Despite low-level malware writing skills, Patchwork APT infected over 2,500 victims across the world

Jul 7, 2016 23:30 GMT  ·  By

Since December 2015, a new cyber-espionage group has been launching attacks aimed at several governments and other related organizations working on military and political assignments linked to issues surrounding Southeast Asia and the South China Sea.

This APT (Advanced Persistent Threat) stands apart from other recent cyber-espionage groups because, unlike, for example, the Pacifier APT, it doesn't seem to be using malware of its own.

Instead, the group has been copy-pasting malware source code from GitHub and hacking forums to create a "patchwork" of new threats, hence its name of the Patchwork APT.

Patchwork has made at least 2,500 victims in the past seven months

Security firm Cymmetria says the group has targeted and infected at least 2,500 machines in several countries since December 2015 alone, but there are clues that the group may have been active since 2014.

For their attacks, the group has used spear-phishing emails with PowerPoint files as attachments. Most of these emails used subject lines relating to China's activity in the South China Sea, though some relied on pornographic lures instead.

The PowerPoint file contained the Sandworm exploit (CVE-2014-4114) that allowed crooks to infect the underlying operating system with their malware.

Patchwork's malware made up of PowerSploit, Meterpreter, AutoIt, and UACME

Cymmetria says crooks used an assortment of copy-pasted code from known malware and malware kits such as PowerSploit, Meterpreter, AutoIt, and UACME.

This malware jumble effectively created a backdoor trojan, which, in theory, should have been easy to pick up, since most antivirus vendors were well aware of this code and its mode of operation. Unfortunately, the attacks went undiscovered until May 2016, when Cymmetria's security product was the first to catch them.

The attackers used this malware to scour the infected host for several file types and exfiltrate them to their server. If the target contained valuable data, crooks would deploy second-stage malware, also copy-pasted together from known malware.

This second-stage malware would move laterally in the infected network and search for other valuable machines.

Data exfiltration from an infected network

Attribution is tricky: India?

As for attribution for these attacks, things aren't that clear. Cymmetria experts have the following to add:

  Many of the primary targets of this campaign are regional neighbors of India, and other targets seem to be targeted (by their interests, occupation, and by the content of the spear phishing) to issues affecting India. Circumstantially, this targeting correlates with intelligence requirements necessary for a pro-Indian entity.  

Further circumstantial evidence includes the times of day when the malware was edited and when the C&C servers were active, as well as the fact that all of India's neighbors were among the targets.

India is not known as a hotbed for cyber-espionage campaigns. The low technical ability displayed in the crafting of the malware, which uses publicly available code, may support the conclusion of an Indian actor entering the APT stage.

Nevertheless, the same experts say that this evidence could very well have been planted to make it look like an Indian threat actor is behind this campaign. Until further evidence surfaces, 100% attribution will have to wait.

An in-depth analysis of the Patchwork APT's activities, malware, spear-phishing tactics, and more is available via Cymmetria's Unveiling Patchwork the Copy-Paste APT report.

UPDATE: Kaspersky has published its own report on this APT, which they're calling the Dropping Elephant.

Patchwork APT malware workflow
