Patchwork

Patchwork is a cyber espionage group that was first observed in December 2015. While the group has not been definitively attributed, circumstantial evidence suggests the group may be a pro-Indian or Indian entity. Patchwork has been seen targeting industries related to diplomatic and government agencies. Much of the code used by this group was copied and pasted from online forums. Patchwork was also seen operating spearphishing campaigns targeting U.S. think tank groups in March and April of 2018.[1][2][3][4]

ID: G0040
Associated Groups: Hangover Group, Dropping Elephant, Chinastrats, MONSOON, Operation Hangover
Version: 1.5
Created: 31 May 2017
Last Modified: 22 March 2023

Associated Group Descriptions

Name Description
Hangover Group

Patchwork and the Hangover Group have both been referenced as aliases for the threat group associated with Operation Monsoon.[5][6][7]

Dropping Elephant

[2] [8] [5] [4]

Chinastrats

[8]

MONSOON

MONSOON is the name of an espionage campaign; we use it here to refer to the actor group behind the campaign. [7] [5]

Operation Hangover

It is believed that the actors behind Patchwork are the same actors behind Operation Hangover. [7] [9]

Techniques Used

Domain ID Name Use
Enterprise T1197 BITS Jobs

Patchwork has used BITS jobs to download malicious payloads.[6]

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

Patchwork dumped the login data database from \AppData\Local\Google\Chrome\User Data\Default\Login Data.[1]

Enterprise T1005 Data from Local System

Patchwork collected and exfiltrated files from the infected system.[1]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Patchwork installed its payload in the startup programs folder as "Baidu Software Update." The group also adds its second stage payload to the startup programs as "Net Monitor."[1] They have also dropped QuasarRAT binaries as files named microsoft_network.exe and crome.exe.[4]

Enterprise T1598 .003 Phishing for Information: Spearphishing Link

Patchwork has used embedded image tags (known as web bugs) with unique, per-recipient tracking links in their emails for the purpose of identifying which recipients opened messages.[4]
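The web-bug technique described above can be checked for on the receiving side. The following is an added detection example (not code from the original page or from any of the cited reports) that flags remote image tags in an HTML e-mail body that are tiny or carry an opaque per-recipient token; the sender domain list and the sample message are constructed assumptions.

```python
"""Flag tracking-pixel style image tags (web bugs) in an HTML e-mail body."""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Opaque identifiers of the kind used to tell recipients apart (assumed length threshold).
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{16,}$")

# Constructed sample message body; the hosts and token are invented for the example.
SAMPLE_EMAIL_HTML = """
<html><body>
<img src="https://mail.thinktank.example.org/logo.png" width="120" height="40">
<p>Please see the attached agenda.</p>
<img src="https://cdn.example.net/img/banner.png">
<img src="https://track.example-tracker.com/o.gif?r=7f3a9c2e1b4d5e6f0a1b" width="1" height="1">
</body></html>
"""

class _ImgCollector(HTMLParser):
    """Collect the attribute dicts of every <img> tag in the body."""
    def __init__(self):
        super().__init__()
        self.imgs = []
    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.imgs.append(dict(attrs))

def _is_tiny(attrs):
    """True when both width and height are at most 2 px (classic 1x1 pixel)."""
    try:
        w = int(str(attrs.get("width", "")).rstrip("px") or 100)
        h = int(str(attrs.get("height", "")).rstrip("px") or 100)
    except ValueError:
        return False
    return w <= 2 and h <= 2

def _has_opaque_token(url):
    """True when a query value or path segment looks like a per-recipient identifier."""
    parsed = urlparse(url)
    values = [v for vs in parse_qs(parsed.query).values() for v in vs]
    values += parsed.path.split("/")
    return any(TOKEN_RE.match(v) for v in values)

def find_web_bugs(html, sender_domains):
    """Return remote image URLs not served from the sender that are tiny or token-bearing."""
    parser = _ImgCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.imgs:
        src = attrs.get("src") or ""
        if not src.startswith(("http://", "https://")):
            continue  # inline/cid images cannot report back
        host = urlparse(src).hostname or ""
        if any(host == d or host.endswith("." + d) for d in sender_domains):
            continue  # images from the sender's own domain are expected
        if _is_tiny(attrs) or _has_opaque_token(src):
            hits.append(src)
    return hits
```

Running `find_web_bugs(SAMPLE_EMAIL_HTML, ["thinktank.example.org"])` reports only the 1x1 tracker; a mail gateway can then strip or rewrite such images before delivery so that opening the message reveals nothing to the sender.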

Enterprise T1112 Modify Registry

A Patchwork payload deletes Resiliency Registry keys created by Microsoft Office applications in an apparent effort to trick users into thinking there were no issues during application runs.[3]

Enterprise T1574 .002 Hijack Execution Flow: DLL Side-Loading

A Patchwork .dll that contains BADNEWS is loaded and executed using DLL side-loading.[3]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Patchwork has added the path of its second-stage malware to the startup folder to achieve persistence. One of its file stealers has also persisted by adding a Registry Run key.[1][3]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Patchwork used PowerSploit to download payloads, run a reverse shell, and execute malware on the victim's machine.[1][3]

.003 Command and Scripting Interpreter: Windows Command Shell

Patchwork ran a reverse shell with Meterpreter.[1] Patchwork used JavaScript code and .SCT files on victim machines.[3][4]

.005 Command and Scripting Interpreter: Visual Basic

Patchwork used Visual Basic Scripts (VBS) on victim machines.[3][4]

Enterprise T1203 Exploitation for Client Execution

Patchwork uses malicious documents to deliver remote execution exploits. The group has previously exploited CVE-2017-8570, CVE-2012-1856, CVE-2014-4114, CVE-2017-0199, CVE-2017-11882, and CVE-2015-1641.[1][8][2][5][3][4][6]

Enterprise T1587 .002 Develop Capabilities: Code Signing Certificates

Patchwork has created self-signed certificates from fictitious and spoofed legitimate software companies that were later used to sign malware.[6]

Enterprise T1560 Archive Collected Data

Patchwork encrypted the collected files' path with AES and then encoded them with base64.[3]

Enterprise T1074 .001 Data Staged: Local Data Staging

Patchwork copied all targeted files to a directory called index that was eventually uploaded to the C&C server.[3]

Enterprise T1132 .001 Data Encoding: Standard Encoding

Patchwork used Base64 to encode C2 traffic.[1]

Enterprise T1083 File and Directory Discovery

A Patchwork payload has searched all fixed drives on the victim for files matching a specified list of extensions.[1][3]

Enterprise T1189 Drive-by Compromise

Patchwork has used watering holes to deliver files with exploits to initial victims.[2][4]

Enterprise T1027 .001 Obfuscated Files or Information: Binary Padding

Patchwork apparently altered NDiskMonitor samples by adding four bytes of random letters in a likely attempt to change the file hashes.[3]

.002 Obfuscated Files or Information: Software Packing

A Patchwork payload was packed with UPX.[8]

.005 Obfuscated Files or Information: Indicator Removal from Tools

Patchwork apparently altered NDiskMonitor samples by adding four bytes of random letters in a likely attempt to change the file hashes.[3]

.010 Obfuscated Files or Information: Command Obfuscation

Patchwork has obfuscated a script with Crypto Obfuscator.[3]

Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

Patchwork bypassed User Account Control (UAC).[1]

Enterprise T1204 .001 User Execution: Malicious Link

Patchwork has used spearphishing with links to try to get users to click, download and open malicious files.[2][3][4][6]

.002 User Execution: Malicious File

Patchwork embedded a malicious macro in a Word document and lured the victim to click on an icon to execute the malware.[3][4]

Enterprise T1070 .004 Indicator Removal: File Deletion

Patchwork removed certain files and replaced them so they could not be retrieved.[3]

Enterprise T1082 System Information Discovery

Patchwork collected the victim computer name, OS version, and architecture type and sent the information to its C2 server. Patchwork also enumerated all available drives on the victim's machine.[1][3]

Enterprise T1033 System Owner/User Discovery

Patchwork collected the victim username and whether it was running as admin, then sent the information to its C2 server.[1][3]

Enterprise T1102 .001 Web Service: Dead Drop Resolver

Patchwork hides base64-encoded and encrypted C2 server locations in comments on legitimate websites.[8]

Enterprise T1119 Automated Collection

Patchwork developed a file stealer to search C:\ and collect files with certain extensions. Patchwork also executed a script to enumerate all drives, store them as a list, and upload generated files to the C2 server.[3]

Enterprise T1588 .002 Obtain Capabilities: Tool

Patchwork has obtained and used open-source tools such as QuasarRAT.[4]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

Patchwork scanned the "Program Files" directories for a directory with the string "Total Security" (the installation path of the "360 Total Security" antivirus tool).[1]

Enterprise T1105 Ingress Tool Transfer

Patchwork payloads download additional files from the C2 server.[8][3]

Enterprise T1055 .012 Process Injection: Process Hollowing

A Patchwork payload uses process hollowing to hide the UAC bypass vulnerability exploitation inside svchost.exe.[1]

Enterprise T1559 .002 Inter-Process Communication: Dynamic Data Exchange

Patchwork leveraged the DDE protocol to deliver their malware.[3]

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

Patchwork attempted to use RDP to move laterally.[1]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Patchwork has used spearphishing with an attachment to deliver files with exploits to initial victims.[1][8][3][4]

.002 Phishing: Spearphishing Link

Patchwork has used spearphishing with links to deliver files with exploits to initial victims.[2][3][6]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

A Patchwork file stealer can run a TaskScheduler DLL to add persistence.[3]

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

Patchwork has signed malware with self-signed certificates from fictitious and spoofed legitimate software companies.[6]

Software

ID Name References Techniques
S0129 AutoIt backdoor [7] Command and Scripting Interpreter: PowerShell, Data Encoding: Standard Encoding, File and Directory Discovery, Abuse Elevation Control Mechanism: Bypass User Account Control
S0475 BackConfig [6] Masquerading: Match Legitimate Name or Location, Office Application Startup: Office Template Macros, Deobfuscate/Decode Files or Information, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: Windows Command Shell, Application Layer Protocol: Web Protocols, File and Directory Discovery, Native API, Obfuscated Files or Information: Command Obfuscation, User Execution: Malicious Link, Indicator Removal: File Deletion, System Information Discovery, Ingress Tool Transfer, Hide Artifacts: Hidden Files and Directories, Scheduled Task/Job: Scheduled Task, Subvert Trust Controls: Code Signing
S0128 BADNEWS [7][3] Data from Removable Media, Data from Local System, Data from Network Shared Drive, Masquerading: Invalid Code Signature, Masquerading: Match Legitimate Name or Location, Encrypted Channel: Symmetric Cryptography, Hijack Execution Flow: DLL Side-Loading, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Peripheral Device Discovery, Screen Capture, Application Layer Protocol: Web Protocols, Data Staged: Local Data Staging, Data Encoding, Data Encoding: Standard Encoding, File and Directory Discovery, Native API, Web Service: Dead Drop Resolver, Web Service: Bidirectional Communication, Automated Collection, Ingress Tool Transfer, Input Capture: Keylogging, Process Injection: Process Hollowing, Scheduled Task/Job: Scheduled Task
S0272 NDiskMonitor [3] Encrypted Channel: Symmetric Cryptography, File and Directory Discovery, System Information Discovery, System Owner/User Discovery, Ingress Tool Transfer
S0194 PowerSploit [1] Windows Management Instrumentation, Credentials from Password Stores: Windows Credential Manager, Data from Local System, Create or Modify System Process: Windows Service, Hijack Execution Flow: Path Interception by PATH Environment Variable, Hijack Execution Flow: Path Interception by Unquoted Path, Hijack Execution Flow: DLL Search Order Hijacking, Hijack Execution Flow: Path Interception by Search Order Hijacking, Reflective Code Loading, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Security Support Provider, Command and Scripting Interpreter: PowerShell, Domain Trust Discovery, Screen Capture, OS Credential Dumping: LSASS Memory, Unsecured Credentials: Credentials in Registry, Unsecured Credentials: Group Policy Preferences, Query Registry, Obfuscated Files or Information: Indicator Removal from Tools, Obfuscated Files or Information: Command Obfuscation, Steal or Forge Kerberos Tickets: Kerberoasting, Access Token Manipulation, Account Discovery: Local Account, Input Capture: Keylogging, Process Discovery, Process Injection: Dynamic-link Library Injection, Audio Capture, Scheduled Task/Job: Scheduled Task
S0262 QuasarRAT [3][4] Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, Data from Local System, Proxy, Modify Registry, Encrypted Channel: Symmetric Cryptography, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Unsecured Credentials: Credentials In Files, Abuse Elevation Control Mechanism: Bypass User Account Control, System Location Discovery, System Information Discovery, System Owner/User Discovery, System Network Configuration Discovery, Video Capture, Ingress Tool Transfer, Input Capture: Keylogging, Remote Services: Remote Desktop Protocol, Hide Artifacts: Hidden Window, Hide Artifacts: Hidden Files and Directories, Non-Application Layer Protocol, Non-Standard Port, Scheduled Task/Job: Scheduled Task, Subvert Trust Controls: Code Signing
S0131 TINYTYPHON [7] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, File and Directory Discovery, Obfuscated Files or Information: Encrypted/Encoded File, Automated Exfiltration
S0130 Unknown Logger [7] Credentials from Password Stores: Credentials from Web Browsers, Impair Defenses: Disable or Modify Tools, System Information Discovery, System Owner/User Discovery, System Network Configuration Discovery, Ingress Tool Transfer, Input Capture: Keylogging, Replication Through Removable Media

References