoding: Standard Encoding

Patchwork used Base64 to encode C2 traffic.(Citation: Cymmetria Patchwork)

Enterprise T1074 .001 Data Staged: Local Data Staging

Patchwork copied all targeted files to a directory called index that was eventually uploaded to the C&C server.(Citation: TrendMicro Patchwork Dec 2017)

Enterprise T1587 .002 Develop Capabilities: Code Signing Certificates

Patchwork has created self-signed certificates from fictitious and spoofed legitimate software companies that were later used to sign malware.(Citation: Unit 42 BackConfig May 2020)

Enterprise T1574 .002 Hijack Execution Flow: DLL Side-Loading

A Patchwork .dll that contains BADNEWS is loaded and executed using DLL side-loading.(Citation: TrendMicro Patchwork Dec 2017)

Enterprise T1070 .004 Indicator Removal: File Deletion

Patchwork removed certain files and replaced them so they could not be retrieved.(Citation: TrendMicro Patchwork Dec 2017)

Enterprise T1559 .002 Inter-Process Communication: Dynamic Data Exchange

Patchwork leveraged the DDE protocol to deliver their malware.(Citation: TrendMicro Patchwork Dec 2017)

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Patchwork installed its payload in the startup programs folder as "Baidu Software Update." The group also adds its second stage payload to the startup programs as “Net Monitor."(Citation: Cymmetria Patchwork) They have also dropped QuasarRAT binaries as files named microsoft_network.exe and crome.exe.(Citation: Volexity Patchwork June 2018)

Enterprise T1027 .001 Obfuscated Files or Information: Binary Padding

Patchwork apparently altered NDiskMonitor samples by adding four bytes of random letters in a likely attempt to change the file hashes.(Citation: TrendMicro Patchwork Dec 2017)

.002 Obfuscated Files or Information: Software Packing

A Patchwork payload was packed with UPX.(Citation: Securelist Dropping Elephant)

.005 Obfuscated Files or Information: Indicator Removal from Tools

Patchwork apparently altered NDiskMonitor samples by adding four bytes of random letters in a likely attempt to change the file hashes.(Citation: TrendMicro Patchwork Dec 2017)

.010 Obfuscated Files or Information: Command Obfuscation

Patchwork has obfuscated a script with Crypto Obfuscator.(Citation: TrendMicro Patchwork Dec 2017)

Enterprise T1588 .002 Obtain Capabilities: Tool

Patchwork has obtained and used open-source tools such as QuasarRAT.(Citation: Volexity Patchwork June 2018)

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Patchwork has used spearphishing with an attachment to deliver files with exploits to initial victims.(Citation: Cymmetria Patchwork)(Citation: Securelist Dropping Elephant)(Citation: TrendMicro Patchwork Dec 2017)(Citation: Volexity Patchwork June 2018)

.002 Phishing: Spearphishing Link

Patchwork has used spearphishing with links to deliver files with exploits to initial victims.(Citation: Symantec Patchwork)(Citation: TrendMicro Patchwork Dec 2017)(Citation: Unit 42 BackConfig May 2020)

Enterprise T1598 .003 Phishing for Information: Spearphishing Link

Patchwork has used embedded image tags (known as web bugs) with unique, per-recipient tracking links in their emails for the purpose of identifying which recipients opened messages.(Citation: Volexity Patchwork June 2018)

Enterprise T1055 .012 Process Injection: Process Hollowing

A Patchwork payload uses process hollowing to hide the UAC bypass vulnerability exploitation inside svchost.exe.(Citation: Cymmetria Patchwork)

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

Patchwork attempted to use RDP to move laterally.(Citation: Cymmetria Patchwork)

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

A Patchwork file stealer can run a TaskScheduler DLL to add persistence.(Citation: TrendMicro Patchwork Dec 2017)

Enterprise T1518 .001 Software Discovery: Security Software Discovery

Patchwork scanned the “Program Files” directories for a directory with the string “Total Security” (the installation path of the “360 Total Security” antivirus tool).(Citation: Cymmetria Patchwork)

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

Patchwork has signed malware with self-signed certificates from fictitious and spoofed legitimate software companies.(Citation: Unit 42 BackConfig May 2020)

Enterprise T1204 .001 User Execution: Malicious Link

Patchwork has used spearphishing with links to try to get users to click, download and open malicious files.(Citation: Symantec Patchwork)(Citation: TrendMicro Patchwork Dec 2017)(Citation: Volexity Patchwork June 2018)(Citation: Unit 42 BackConfig May 2020)

.002 User Execution: Malicious File

Patchwork embedded a malicious macro in a Word document and lured the victim to click on an icon to execute the malware.(Citation: TrendMicro Patchwork Dec 2017)(Citation: Volexity Patchwork June 2018)

Enterprise T1102 .001 Web Service: Dead Drop Resolver

Patchwork hides base64-encoded and encrypted C2 server locations in comments on legitimate websites.(Citation: Securelist Dropping Elephant)

Software

ID Name References Techniques
S0194 PowerSploit (Citation: Cymmetria Patchwork) (Citation: GitHub PowerSploit May 2012) (Citation: PowerShellMagazine PowerSploit July 2014) (Citation: PowerSploit Documentation) Path Interception by PATH Environment Variable, Keylogging, Reflective Code Loading, Credentials in Registry, Indicator Removal from Tools, Audio Capture, Windows Management Instrumentation, Path Interception by Unquoted Path, Query Registry, Data from Local System, Group Policy Preferences, Path Interception, Dynamic-link Library Injection, Command Obfuscation, Access Token Manipulation, Windows Service, Screen Capture, Registry Run Keys / Startup Folder, Scheduled Task, DLL Search Order Hijacking, Path Interception by Search Order Hijacking, Kerberoasting, Local Account, Security Support Provider, Process Discovery, Windows Credential Manager, PowerShell, Domain Trust Discovery, LSASS Memory
S0131 TINYTYPHON (Citation: Forcepoint Monsoon) Encrypted/Encoded File, File and Directory Discovery, Registry Run Keys / Startup Folder, Automated Exfiltration
S0130 Unknown Logger (Citation: Forcepoint Monsoon) System Information Discovery, System Owner/User Discovery, Replication Through Removable Media, Ingress Tool Transfer, System Network Configuration Discovery, Credentials from Web Browsers, Keylogging, Disable or Modify Tools
S0475 BackConfig (Citation: Unit 42 BackConfig May 2020) Code Signing, Visual Basic, Windows Command Shell, Ingress Tool Transfer, Native API, File and Directory Discovery, Office Template Macros, File Deletion, System Information Discovery, Command Obfuscation, Hidden Files and Directories, Scheduled Task, Web Protocols, Deobfuscate/Decode Files or Information, Match Legitimate Name or Location, Malicious Link
S0272 NDiskMonitor (Citation: TrendMicro Patchwork Dec 2017) System Owner/User Discovery, Symmetric Cryptography, Ingress Tool Transfer, System Information Discovery, File and Directory Discovery
S0262 QuasarRAT (Citation: GitHub QuasarRAT) (Citation: Securelist APT10 March 2021) (Citation: TrendMicro Patchwork Dec 2017) (Citation: Volexity Patchwork June 2018) (Citation: xRAT) Remote Desktop Protocol, Keylogging, Symmetric Cryptography, Credentials from Web Browsers, Registry Run Keys / Startup Folder, Hidden Window, System Information Discovery, Ingress Tool Transfer, System Location Discovery, Modify Registry, Hidden Files and Directories, System Owner/User Discovery, Bypass User Account Control, Data from Local System, Non-Application Layer Protocol, System Network Configuration Discovery, Credentials from Password Stores, Credentials In Files, Windows Command Shell, Proxy, Non-Standard Port, Code Signing, Scheduled Task, Video Capture
S0128 BADNEWS (Citation: Forcepoint Monsoon) (Citation: TrendMicro Patchwork Dec 2017) Dead Drop Resolver, Web Protocols, Screen Capture, Data from Local System, Symmetric Cryptography, DLL Side-Loading, Data Encoding, Keylogging, Bidirectional Communication, Invalid Code Signature, Automated Collection, Scheduled Task, Data from Network Shared Drive, Standard Encoding, Registry Run Keys / Startup Folder, Data from Removable Media, Windows Command Shell, Process Hollowing, Ingress Tool Transfer, Match Legitimate Name or Location, Native API, Local Data Staging, File and Directory Discovery, Peripheral Device Discovery
S0129 AutoIt backdoor (Citation: Forcepoint Monsoon) File and Directory Discovery, Bypass User Account Control, Standard Encoding, PowerShell

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.