Group: Patchwork, Dropping Elephant, ...

Group ID: G0040
Aliases: Patchwork, Dropping Elephant, Chinastrats, MONSOON, Operation Hangover

Patchwork is a threat group that was first observed in December 2015. While the group has not been definitively attributed, circumstantial evidence suggests the group may be a pro-Indian or Indian entity. Much of the code used by this group was copied and pasted from online forums.[1][2]

Alias Descriptions

  • Patchwork - [1][2][3][4]
  • Dropping Elephant - [2][3][4]
  • Chinastrats - [3]
  • MONSOON - MONSOON is the name of an espionage campaign; we use it here to refer to the actor group behind the campaign.[5][4]
  • Operation Hangover - It is believed that the actors behind Patchwork are the same actors behind Operation Hangover.[5][6]

Techniques Used

  • Spearphishing Attachment - Patchwork has used spearphishing with an attachment to deliver files with exploits to initial victims.[1][3]
  • Spearphishing Link - Patchwork has used spearphishing with links to deliver files with exploits to initial victims.[2]
  • Drive-by Compromise - Patchwork has used watering holes to deliver files with exploits to initial victims.[2]
  • System Information Discovery - Patchwork collected the victim computer name, OS version, and architecture type and sent the information to its C2 server.[1]
  • System Owner/User Discovery - Patchwork collected the victim username and whether it was running as admin, then sent the information to its C2 server.[1]
  • Credential Dumping - Patchwork dumped the login data database from \AppData\Local\Google\Chrome\User Data\Default\Login Data.[1]
  • Security Software Discovery - Patchwork scanned the “Program Files” directories for a directory with the string “Total Security” (the installation path of the “360 Total Security” antivirus tool).[1]
  • Masquerading - Patchwork installed its payload in the startup programs folder as “Baidu Software Update.” The group also adds its second stage payload to the startup programs as “Net Monitor.”[1]
  • File and Directory Discovery - A Patchwork payload has searched all fixed drives on the victim for files matching a specified list of extensions.[1]
  • Process Hollowing - A Patchwork payload uses process hollowing to hide the UAC bypass vulnerability exploitation inside svchost.exe.[1]
  • Remote File Copy - A Patchwork payload downloads additional malware from the C2 server.[3]
  • Web Service - Patchwork hides base64-encoded and encrypted C2 server locations in comments on legitimate websites.[3]
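Two of the behaviours above (the Masquerading entries in the Startup folder and the access to the Chrome Login Data file) are concrete enough to turn into a host-level detection. The following is an added example, not part of this page or of any ATT&CK tooling; it assumes file-create/open events that carry the acting process image and the target path (as a Sysmon-style feed would), and the sample events are constructed.

```python
import re
from dataclasses import dataclass

# Startup folder under either the per-user or the all-users Start Menu.
STARTUP_DIR = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)
# File-name stems the page reports Patchwork using for its startup payloads.
MASQUERADE_NAMES = {"baidu software update", "net monitor"}
# Chrome credential store the page reports Patchwork dumping.
LOGIN_DATA = re.compile(r"\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data$", re.I)
# Processes expected to touch the Login Data file (assumption: only the browser itself).
BROWSER_IMAGES = {"chrome.exe"}


@dataclass
class FileEvent:
    image: str   # process that created or opened the file
    target: str  # full path of the file touched


def check_event(ev: FileEvent) -> list[str]:
    """Return alert strings for one event; an empty list means nothing matched."""
    alerts = []
    if STARTUP_DIR.search(ev.target):
        # Compare the name without its extension so .exe and .lnk both match.
        stem = ev.target.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
        if stem in MASQUERADE_NAMES:
            alerts.append(f"startup-masquerade: {ev.image} wrote {ev.target}")
    if LOGIN_DATA.search(ev.target) and ev.image.lower() not in BROWSER_IMAGES:
        alerts.append(f"chrome-login-data-access: {ev.image} touched {ev.target}")
    return alerts


def scan(events: list[FileEvent]) -> list[str]:
    """Run check_event over a batch of events and collect every alert."""
    return [alert for ev in events for alert in check_event(ev)]


# Constructed sample events: two benign, three matching the page's descriptions.
USER = r"C:\Users\alice\AppData"
SAMPLE_EVENTS = [
    FileEvent("explorer.exe", USER + r"\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk"),
    FileEvent("winword.exe", USER + r"\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Baidu Software Update.exe"),
    FileEvent("chrome.exe", USER + r"\Local\Google\Chrome\User Data\Default\Login Data"),
    FileEvent("svchost.exe", USER + r"\Local\Google\Chrome\User Data\Default\Login Data"),
    FileEvent("svchost.exe", r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Net Monitor.lnk"),
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print(line)
```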

Software