Supposedly linked Indian APT branches out to the private business sector, targets companies in new countries

Jul 26, 2016 00:55 GMT

The Patchwork APT, also known as Dropping Elephant, a cyber-espionage group that some security vendors think may be operating from India, has changed its mode of operation and has started targeting private companies from different countries around the world.

The work of the Patchwork APT came to light at the beginning of the month, when security firm Cymmetria published a report on its operations.

The company nicknamed the group "the copy-paste APT" because of its habit of putting together malware using publicly available and low-quality code.

Patchwork hackers now target private companies as well

Their report, along with another one published by Kaspersky a few days later, revealed that the group had mainly targeted government organizations in countries in and around Southeast Asia and the South China Sea.

In a report released today, Symantec researchers claim to have found new evidence that this two-year-old cyber-espionage group has branched out to target privately owned businesses.

Researchers discovered new Patchwork targets that operate in the following fields of activity: aviation, broadcasting, energy, financial, non-governmental organizations (NGO), pharmaceutical, public sector, publishing, and software.

These companies are not found only in the geographical area previously targeted by Patchwork operations but are also located in the UK and the US.

Patchwork APT uses same ol' tricks

The group did not update its TTPs (tactics, techniques, and procedures) and continued to use spear-phishing emails built around the same theme: China's external political relations.

In the vast majority of cases, these emails included malicious PowerPoint files that attempted to use the CVE-2014-4114 exploit to install malware on the target's PC, as Cymmetria had originally reported.

In the new campaign, Word documents that deployed exploits for CVE-2015-1641 and CVE-2012-0158 were used as well, and in some cases, the spear-phishing emails didn't come with an attachment but contained links to a website from where the user would download the malicious file themselves.

Symantec reports that these files tried to install the Enfourks (via PowerPoint files) and Steladok (via Word files) backdoor trojans, which would collect sensitive information from infected computers and upload it to online servers.