Group: Patchwork, Dropping Elephant, ...
Aliases: Patchwork, Dropping Elephant, Chinastrats, MONSOON, Operation Hangover
Patchwork is a threat group that was first observed in December 2015. While the group has not been definitively attributed, circumstantial evidence suggests the group may be a pro-Indian or Indian entity. Much of the code used by this group was copied and pasted from online forums.[1][2]

Associated group descriptions:

- Patchwork [1][2][3][4]
- Dropping Elephant [2][3][4]
- Chinastrats [3]
- MONSOON - MONSOON is the name of an espionage campaign; we use it here to refer to the actor group behind the campaign.[5][4]
- Operation Hangover - It is believed that the actors behind Patchwork are the same actors behind Operation Hangover.[5][6]

Techniques used:

- Spearphishing Attachment - Patchwork has used spearphishing with an attachment to deliver files with exploits to initial victims.[1][3]
- Spearphishing Link - Patchwork has used spearphishing with links to deliver files with exploits to initial victims.[2]
- Drive-by Compromise - Patchwork has used watering holes to deliver files with exploits to initial victims.[2]
- Registry Run Keys / Start Folder - Patchwork added the path of its second-stage malware to the startup folder to achieve persistence.[1]
- System Information Discovery - Patchwork collected the victim computer name, OS version, and architecture type and sent the information to its C2 server.[1]
- System Owner/User Discovery - Patchwork collected the victim username and whether it was running as admin, then sent the information to its C2 server.[1]
- Credential Dumping - Patchwork dumped the login data database from `\AppData\Local\Google\Chrome\User Data\Default\Login Data`.[1]
- Security Software Discovery - Patchwork scanned the "Program Files" directories for a directory with the string "Total Security" (the installation path of the "360 Total Security" antivirus tool).[1]
- Masquerading - Patchwork installed its payload in the startup programs folder as "Baidu Software Update." The group also adds its second-stage payload to the startup programs as "Net Monitor."[1]
- File and Directory Discovery - A Patchwork payload has searched all fixed drives on the victim for files matching a specified list of extensions.[1]
- Process Hollowing - A Patchwork payload uses process hollowing to hide the UAC bypass vulnerability exploitation inside svchost.exe.[1]
- Web Service - Patchwork hides base64-encoded and encrypted C2 server locations in comments on legitimate websites.[3]
- Exploitation for Client Execution - Patchwork uses malicious documents to deliver remote execution exploits as part of Initial Access.[4][1][2][3]
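A small detection pass over the file path and the two startup-folder names quoted in the technique list above, as an added example that is not part of the original page or of any vendor report. The event schema (event, process, path) and the sample events are constructed for the example.

```python
import re

# Paths and names quoted in the technique list above; the event field
# names (event, process, path) and the sample events are constructed.
CHROME_LOGIN_DATA = re.compile(
    r"\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data$", re.I)
STARTUP_FOLDER = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
MASQUERADE_NAMES = ("baidu software update", "net monitor")
BROWSER_PROCESSES = {"chrome.exe"}


def check_event(ev):
    """Return alert strings for one endpoint event (empty list if benign)."""
    alerts = []
    kind = ev.get("event")
    proc = ev.get("process", "").lower()
    path = ev.get("path", "")
    # Credential Dumping: anything but the browser itself reading Login Data
    if kind == "file_read" and CHROME_LOGIN_DATA.search(path):
        if proc not in BROWSER_PROCESSES:
            alerts.append(f"credential_dumping: {proc} read Chrome Login Data")
    # Masquerading / startup persistence: the two display names this group used
    if kind == "file_write" and STARTUP_FOLDER.search(path):
        name = path.rsplit("\\", 1)[-1].lower()
        if name.startswith(MASQUERADE_NAMES):
            alerts.append(f"startup_masquerade: {proc} dropped '{name}' in Startup")
    return alerts


def scan(events):
    """Run check_event over a sequence of events and flatten the alerts."""
    return [alert for ev in events for alert in check_event(ev)]


STARTUP = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
LOGIN_DATA = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"
SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"event": "file_read", "process": "chrome.exe", "path": LOGIN_DATA},
    {"event": "file_read", "process": "svchost.exe", "path": LOGIN_DATA},
    {"event": "file_write", "process": "winword.exe", "path": STARTUP + r"\Net Monitor.lnk"},
    {"event": "file_write", "process": "explorer.exe", "path": STARTUP + r"\notes.lnk"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Only the non-browser read of Login Data and the "Net Monitor" startup entry raise alerts; the browser's own access and the unrelated shortcut pass.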
References:

1. Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved August 3, 2016.
2. Hamada, J. (2016, July 25). Patchwork cyberespionage group expands targets from governments to wide range of industries. Retrieved August 17, 2016.
3. Kaspersky Lab's Global Research & Analysis Team. (2016, July 8). The Dropping Elephant – aggressive cyber-espionage in the Asian region. Retrieved August 3, 2016.
4. Levene, B., et al. (2018, March 7). Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent. Retrieved March 31, 2018.
5. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
6. Fagerland, S., et al. (2013, May). Operation Hangover: Unveiling an Indian Cyberattack Infrastructure. Retrieved September 26, 2016.