Patchwork is a cyberespionage group that was first observed in December 2015. While the group has not been definitively attributed, circumstantial evidence suggests the group may be a pro-Indian or Indian entity. Patchwork has been seen targeting industries related to diplomatic and government agencies. Much of the code used by this group was copied and pasted from online forums. Patchwork was also seen operating spearphishing campaigns targeting U.S. think tank groups in March and April of 2018. [1] [2] [3] [4]

ID: G0040
Version: 1.0

Associated Group Descriptions

Dropping Elephant [2] [5] [6] [4]
MONSOON: MONSOON is the name of an espionage campaign; we use it here to refer to the actor group behind the campaign. [7] [6]
Operation Hangover: It is believed that the actors behind G0040 are the same actors behind Operation Hangover. [7] [8]

Techniques Used

Domain | ID | Name | Use
Enterprise | T1119 | Automated Collection | Patchwork developed a file stealer to search C:\ and collect files with certain extensions. Patchwork also executed a script to enumerate all drives, store them as a list, and upload generated files to the C2 server.[3]
Enterprise | T1009 | Binary Padding | Patchwork apparently altered NDiskMonitor samples by adding four bytes of random letters in a likely attempt to change the file hashes.[3]
Enterprise | T1088 | Bypass User Account Control | Patchwork bypassed User Account Control (UAC).[1]
Enterprise | T1059 | Command-Line Interface | Patchwork ran a reverse shell with Meterpreter.[1]
Enterprise | T1003 | Credential Dumping | Patchwork dumped the login data database from \AppData\Local\Google\Chrome\User Data\Default\Login Data.[1]
Enterprise | T1132 | Data Encoding | Patchwork used Base64 to encode C2 traffic.[1]
Enterprise | T1022 | Data Encrypted | Patchwork encrypted the collected files' path with AES and then encoded them with base64.[3]
Enterprise | T1005 | Data from Local System | Patchwork collected and exfiltrated files from the infected system.[1]
Enterprise | T1074 | Data Staged | Patchwork copied all targeted files to a directory called index that was eventually uploaded to the C&C server.[3]
Enterprise | T1073 | DLL Side-Loading | A Patchwork .dll that contains BADNEWS is loaded and executed using DLL side-loading.[3]
Enterprise | T1189 | Drive-by Compromise | Patchwork has used watering holes to deliver files with exploits to initial victims.[2][4]
Enterprise | T1173 | Dynamic Data Exchange | Patchwork leveraged the DDE protocol to deliver their malware.[3]
Enterprise | T1203 | Exploitation for Client Execution | Patchwork uses malicious documents to deliver remote execution exploits as part of. The group has previously exploited CVE-2017-8570, CVE-2012-1856, CVE-2014-4114, CVE-2017-0199, and CVE-2015-1641.[1][5][2][6][3][4]
Enterprise | T1083 | File and Directory Discovery | A Patchwork payload has searched all fixed drives on the victim for files matching a specified list of extensions.[1][3]
Enterprise | T1107 | File Deletion | Patchwork removed certain files and replaced them so they could not be retrieved.[3]
Enterprise | T1066 | Indicator Removal from Tools | Patchwork apparently altered NDiskMonitor samples by adding four bytes of random letters in a likely attempt to change the file hashes.[3]
Enterprise | T1036 | Masquerading | Patchwork installed its payload in the startup programs folder as "Baidu Software Update." The group also adds its second stage payload to the startup programs as "Net Monitor."[1]
Enterprise | T1112 | Modify Registry | A Patchwork payload deletes Resiliency Registry keys created by Microsoft Office applications in an apparent effort to trick users into thinking there were no issues during application runs.[3]
Enterprise | T1027 | Obfuscated Files or Information | Patchwork has obfuscated a script with Crypto Obfuscator.[3]
Enterprise | T1086 | PowerShell | Patchwork used PowerSploit to download payloads, run a reverse shell, and execute malware on the victim's machine.[1][3]
Enterprise | T1093 | Process Hollowing | A Patchwork payload uses process hollowing to hide the UAC bypass vulnerability exploitation inside svchost.exe.[1]
Enterprise | T1060 | Registry Run Keys / Startup Folder | Patchwork has added the path of its second-stage malware to the startup folder to achieve persistence. One of its file stealers has also persisted by adding a Registry Run key.[1][3]
Enterprise | T1076 | Remote Desktop Protocol | Patchwork attempted to use RDP to move laterally.[1]
Enterprise | T1105 | Remote File Copy | Patchwork payloads download additional files from the C2 server.[5][3]
Enterprise | T1053 | Scheduled Task | A Patchwork file stealer can run a TaskScheduler DLL to add persistence.[3]
Enterprise | T1064 | Scripting | Patchwork used Visual Basic Scripts (VBS), JavaScript code, batch files, and .SCT files on victim machines.[3][4]
Enterprise | T1063 | Security Software Discovery | Patchwork scanned the “Program Files” directories for a directory with the string “Total Security” (the installation path of the “360 Total Security” antivirus tool).[1]
Enterprise | T1045 | Software Packing | A Patchwork payload was packed with UPX.[5]
Enterprise | T1193 | Spearphishing Attachment | Patchwork has used spearphishing with an attachment to deliver files with exploits to initial victims.[1][5][3][4]
Enterprise | T1192 | Spearphishing Link | Patchwork has used spearphishing with links to deliver files with exploits to initial victims. The group has used embedded image tags (known as web bugs) with unique, per-recipient tracking links in their emails for the purpose of identifying which recipients opened messages.[2][3][4]
Enterprise | T1082 | System Information Discovery | Patchwork collected the victim computer name, OS version, and architecture type and sent the information to its C2 server. Patchwork also enumerated all available drives on the victim's machine.[1][3]
Enterprise | T1033 | System Owner/User Discovery | Patchwork collected the victim username and whether it was running as admin, then sent the information to its C2 server.[1][3]
Enterprise | T1204 | User Execution | Patchwork embedded a malicious macro in a Word document and lured the victim to click on an icon to execute the malware.[3][4]
Enterprise | T1102 | Web Service | Patchwork hides base64-encoded and encrypted C2 server locations in comments on legitimate websites.[5]


Software

ID | Name | References | Techniques
S0129 | AutoIt backdoor | [7] | Bypass User Account Control, Data Encoding, File and Directory Discovery, PowerShell
S0128 | BADNEWS | [7][3] | Automated Collection, Code Signing, Command-Line Interface, Custom Cryptographic Protocol, Data Encoding, Data from Local System, Data from Network Shared Drive, Data from Removable Media, Data Obfuscation, Data Staged, DLL Side-Loading, Execution through API, File and Directory Discovery, Input Capture, Masquerading, Peripheral Device Discovery, Process Hollowing, Registry Run Keys / Startup Folder, Remote File Copy, Scheduled Task, Screen Capture, Standard Application Layer Protocol, Web Service
S0272 | NDiskMonitor | [3] | File and Directory Discovery, Remote File Copy, Standard Cryptographic Protocol, System Information Discovery, System Owner/User Discovery
S0194 | PowerSploit | [1] | Access Token Manipulation, Account Discovery, Audio Capture, Credential Dumping, Credentials in Registry, Data from Local System, DLL Search Order Hijacking, Domain Trust Discovery, Indicator Removal from Tools, Input Capture, Kerberoasting, Modify Existing Service, Obfuscated Files or Information, Path Interception, PowerShell, Process Discovery, Process Injection, Query Registry, Registry Run Keys / Startup Folder, Scheduled Task, Screen Capture, Security Support Provider, Windows Management Instrumentation
S0262 | QuasarRAT | [3][4] | Code Signing, Command-Line Interface, Connection Proxy, Credential Dumping, Credentials in Files, Input Capture, Masquerading, Modify Registry, Remote Desktop Protocol, Remote File Copy, Scheduled Task, Standard Cryptographic Protocol, System Information Discovery, Video Capture
S0273 | Socksbot | [3] | Connection Proxy, PowerShell, Process Discovery, Process Injection, Screen Capture
S0131 | TINYTYPHON | [7] | Automated Exfiltration, File and Directory Discovery, Obfuscated Files or Information, Registry Run Keys / Startup Folder
S0130 | Unknown Logger | [7] | Credential Dumping, Disabling Security Tools, Input Capture, Remote File Copy, Replication Through Removable Media, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery