Group: Patchwork, Dropping Elephant, ...

Type: Group
ID: G0040
Aliases: Patchwork, Dropping Elephant, Chinastrats, MONSOON, Operation Hangover

Patchwork is a threat group that was first observed in December 2015. While the group has not been definitively attributed, circumstantial evidence suggests the group may be a pro-Indian or Indian entity. Much of the code used by this group was copied and pasted from online forums.[1][2]

Alias Descriptions

  • Patchwork [1][2][3][4]
  • Dropping Elephant [2][3][4]
  • Chinastrats [3]
  • MONSOON - MONSOON is the name of an espionage campaign; we use it here to refer to the actor group behind the campaign.[5][4]
  • Operation Hangover - It is believed that the actors behind Patchwork are the same actors behind Operation Hangover.[5][6]

Techniques Used

  • Security Software Discovery - Patchwork scanned the "Program Files" directories for a directory with the string "Total Security" (the installation path of the "360 Total Security" antivirus tool).[1]
  • Masquerading - Patchwork installed its payload in the startup programs folder as "Baidu Software Update." The group also added its second-stage payload to the startup programs as "Net Monitor."[1]
  • Web Service - Patchwork hides base64-encoded and encrypted C2 server locations in comments on legitimate websites.[3]
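
The Web Service entry above describes C2 locations hidden as base64 in HTML comments on otherwise legitimate pages. The following is an added hunting example (not part of this page or of any referenced report) that scans a page for comment tokens shaped like base64 blobs; the sample page and blob are constructed, not real indicators, and because the page says the payload is also encrypted, the code flags the shape rather than trying to read a URL out of it.

```python
import base64
import binascii
import re
from typing import List, Tuple

# Constructed sample page: one ordinary developer comment, one short build tag,
# and one comment carrying a 64-character base64 blob (random, meaningless bytes).
SAMPLE_HTML = """
<html><body>
<!-- TODO: replace hero image before launch -->
<p>Welcome to our site.</p>
<!-- build 2e5fa -->
<!-- 9GX0oxdS3vZr1b2mHb7TkqLqG4w9jzSgN6aPHzo2IWyF7qfAeZHYKRyLSb6Z3SU6 -->
</body></html>
"""

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
# Standard base64 alphabet, at least 32 characters, optional '=' padding.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{32,}={0,2}$")
MIN_DISTINCT_CHARS = 16  # heuristic: repeated-letter strings are not blobs


def _decodes_as_base64(token: str) -> bool:
    """True if token is well-formed base64 with enough character variety."""
    if len(token) % 4 != 0 or not B64_RE.match(token):
        return False
    if len(set(token)) < MIN_DISTINCT_CHARS:
        return False
    try:
        base64.b64decode(token, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def find_dead_drop_candidates(html: str) -> List[Tuple[str, int]]:
    """Return (token, decoded_byte_length) for every whitespace-separated token
    inside an HTML comment that is a plausible base64 blob. Decoded bytes are
    reported by length only; the content is expected to be ciphertext."""
    hits: List[Tuple[str, int]] = []
    for match in COMMENT_RE.finditer(html):
        for token in match.group(1).split():
            if _decodes_as_base64(token):
                hits.append((token, len(base64.b64decode(token, validate=True))))
    return hits


if __name__ == "__main__":
    for token, size in find_dead_drop_candidates(SAMPLE_HTML):
        print(f"base64-shaped comment token ({size} decoded bytes): {token}")
```

Run against saved copies of pages a host is known to fetch; a blob-shaped comment is a lead to pivot on, not proof of compromise on its own.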

Software