Patchwork is a new threat actor that has been targeting numerous entities around the world using code that has been copied from various online forums, Cymmetria researchers reveal.
The group, believed to have been active since 2014, is estimated to have infected 2,500 victims since December 2015, when Cymmetria researchers first observed it. The threat actor targeted victims worldwide, including the United States, Europe, the Middle East, and APAC, and researchers say it focused mainly on personnel working on military and political assignments.
Furthermore, a detailed report from Cymmetria reveals that this advanced persistent threat usually targets individuals working on issues relating to Southeast Asia and the South China Sea and that many of the group’s targets were governments and government-related organizations.
What researchers observed was that, following the initial attack, which includes finding and stealing documents from the infected machine, if the target is deemed valuable enough, a second-stage attack is launched and more advanced malware is dropped onto the compromised system. The attackers also downloaded and executed a remote access tool based on open source PowerSploit on the target system.
The researchers detected the threat during a spear phishing attack against a government organization in Europe in late May 2016, which used a PowerPoint presentation file as the attack vector. The target was an employee working on Chinese policy research and the weaponized document contained a presentation on issues related to Chinese activity on the South China Sea.
The attack attempted to exploit the CVE-2014-4114 vulnerability that affects unpatched versions of Microsoft Office PowerPoint 2003 and 2007. The researchers discovered that the malicious code attempted to bypass UAC using code taken from an online forum, and that a second-stage attack was carried out, once again using a module built from code taken from various online forums and resources.
Using a deception campaign, the researchers lured the attackers into targeting a decoy system running in a virtual machine. This allowed them to gather data associated with the threat, observe the stages of the attack, see all of the network traffic, and analyze the lateral movement of the threat actor. By gaining access to one of the actor’s command and control (C&C) servers, researchers found an abundance of PPS files and more malicious code packages.
According to Cymmetria’s report, the APT is a pro-Indian or an Indian entity, mainly because many of the primary targets of this campaign are regional neighbors of India. This is also suggested by the fact that other targets appear to be of interest only if they relate to issues affecting India, but researchers say the conclusive evidence was the analysis of the group’s time-of-day activity (document editing, C&C activity, and domain registrations).
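The time-of-day analysis described above can be reproduced on any set of event timestamps. The following is an added illustration, not code or data from the Cymmetria report: the timestamps are constructed, working hours are assumed to be 09:00 to 18:00 local time, and every UTC offset in half-hour steps is scored by how many events fall inside that window.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample (not data from the Cymmetria report): UTC timestamps of
# the kinds of artefacts the report says were examined, i.e. document
# metadata edit times, C&C session activity and domain registrations.
SAMPLE_EVENTS = [
    ("doc_edit",    "2016-05-23T03:45:00Z"),
    ("doc_edit",    "2016-05-24T05:10:00Z"),
    ("c2_activity", "2016-05-24T07:02:00Z"),
    ("c2_activity", "2016-05-25T08:30:00Z"),
    ("domain_reg",  "2016-05-25T10:15:00Z"),
    ("c2_activity", "2016-05-26T11:40:00Z"),
    ("doc_edit",    "2016-05-26T12:15:00Z"),
]

def parse_utc(stamp: str) -> datetime:
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def local_hours(events, offset_hours: float):
    """Shift every event into the candidate zone and return its local clock hour."""
    tz = timezone(timedelta(hours=offset_hours))
    return [parse_utc(stamp).astimezone(tz).hour for _, stamp in events]

def work_hours_fraction(events, offset_hours: float, start=9, end=18) -> float:
    """Fraction of events whose local hour lies inside [start, end)."""
    hours = local_hours(events, offset_hours)
    return sum(start <= h < end for h in hours) / len(hours)

def rank_offsets(events, step=0.5):
    """Score every UTC offset from -12 to +14 (half-hour steps); best first.
    Ties are broken in favour of the offset closest to UTC."""
    candidates = [-12 + i * step for i in range(int(26 / step) + 1)]
    scored = [(work_hours_fraction(events, o), o) for o in candidates]
    return sorted(scored, key=lambda t: (-t[0], abs(t[1])))

def hour_histogram(events, offset_hours: float) -> Counter:
    """Events per local clock hour, useful to eyeball a working-day shape."""
    return Counter(local_hours(events, offset_hours))

if __name__ == "__main__":
    best_score, best_offset = rank_offsets(SAMPLE_EVENTS)[0]
    print(f"best fit: UTC{best_offset:+} ({best_score:.0%} of events in work hours)")
    print(sorted(hour_histogram(SAMPLE_EVENTS, best_offset).items()))
```

With only seven constructed events the sample fits UTC+5.5 uniquely; on real data the ranking should be read alongside weekday patterns and the spread of event sources, since a single artefact type can be deliberately timed.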
“The high degree of operational capacity stands in stark contradiction to the low technical ability displayed, which raises the question of whether the copy-paste nature of the threat was potentially intentional, perhaps an evolution of threat actors attempting to avoid the high cost of losing their expensive tool box and malware when they are eventually publicly disclosed. This, however, seems unlikely, as the use of such second-hand code is consistent with their second stage toolset meant for persistence, which should typically be built to resist detection,” researchers note.
Cymmetria’s CEO Gadi Evron says that another threat actor might have made it look like an India-related group was behind these attacks and built a false flag operation to fit, but there is no evidence to support this claim. Because India is a relatively quiet locale for cyber espionage activity, this pro-Indian threat actor, if it is indeed one, is noteworthy by itself given the scope and scale of the operation, the researchers conclude.