Patchwork Cyber-Espionage Group Expands Targets

Patchwork, also referred to as Dropping Elephant, is a cyber-espionage group that targets diplomatic and government agencies, private businesses, and, most recently, US think tank organizations. As the name suggests, the group is known for rehashing existing tools and malware in its campaigns to obtain sensitive and confidential data. Patchwork employs social engineering tactics and backdoors, and exploits known vulnerabilities in Dynamic Data Exchange (DDE) and Windows Script Component (SCT) files. The group recently expanded its spear-phishing campaigns to track which recipients opened emails and incorporated lures on topics related to the Council on Foreign Relations (CFR), the Center for Strategic and International Studies (CSIS), and the Mercator Institute for China Studies (MERICS). Currently, Patchwork is leveraging the open-source malware Quasar RAT, which provides remote desktop access, webcam viewing, keylogging, file management, and the ability to download, upload, and execute files remotely. Patchwork has been observed distributing Quasar RAT in spear-phishing emails that contain hyperlinked text leading to a malicious Rich Text Format (RTF) document that, when opened, downloads and executes the malware on the targeted system. The NJCCIC recommends that organizations review the Volexity report, educate their users on spear-phishing and other social engineering tactics, deploy proactive defenses such as email gateways, firewalls, and endpoint protection, apply the Principle of Least Privilege to all user accounts, and always keep hardware and software updated.