The cyber-espionage group known as “Patchwork” has been launching cyberattacks directly against United States-based think tanks, Volexity reveals.
Believed to be operating out of the Indian subcontinent and supposedly active since 2014, the threat group was previously observed targeting mainly government-associated organizations connected to Southeast Asia and the South China Sea.
After expanding its target list a couple of years ago, the group adopted new exploit techniques in late 2017, and also updated malware families in its arsenal earlier this year.
Also referred to as Dropping Elephant, Patchwork has shown an increase in activity recently, and also started using unique tracking links in their phishing emails, to identify which recipients opened their messages, Volexity has discovered.
The security firm observed three spear-phishing campaigns launched by the group, “leveraging domains and themes mimicking those of well-known think tank organizations in the United States.” The actors used articles and themes from the Council on Foreign Relations (CFR), the Center for Strategic and International Studies (CSIS), and the Mercator Institute for China Studies (MERICS) as lures, along with malicious Rich Text Format (RTF) documents.
The attacks shared the use of email recipient tracking, a linked RTF document, and the final payload, but various elements in each campaign were different, Volexity reports.
In one attack, the actors also used a domain name similar to the Foreign Policy Research Institute (FPRI), in a message supposedly coming from CFR. The spear-phishing emails contained links to files featuring the .doc extension, but which were in fact RTF documents attempting to exploit CVE-2017-8750 and execute code via a malicious scriptlet file embedded in the document.
The group apparently used publicly available exploit code from Github to deploy the freely available QuasarRAT.
Written in C#, the remote access tool (RAT) provides AES encryption of network communication, file management, the ability to download, upload, and execute files, keylogging, remote desktop access, remote webcam viewing, reverse proxy, and browser and FTP client password recovery, among other capabilities.
The malware achieves persistence by creating a scheduled task that points to the QuasarRAT binary (saved on disk as microsoft_network.exe). The scheduled task, named Microsoft_Security_Task, runs at 12:00 AM each day, then repeats every 5 minutes for 60 days.
When executed, the malware first attempts to determine the geographical location of the infected host, then starts beaconing over an encrypted connection to the command and control domain.
“The addition of US-based think tanks to the list of organizations in the crosshairs of Patchwork shows an increasing diversity in the geographic regions being targeted. While there were a few peculiar components to some of the spear phish messages, the campaigns and themes were strategically relevant to the organizations being targeted.
The Patchwork threat actors also appear to have adopted a technique seen from other APT groups where they are now tracking the effectiveness of their campaigns by recording which recipients have opened the phishing message,” Volexity notes.