Patchwork Threat Actor Expands Target List

The India-linked threat actor known as Patchwork or Dropping Elephant is targeting more than just government-associated organizations, Symantec researchers say.

In early July, Kaspersky Lab named the threat group Dropping Elephant (also known as Chinastrats) and revealed that it used weaponized Word or PowerPoint documents attached to spam emails that use Chinese-themed content as bait to lure victims into opening the attachments. At the time, the group was seen abusing CVE-2012-0158 and CVE-2014-6352 vulnerabilities in Microsoft Office to target Chinese-based government and diplomatic entities.

Soon after Kaspersky’s report, Cymmetria researchers published their own analysis of the group and called it Patchwork, because it uses code copied from various online forums. Cymmetria determined that the group was active since 2014 and that it infected around 2,500 victims since December 2015, targeting military and political individuals in the United States, Europe, the Middle East, and APAC, as long as they have some connections to issues relating to Southeast Asia and the South China Sea.

Now, Symantec reveals that the two previous reports were referring to the same threat group and says that the range of targets isn’t limited to government and military individuals and organizations related to China. According to Symantec, targets also include a broad variety of other industries. The main purpose behind the group’s attacks, researchers say, is to drop backdoor Trojans, while the means for that remains infected Word and PowerPoint documents.

Although it initially focused on governments and government-related organizations, Patchwork/Dropping Elephant has expanded its list of targets to include entities working in industries such as Aviation, Broadcasting, Energy, Financial, Non-governmental organizations (NGO), Pharmaceutical, Public sector, Publishing, and Software. However, the group remains focused on the public sector, Symantec reveals.

What’s more, the security firm reveals that the group’s victims are located worldwide, but that around half of the attacks are targeting individuals in the United States. Other targets are located in China, Japan, South East Asia, and the United Kingdom.

To ensure successful infections, the group tailors each attack to its victim. For example, the threat actor uses a legitimate mailing list provider to distribute newsletters to a select number of targets and the newsletter links to the attacker’s website, which includes content that should draw victim’s interest, mainly on topics related to China. Each of the websites is hosted on the same domain as the mailing list provider and each has been customized for the intended target, researchers say.

According to Symantec, these sites link to malicious PowerPoint (.pps) and rich text (with a Word .doc extension) files hosted on different domains. These files were designed to exploit three vulnerabilities in Microsoft Office, namely CVE-2014-4114, which was used in the Sandworm attacks against American and European targets in October 2014; CVE-2015-1641, a vulnerability patched in April 2015, and CVE-2012-0158, a Remote Code Execution flaw patched four years ago.

For many years, CVE-2012-0158 has been the most popular Office exploit in malicious attacks, but cybercriminals have been switching to CVE-2015-1641 and CVE-2015-2545 over the past several weeks, a recent report from SophosLabs revealed. These security flaws, available in published exploit kits, have been linked to various APT groups, some using them at the 0-day stage, while others adopting them only after they became public.

Malicious documents used to drop various types of malware onto the victims’ computers include, Backdoor.Enfourks, Backdoor.Steladok, Bloodhound.RTF.3, Trojan.PPDropper, Backdoor.Steladok!g1, Trojan.Gen.2, and Infostealer. Typically, the malicious .pps files would drop Backdoor.Enfourks, while the weaponized .doc would download Backdoor.Steladok, researchers also say.

“While both backdoor Trojans wait for commands from the threat actor, they can search for files and upload them to the specified server once activated. For unknown reasons, both threats use Baidu, the Chinese software vendor, in their routines. The Trojans confirm an internet connection by pinging Baidu’s server and create a registry entry with the vendor’s name to run every time Windows starts,” Symantec’s Joji Hamada explains.

To stay protected, users are advised to delete suspicious-looking emails, especially if they contain links or attachments. They should also keep their operating system and other software on their machines updated at all times, and should install and maintain a security software to ensure that malware is blocked before compromising the system.

Related: Decade-old NetTraveler Malware Used in Multi-National Attacks

Related: Attackers Increasingly Abuse Open Source Security Tools

view counter
Previous Columns by SecurityWeek News:

Tags: