Patchwork Threat Actor Expands Target List

The India-linked threat actor known as Patchwork or Dropping Elephant is targeting more than just government-associated organizations, Symantec researchers say.

In early July, Kaspersky Lab named the threat group Dropping Elephant (also known as Chinastrats) and revealed that it used weaponized Word or PowerPoint documents attached to spam emails that use Chinese-themed content as bait to lure victims into opening the attachments. At the time, the group was seen abusing the CVE-2012-0158 and CVE-2014-6352 vulnerabilities in Microsoft Office to target China-based government and diplomatic entities.

Soon after Kaspersky’s report, Cymmetria researchers published their own analysis of the group and called it Patchwork, because it uses code copied from various online forums. Cymmetria determined that the group had been active since 2014 and that it had infected around 2,500 victims since December 2015, targeting military and political individuals in the United States, Europe, the Middle East, and APAC, as long as they had some connection to issues relating to Southeast Asia and the South China Sea.

Now, Symantec reveals that the two previous reports were referring to the same threat group and says that the range of targets isn’t limited to government and military individuals and organizations related to China. According to Symantec, targets also include a broad variety of other industries. The main purpose behind the group’s attacks, researchers say, is to drop backdoor Trojans, while the delivery mechanism remains infected Word and PowerPoint documents.

Although it initially focused on governments and government-related organizations, Patchwork/Dropping Elephant has expanded its list of targets to include entities working in industries such as Aviation, Broadcasting, Energy, Financial, Non-governmental organizations (NGO), Pharmaceutical, Public sector, Publishing, and Software. However, the group remains focused on the public sector, Symantec reveals.

What’s more, the security firm reveals that the group’s victims are located worldwide, but that around half of the attacks are targeting individuals in the United States. Other targets are located in China, Japan, South East Asia, and the United Kingdom.

To ensure successful infections, the group tailors each attack to its victim. For example, the threat actor uses a legitimate mailing list provider to distribute newsletters to a select number of targets, and the newsletter links to the attacker’s website, which includes content that should draw the victim’s interest, mainly on topics related to China. Each of the websites is hosted on the same domain as the mailing list provider and each has been customized for the intended target, researchers say.

According to Symantec, these sites link to malicious PowerPoint (.pps) and rich text (with a Word .doc extension) files hosted on different domains. These files were designed to exploit three vulnerabilities in Microsoft Office, namely CVE-2014-4114, which was used in the Sandworm attacks against American and European targets in October 2014; CVE-2015-1641, a vulnerability patched in April 2015; and CVE-2012-0158, a Remote Code Execution flaw patched four years ago.
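An added example for mail or proxy triage of the two file types described above (not code from Symantec or SecurityWeek): it identifies the real container format from the leading bytes, flags rich text carrying a .doc extension, and flags RTF that embeds an OLE object through the `\objdata` control word. The finding labels, the sample bytes and the policy of routing every .pps attachment for review are assumptions made for this example.

```python
import re

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy binary .doc/.ppt/.pps container
RTF_PREFIX = b"{\\rt"                             # short prefix, so odd header variants still match
OBJDATA = re.compile(rb"\\objdata(?![a-z])")     # RTF control word carrying an embedded OLE object


def sniff(data: bytes) -> str:
    """Identify the container format from the leading bytes, ignoring the extension."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.lstrip().startswith(RTF_PREFIX):
        return "rtf"
    return "other"


def triage(filename: str, data: bytes) -> list:
    """Return the reasons (possibly none) to route an attachment to deeper analysis."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = sniff(data)
    findings = []
    if ext == "doc" and kind == "rtf":
        # The article's case: rich text delivered under a Word .doc name.
        findings.append("rtf-content-with-doc-extension")
    if kind == "rtf" and OBJDATA.search(data):
        findings.append("rtf-embeds-ole-object")
    if ext == "pps":
        # Assumed policy: slideshow files from external senders always get a second look.
        findings.append("pps-slideshow-attachment")
    return findings


# Constructed samples: harmless byte strings that only mimic file headers.
SAMPLES = {
    "report.doc": b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objdata 0105000002000000}}}",
    "memo.doc": OLE2_MAGIC + b"\x00" * 16,
    "brief.pps": OLE2_MAGIC + b"\x00" * 16,
    "notes.rtf": b"{\\rtf1\\ansi plain text only}",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name}: {sniff(blob)} {triage(name, blob)}")
```

A hit is a reason to detonate or inspect the file further, not a verdict: benign documents can also be RTF saved as .doc or contain embedded objects.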

For many years, CVE-2012-0158 has been the most popular Office exploit in malicious attacks, but cybercriminals have been switching to CVE-2015-1641 and CVE-2015-2545 over the past several weeks, a recent report from SophosLabs revealed. These security flaws, available in published exploit kits, have been linked to various APT groups, some using them at the 0-day stage, while others adopted them only after they became public.

Malicious documents used to drop various types of malware onto the victims’ computers include Backdoor.Enfourks, Backdoor.Steladok, Bloodhound.RTF.3, Trojan.PPDropper, Backdoor.Steladok!g1, Trojan.Gen.2, and Infostealer. Typically, the malicious .pps files would drop Backdoor.Enfourks, while the weaponized .doc would download Backdoor.Steladok, researchers also say.

“While both backdoor Trojans wait for commands from the threat actor, they can search for files and upload them to the specified server once activated. For unknown reasons, both threats use Baidu, the Chinese software vendor, in their routines. The Trojans confirm an internet connection by pinging Baidu’s server and create a registry entry with the vendor’s name to run every time Windows starts,” Symantec’s Joji Hamada explains.

To stay protected, users are advised to delete suspicious-looking emails, especially if they contain links or attachments. They should also keep their operating system and other software on their machines updated at all times, and should install and maintain security software to ensure that malware is blocked before it compromises the system.
