Patchwork
Associated Group Descriptions |
|
Name | Description |
---|---|
Chinastrats | (Citation: Securelist Dropping Elephant) |
Dropping Elephant | (Citation: Symantec Patchwork) (Citation: Securelist Dropping Elephant) (Citation: PaloAlto Patchwork Mar 2018) (Citation: Volexity Patchwork June 2018) |
Hangover Group | Patchwork and the Hangover Group have both been referenced as aliases for the threat group associated with Operation Monsoon.(Citation: PaloAlto Patchwork Mar 2018)(Citation: Unit 42 BackConfig May 2020)(Citation: Forcepoint Monsoon) |
Operation Hangover | It is believed that the actors behind Patchwork are the same actors behind Operation Hangover. (Citation: Forcepoint Monsoon) (Citation: Operation Hangover May 2013) |
MONSOON | MONSOON is the name of an espionage campaign; we use it here to refer to the actor group behind the campaign. (Citation: Forcepoint Monsoon) (Citation: PaloAlto Patchwork Mar 2018) |
Techniques Used |
||||
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1548 | .002 | Abuse Elevation Control Mechanism: Bypass User Account Control |
Patchwork bypassed User Access Control (UAC).(Citation: Cymmetria Patchwork) |
Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
Patchwork has added the path of its second-stage malware to the startup folder to achieve persistence. One of its file stealers has also persisted by adding a Registry Run key.(Citation: Cymmetria Patchwork)(Citation: TrendMicro Patchwork Dec 2017) |
Enterprise | T1059 | .001 | Command and Scripting Interpreter: PowerShell |
Patchwork used PowerSploit to download payloads, run a reverse shell, and execute malware on the victim's machine.(Citation: Cymmetria Patchwork)(Citation: TrendMicro Patchwork Dec 2017) |
.003 | Command and Scripting Interpreter: Windows Command Shell |
Patchwork ran a reverse shell with Meterpreter.(Citation: Cymmetria Patchwork) Patchwork used JavaScript code and .SCT files on victim machines.(Citation: TrendMicro Patchwork Dec 2017)(Citation: Volexity Patchwork June 2018) |
||
.005 | Command and Scripting Interpreter: Visual Basic |
Patchwork used Visual Basic Scripts (VBS) on victim machines.(Citation: TrendMicro Patchwork Dec 2017)(Citation: Volexity Patchwork June 2018) |
||
Enterprise | T1555 | .003 | Credentials from Password Stores: Credentials from Web Browsers |
Patchwork dumped the login data database from |
Enterprise | T1132 | .001 | Data Encoding: Standard Encoding |
Patchwork used Base64 to encode C2 traffic.(Citation: Cymmetria Patchwork) |
Enterprise | T1074 | .001 | Data Staged: Local Data Staging |
Patchwork copied all targeted files to a directory called index that was eventually uploaded to the C&C server.(Citation: TrendMicro Patchwork Dec 2017) |
Enterprise | T1587 | .002 | Develop Capabilities: Code Signing Certificates |
Patchwork has created self-signed certificates from fictitious and spoofed legitimate software companies that were later used to sign malware.(Citation: Unit 42 BackConfig May 2020) |
Enterprise | T1574 | .002 | Hijack Execution Flow: DLL Side-Loading |
A Patchwork .dll that contains BADNEWS is loaded and executed using DLL side-loading.(Citation: TrendMicro Patchwork Dec 2017) |
Enterprise | T1070 | .004 | Indicator Removal: File Deletion |
Patchwork removed certain files and replaced them so they could not be retrieved.(Citation: TrendMicro Patchwork Dec 2017) |
Enterprise | T1559 | .002 | Inter-Process Communication: Dynamic Data Exchange |
Patchwork leveraged the DDE protocol to deliver their malware.(Citation: TrendMicro Patchwork Dec 2017) |
Enterprise | T1036 | .005 | Masquerading: Match Legitimate Name or Location |
Patchwork installed its payload in the startup programs folder as "Baidu Software Update." The group also adds its second stage payload to the startup programs as “Net Monitor."(Citation: Cymmetria Patchwork) They have also dropped QuasarRAT binaries as files named microsoft_network.exe and crome.exe.(Citation: Volexity Patchwork June 2018) |
Enterprise | T1027 | .001 | Obfuscated Files or Information: Binary Padding |
Patchwork apparently altered NDiskMonitor samples by adding four bytes of random letters in a likely attempt to change the file hashes.(Citation: TrendMicro Patchwork Dec 2017) |
.002 | Obfuscated Files or Information: Software Packing |
A Patchwork payload was packed with UPX.(Citation: Securelist Dropping Elephant) |
||
.005 | Obfuscated Files or Information: Indicator Removal from Tools |
Patchwork apparently altered NDiskMonitor samples by adding four bytes of random letters in a likely attempt to change the file hashes.(Citation: TrendMicro Patchwork Dec 2017) |
||
.010 | Obfuscated Files or Information: Command Obfuscation |
Patchwork has obfuscated a script with Crypto Obfuscator.(Citation: TrendMicro Patchwork Dec 2017) |
||
Enterprise | T1588 | .002 | Obtain Capabilities: Tool |
Patchwork has obtained and used open-source tools such as QuasarRAT.(Citation: Volexity Patchwork June 2018) |
Enterprise | T1566 | .001 | Phishing: Spearphishing Attachment |
Patchwork has used spearphishing with an attachment to deliver files with exploits to initial victims.(Citation: Cymmetria Patchwork)(Citation: Securelist Dropping Elephant)(Citation: TrendMicro Patchwork Dec 2017)(Citation: Volexity Patchwork June 2018) |
.002 | Phishing: Spearphishing Link |
Patchwork has used spearphishing with links to deliver files with exploits to initial victims.(Citation: Symantec Patchwork)(Citation: TrendMicro Patchwork Dec 2017)(Citation: Unit 42 BackConfig May 2020) |
||
Enterprise | T1598 | .003 | Phishing for Information: Spearphishing Link |
Patchwork has used embedded image tags (known as web bugs) with unique, per-recipient tracking links in their emails for the purpose of identifying which recipients opened messages.(Citation: Volexity Patchwork June 2018) |
Enterprise | T1055 | .012 | Process Injection: Process Hollowing |
A Patchwork payload uses process hollowing to hide the UAC bypass vulnerability exploitation inside svchost.exe.(Citation: Cymmetria Patchwork) |
Enterprise | T1021 | .001 | Remote Services: Remote Desktop Protocol |
Patchwork attempted to use RDP to move laterally.(Citation: Cymmetria Patchwork) |
Enterprise | T1053 | .005 | Scheduled Task/Job: Scheduled Task |
A Patchwork file stealer can run a TaskScheduler DLL to add persistence.(Citation: TrendMicro Patchwork Dec 2017) |
Enterprise | T1518 | .001 | Software Discovery: Security Software Discovery |
Patchwork scanned the “Program Files” directories for a directory with the string “Total Security” (the installation path of the “360 Total Security” antivirus tool).(Citation: Cymmetria Patchwork) |
Enterprise | T1553 | .002 | Subvert Trust Controls: Code Signing |
Patchwork has signed malware with self-signed certificates from fictitious and spoofed legitimate software companies.(Citation: Unit 42 BackConfig May 2020) |
Enterprise | T1204 | .001 | User Execution: Malicious Link |
Patchwork has used spearphishing with links to try to get users to click, download and open malicious files.(Citation: Symantec Patchwork)(Citation: TrendMicro Patchwork Dec 2017)(Citation: Volexity Patchwork June 2018)(Citation: Unit 42 BackConfig May 2020) |
.002 | User Execution: Malicious File |
Patchwork embedded a malicious macro in a Word document and lured the victim to click on an icon to execute the malware.(Citation: TrendMicro Patchwork Dec 2017)(Citation: Volexity Patchwork June 2018) |
||
Enterprise | T1102 | .001 | Web Service: Dead Drop Resolver |
Patchwork hides base64-encoded and encrypted C2 server locations in comments on legitimate websites.(Citation: Securelist Dropping Elephant) |
References
- Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
- Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018.
- Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved August 3, 2016.
- Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020.
- Kaspersky Lab's Global Research & Analysis Team. (2016, July 8). The Dropping Elephant – aggressive cyber-espionage in the Asian region. Retrieved August 3, 2016.
- Hamada, J.. (2016, July 25). Patchwork cyberespionage group expands targets from governments to wide range of industries. Retrieved August 17, 2016.
- Levene, B. et al.. (2018, March 7). Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent. Retrieved March 31, 2018.
- Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
- Fagerland, S., et al. (2013, May). Operation Hangover: Unveiling an Indian Cyberattack Infrastructure. Retrieved September 26, 2016.
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.