Patchwork is a cyberespionage group that was first observed in December 2015. While the group has not been definitively attributed, circumstantial evidence suggests the group may be a pro-Indian or Indian entity. Patchwork has been seen targeting industries related to diplomatic and government agencies. Much of the code used by this group was copied and pasted from online forums. Patchwork was also seen operating spearphishing campaigns targeting U.S. think tank groups in March and April of 2018.    
Associated Group Descriptions

| Name | Description |
|---|---|
| Hangover Group | Patchwork and the Hangover Group have both been referenced as aliases for the threat group associated with Operation Monsoon. |
| Dropping Elephant | |
| MONSOON | MONSOON is the name of an espionage campaign; we use it here to refer to the actor group behind the campaign. |
| Operation Hangover | It is believed that the actors behind Patchwork are the same actors behind Operation Hangover. |
Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | |
| Enterprise | T1560 | Archive Collected Data | Patchwork developed a file stealer to search C:\ and collect files with certain extensions. Patchwork also executed a script to enumerate all drives, store them as a list, and upload generated files to the C2 server. |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | |
| Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | |
| Enterprise | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | |
| Enterprise | T1132.001 | Data Encoding: Standard Encoding | |
| Enterprise | T1005 | Data from Local System | |
| Enterprise | T1074.001 | Data Staged: Local Data Staging | |
| Enterprise | T1203 | Exploitation for Client Execution | Patchwork uses malicious documents to deliver remote execution exploits. The group has previously exploited CVE-2017-8570, CVE-2012-1856, CVE-2014-4114, CVE-2017-0199, CVE-2017-11882, and CVE-2015-1641. |
| Enterprise | T1083 | File and Directory Discovery | |
| Enterprise | T1574.002 | Hijack Execution Flow: DLL Side-Loading | |
| Enterprise | T1070.004 | Indicator Removal on Host: File Deletion | |
| Enterprise | T1105 | Ingress Tool Transfer | |
| Enterprise | T1559.002 | Inter-Process Communication: Dynamic Data Exchange | |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | Patchwork installed its payload in the startup programs folder as "Baidu Software Update." The group also adds its second-stage payload to the startup programs as "Net Monitor." The group has also dropped QuasarRAT binaries as files named microsoft_network.exe and crome.exe. |
| Enterprise | T1027 | Obfuscated Files or Information | |
| Enterprise | T1027.005 | Obfuscated Files or Information: Indicator Removal from Tools | |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | |
| Enterprise | T1566.002 | Phishing: Spearphishing Link | Patchwork has used spearphishing with links to deliver files with exploits to initial victims. The group has also used embedded image tags (known as web bugs) with unique, per-recipient tracking links in their emails for the purpose of identifying which recipients opened messages. |
| Enterprise | T1055.012 | Process Injection: Process Hollowing | |
| Enterprise | T1021.001 | Remote Services: Remote Desktop Protocol | |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | |
| Enterprise | T1518.001 | Software Discovery: Security Software Discovery | |
| Enterprise | T1553.002 | Subvert Trust Controls: Code Signing | |
| Enterprise | T1082 | System Information Discovery | Patchwork collected the victim computer name, OS version, and architecture type and sent the information to its C2 server. Patchwork also enumerated all available drives on the victim's machine. |
| Enterprise | T1033 | System Owner/User Discovery | |
| Enterprise | T1204.002 | User Execution: Malicious File | |
| Enterprise | T1204.001 | User Execution: Malicious Link | |
| Enterprise | T1102.001 | Web Service: Dead Drop Resolver | |
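The startup-folder and file-name masquerading reported under T1036.005 above (entries named "Baidu Software Update" and "Net Monitor", binaries named microsoft_network.exe and crome.exe) is something an endpoint autostart inventory can be checked for. The following is an added example, not code from the original page or from any of the vendors it draws on: it runs over a constructed list of autostart entries (display name plus path), flags the names the page reports, and generalises the check to any one-character lookalike of a legitimate binary name and any legitimate name that runs outside its expected directory or from a user-writable location. The inventory records, the allowlist of expected locations and the list of user-writable path fragments are all assumptions made for the example.

```python
"""Flag autostart entries that masquerade as legitimate software (ATT&CK T1036.005).

Added example, not from the original page: the inventory format, the allowlist
of expected locations and the path hints below are constructed assumptions.
"""

# Names the page reports Patchwork using for startup entries and dropped binaries.
REPORTED_NAMES = {
    "baidu software update",
    "net monitor",
    "microsoft_network.exe",
    "crome.exe",
}

# Constructed allowlist: legitimate binary -> directory it is expected to run from.
EXPECTED_LOCATIONS = {
    "chrome.exe": r"c:\program files\google\chrome\application",
    "explorer.exe": r"c:\windows",
    "svchost.exe": r"c:\windows\system32",
}

# Directory fragments that an ordinary user can write to (assumed list).
USER_WRITABLE_HINTS = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\", "\\startup\\")

# Constructed autostart inventory: (display name, path of the entry or binary).
INVENTORY = [
    ("Baidu Software Update", r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Baidu Software Update.lnk"),
    ("Net Monitor", r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Net Monitor.lnk"),
    ("crome.exe", r"C:\Users\alice\AppData\Local\Temp\crome.exe"),
    ("microsoft_network.exe", r"C:\ProgramData\microsoft_network.exe"),
    ("chrome.exe", r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
    ("svchost.exe", r"C:\Users\alice\AppData\Roaming\svchost.exe"),
]


def edit_distance(a, b):
    """Levenshtein distance; one insertion, deletion or substitution counts as 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_path(path):
    """Return (lower-cased directory, lower-cased file name) for a Windows path."""
    p = path.replace("/", "\\").lower()
    if "\\" not in p:
        return "", p
    directory, _, name = p.rpartition("\\")
    return directory, name


def classify(name, path):
    """Return the list of reasons an autostart entry looks suspicious (empty if none)."""
    reasons = []
    directory, base = split_path(path)
    if name.lower() in REPORTED_NAMES or base in REPORTED_NAMES:
        reasons.append("name reported in Patchwork activity")
    if base in EXPECTED_LOCATIONS:
        # A genuine name is only reassuring if it runs from where it should.
        if directory != EXPECTED_LOCATIONS[base]:
            reasons.append(f"legitimate name outside expected dir ({EXPECTED_LOCATIONS[base]})")
    else:
        # One-character edits such as crome.exe for chrome.exe are a classic lookalike.
        for legit in EXPECTED_LOCATIONS:
            if edit_distance(base, legit) <= 1:
                reasons.append(f"lookalike of {legit}")
    if any(hint in "\\" + directory + "\\" for hint in USER_WRITABLE_HINTS):
        reasons.append("runs from user-writable path")
    return reasons


def scan(inventory):
    """Map each flagged entry name to its reasons; clean entries are omitted."""
    return {name: classify(name, path) for name, path in inventory if classify(name, path)}


if __name__ == "__main__":
    for name, reasons in scan(INVENTORY).items():
        print(f"{name}: {'; '.join(reasons)}")
```

The reported-name list is only the narrowest signal; the lookalike and wrong-location checks are what keep the rule useful once an actor renames its files, and the user-writable-path check catches a persistence entry regardless of what it is called.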
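The embedded image tags (web bugs) with unique, per-recipient tracking links described under T1566.002 can be spotted in inbound mail before delivery, because both the pixel and the link carry the same opaque identifier for one recipient. The following is an added example, not from the original page or from any of the cited reports: it parses a constructed HTML message with the Python standard library, flags remote images that are hidden or 1x1 or carry an opaque token, flags links carrying the same kind of token, and reports the tokens shared between the two. The sample message, the example.invalid hostname and the token heuristic (an alphanumeric value of 16 or more characters) are assumptions made for the example.

```python
"""Spot web bugs and per-recipient tracking links in an HTML e-mail (ATT&CK T1566.002).

Added example, not from the original page: the sample message, the
example.invalid host and the opaque-token heuristic are constructed assumptions.
"""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Heuristic: a long opaque path segment or query value is typical of a per-recipient id.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{16,}$")

# Constructed inbound message: one embedded logo (cid:), one tracked link, one hidden
# 1x1 pixel keyed to the same recipient id, and one ordinary remote banner.
SAMPLE_EMAIL = """
<html><body>
<p>Dear colleague, please see the attached agenda.</p>
<img src="cid:logo" width="200" height="60">
<p><a href="https://example.invalid/report/a8f3c2d91b7e4f60c5d2e1a4">Download the report</a></p>
<img src="https://example.invalid/t.gif?r=a8f3c2d91b7e4f60c5d2e1a4" width="1" height="1" style="display:none">
<img src="https://example.invalid/banner.png" width="600" height="100">
</body></html>
"""


class TagCollector(HTMLParser):
    """Collect <img> attribute dicts and <a href> values from the message body."""

    def __init__(self):
        super().__init__()
        self.images = []
        self.links = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img":
            self.images.append(a)
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])


def _pixels(value):
    """Parse a width/height attribute such as '1' or '1px' into an int, else None."""
    m = re.match(r"\s*(\d+)", str(value)) if value is not None else None
    return int(m.group(1)) if m else None


def is_hidden(img):
    """True for 1x1 / zero-sized images or ones hidden with inline CSS."""
    w, h = _pixels(img.get("width")), _pixels(img.get("height"))
    style = (img.get("style") or "").replace(" ", "").lower()
    return ((w is not None and w <= 1) or (h is not None and h <= 1)
            or "display:none" in style or "visibility:hidden" in style)


def opaque_tokens(url):
    """Return query values and path segments that look like per-recipient ids."""
    parts = urlparse(url)
    tokens = [v for vals in parse_qs(parts.query).values() for v in vals if TOKEN_RE.match(v)]
    tokens += [seg for seg in parts.path.split("/") if TOKEN_RE.match(seg)]
    return tokens


def analyze(html):
    """Return web bugs, tracked links and the recipient tokens they share."""
    parser = TagCollector()
    parser.feed(html)
    bugs, bug_tokens = [], set()
    for img in parser.images:
        src = img.get("src", "")
        if not src.lower().startswith(("http://", "https://")):
            continue  # cid:/data: images load locally and cannot beacon out
        tokens = opaque_tokens(src)
        if is_hidden(img) or tokens:
            bugs.append({"src": src, "host": urlparse(src).hostname,
                         "hidden": is_hidden(img), "tokens": tokens})
            bug_tokens.update(tokens)
    tracked = [href for href in parser.links if opaque_tokens(href)]
    link_tokens = {t for href in tracked for t in opaque_tokens(href)}
    return {"web_bugs": bugs, "tracked_links": tracked,
            "shared_tokens": bug_tokens & link_tokens}


if __name__ == "__main__":
    report = analyze(SAMPLE_EMAIL)
    for bug in report["web_bugs"]:
        print("web bug:", bug["src"], "(hidden)" if bug["hidden"] else "", bug["tokens"])
    print("tracked links:", report["tracked_links"])
    print("shared per-recipient tokens:", report["shared_tokens"])
```

A mail gateway that blocks remote image loading or rewrites the flagged `src` values removes the sender's ability to learn which recipients opened the message; a shared token between a pixel and a link is also a useful pivot for finding every message in the same campaign.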