Patchwork Cyber-Espionage Campaign

Patchwork, also referred to as Dropping Elephant, is a cyber-espionage group that targets diplomatic and government agencies and private businesses. As the name suggests, the group is known for rehashing existing tools and malware in its campaigns. Based on Patchwork's targets and operations, the group's primary objective is to obtain sensitive and confidential data. The group gains access to a target's network through spear-phishing emails carrying malicious attachments or links, and through website redirects. It employs social engineering, deploys backdoors, exploits recently disclosed vulnerabilities, and abuses Dynamic Data Exchange (DDE) and Windows Script Component (.sct) files to execute code. The malicious documents range from Rich Text Format (.rtf) files to PowerPoint Open XML Slide Show (.ppsx) and PowerPoint (.ppt) files and carry exploits for a variety of vulnerabilities. The group additionally abuses DDE fields to retrieve and execute the Android xRAT malware, and it delivers the following malware families: NDiskMonitor, Socksbot, Badnews, Taskhost Stealer, and Wintel Stealer.

Patchwork also takes steps to frustrate analysis of its infrastructure. It uses publicly available PHP scripts to serve files from its servers without exposing the files' real paths, likely to prevent researchers from finding open directories. It temporarily removes malicious files and replaces them with legitimate ones, and its servers' home pages return a fake HTTP 302 redirect to mislead researchers who visit them directly.

Patchwork has targeted organizations in China and South Asia, and it has recently targeted the UK, Turkey, and Israel with spear-phishing emails. Victims include business-to-consumer (B2C) online retailers, telecommunications and media companies, aerospace researchers, and financial institutions. The UN Development Programme was also targeted.
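The DDE abuse described above is a useful thing to check for at the mail gateway or during triage, because a DDE field is a document feature rather than an exploit and is not caught by patching alone. The following is an added example written for this bulletin; it is not NJCCIC, Trend Micro or Patchwork code. It scans RTF and Office Open XML documents for DDE/DDEAUTO field instructions and normalizes the two evasions commonly seen in such lures: splitting the field text across RTF groups, control words or \'hh hex escapes, and splitting it across several instrText runs in Word XML. Both sample documents are constructed inline for demonstration and are not real Patchwork lures.

```python
"""Triage check for DDE field codes in RTF and Office Open XML documents.

Added example for this bulletin; it is not NJCCIC, Trend Micro or Patchwork
code. The sample documents at the bottom are constructed for demonstration.
"""
import io
import re
import sys
import zipfile
from html import unescape

# A DDE/DDEAUTO field instruction and the command that follows it (capped at
# 200 characters so one hit does not swallow the rest of the document).
DDE_FIELD = re.compile(r"\bDDE(?:AUTO)?\b[ \t]+\S[^\r\n]{0,199}", re.IGNORECASE)

_RTF_HEX = re.compile(r"\\'([0-9a-fA-F]{2})")          # \'hh escaped byte
_RTF_BREAK = re.compile(r"\\(?:par|line)\b ?")         # paragraph / line breaks
_RTF_CONTROL_WORD = re.compile(r"\\[a-zA-Z]+-?\d* ?")  # e.g. \fldinst, \insrsid1979651
_RTF_CONTROL_SYMBOL = re.compile(r"\\[^a-zA-Z]")       # e.g. \*, \~, \{
_ESCAPED_BACKSLASH = "\x00"                            # placeholder for a literal "\\"


def normalize_rtf(data: bytes) -> str:
    """Flatten RTF so a field instruction that was split across groups,
    control words or hex escapes reads as one contiguous string."""
    text = data.decode("latin-1")
    text = _RTF_HEX.sub(lambda m: chr(int(m.group(1), 16)), text)  # \'44 -> D
    text = text.replace("\\\\", _ESCAPED_BACKSLASH)  # keep path separators intact
    text = _RTF_BREAK.sub("\n", text)
    text = _RTF_CONTROL_WORD.sub("", text)
    text = _RTF_CONTROL_SYMBOL.sub("", text)
    text = text.replace("{", "").replace("}", "")
    text = text.replace(_ESCAPED_BACKSLASH, "\\")
    return re.sub(r"[ \t]+", " ", text)


def ooxml_field_instructions(data: bytes) -> list[str]:
    """Collect field instructions from every XML part of a .docx/.pptx/.ppsx.
    Consecutive instrText runs are joined, because lures split DDEAUTO over
    several runs to defeat naive string matching."""
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".xml"):
                continue
            xml = zf.read(name).decode("utf-8", errors="replace")
            runs = re.findall(r"<(?:\w+:)?instrText[^>]*>(.*?)</(?:\w+:)?instrText>", xml, re.DOTALL)
            if runs:
                found.append(unescape("".join(runs)))
            found.extend(unescape(i) for i in re.findall(r'<(?:\w+:)?fldSimple[^>]*instr="([^"]*)"', xml))
    return found


def find_dde(data: bytes) -> list[str]:
    """Return every DDE field instruction found in an RTF or OOXML document."""
    if data.startswith(b"{\\rtf"):
        candidates = [normalize_rtf(data)]
    elif data.startswith(b"PK\x03\x04"):
        candidates = ooxml_field_instructions(data)
    else:
        candidates = [data.decode("latin-1")]
    return [m.group(0).strip() for text in candidates for m in DDE_FIELD.finditer(text)]


def build_docx(document_xml: str) -> bytes:
    """Build a minimal in-memory .docx (constructed sample, not a real lure)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", document_xml)
    return buf.getvalue()


# Constructed RTF lure: "DDEAUTO" hidden as D\'44E plus a split group.
SAMPLE_RTF = (
    rb"{\rtf1\ansi{\field{\*\fldinst {\rtlch D\'44E{\insrsid1979651 AUTO} "
    rb"c:\\Windows\\System32\\cmd.exe /k calc.exe}}{\fldrslt }}\par Benign text follows.}"
)
BENIGN_RTF = rb"{\rtf1\ansi Quarterly report.\par Nothing to see.}"

# Constructed Word XML lure: the field instruction split over two instrText runs.
SAMPLE_DOCX = build_docx(
    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body><w:p>'
    '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText xml:space="preserve"> DDE</w:instrText></w:r>'
    '<w:r><w:instrText xml:space="preserve">AUTO c:\\Windows\\System32\\cmd.exe &quot;/k calc.exe&quot;</w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
    '</w:p></w:body></w:document>'
)
BENIGN_DOCX = build_docx('<w:document><w:body><w:p><w:r><w:t>Quarterly report</w:t></w:r></w:p></w:body></w:document>')

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            for hit in find_dde(fh.read()):
                print(f"{path}: {hit}")
```

Run it as `python dde_check.py suspicious.rtf lure.docx` to list any DDE field instructions found. The check is a triage heuristic, not a verdict: a document that merely discusses DDE in its prose can trigger it, and the RTF normalization is deliberately lossy (for example, a hex-escaped backslash is not re-merged into a control word), so hits should be confirmed by opening the field code in a sandbox rather than on a user workstation.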
The NJCCIC recommends that organizations review Trend Micro's report; educate their users on spear-phishing and other social engineering tactics; deploy proactive defenses such as email gateways, firewalls, and endpoint protection; apply the Principle of Least Privilege to all user accounts; and keep hardware and software patched and up to date. Symantec also published a blog post detailing Patchwork activity in 2016.