Resources

Şub 27, 2024

9 Mins Read

Dark Web Profile: Patchwork APT

The Patchwork APT group, identified in December 2015 but probably active since 2009, is a cyber espionage entity suspected to be based in India. It targets a variety of high-profile entities, including government, defense, and diplomatic organizations, primarily in South and Southeast Asia, but has also expanded its operations to other regions. Known for utilizing spear phishing and watering hole attacks, Patchwork employs a range of custom tools and techniques for espionage, making it a significant threat in the cyber threat landscape.

Threat Actor Card, Patchwork APT

Who is Patchwork APT

The Patchwork APT group, also identified under various aliases such as Dropping Elephant and Quilted Tiger or Viceroy Tiger, emerged in December 2015. Originating from India, Patchwork focuses on cyber espionage, targeting diplomatic and economic sectors with ties to China. Utilizing a blend of spear phishing and watering hole attacks, this group demonstrates a keen interest in intelligence gathering from multiple high-profile international targets. Their sophisticated cyber operations underscore the evolving landscape of global cyber threats and the necessity for vigilant cybersecurity defenses.

Image depicting Patchwork APT, created with Dall-E powered Bing AI Image Creation

Since its first detection in 2015, the Patchwork APT group has evolved from using rudimentary tactics to employing sophisticated cyber espionage strategies. Initially focusing on targets in South and Southeast Asia, the group expanded its operations globally, targeting entities in Europe and North America. Patchwork’s modus operandi includes leveraging spear phishing and watering hole attacks and exploiting malware distribution vulnerabilities.

Victimology

Patchwork APT focuses on government, defense, diplomatic entities, and academic institutions across South and Southeast Asia, extending to Europe and North America. Their operations have even notably targeted US think tanks and individuals involved in Chinese foreign relations, showcasing a strategic interest in geopolitical dynamics. The most targeted sectors of Patchwork’s cyber intrusions are Aviation, Defense, Energy, Financial, Government, IT, Media, NGOs, Pharmaceutical, and Think Tanks.

Target Countries of Patchwork APT (SOCRadar)

Therefore, Patchwork APT strategically targets high-profile diplomats and economists engaged in foreign relations with China, utilizing a custom set of cyber tools for espionage. The group’s operations extend to several countries, including Pakistan, Sri-Lanka, Uruguay, Bangladesh, Taiwan, Australia, and the US. 2018 dated campaigns of Patchwork, focusing on think tank groups in the US also drew attention to the group. This pattern of targeting reveals Patchwork’s interest in gathering intelligence on international diplomatic and economic policies and strategies.

Technical Capabilities and Tools

Patchwork APT employs spear phishing and watering hole attacks as primary vectors for infiltration. Spear phishing campaigns are meticulously crafted to target specific individuals within the organizations of interest, often leveraging social engineering techniques to deceive recipients into opening malicious attachments or clicking on compromised links.

Watering hole attacks involve compromising legitimate websites frequented by the group’s targets, aiming to exploit vulnerabilities in their web browsers or other software to deliver malware. These methods showcase Patchwork’s adaptability and focus on using human and system vulnerabilities to achieve their objectives.

Vulnerability card of CVE-2017-0261 (SOCRadar)

In a cyber attack in 2021, a malicious Microsoft document exploited CVE-2017-0261, a vulnerability enabling remote code execution by improperly handling objects in memory. Analysis of the EPS script within the document revealed sophisticated mechanisms for dropping and executing Patchwork’s payloads, notably a custom keylogger identified by its unique SHA-256 hash.

Recorded CVE Exploits of Patchwork APT

Of course, their arsenal goes way beyond a Microsoft document; Patchwork APT’s arsenal includes malware like the BADNEWS RAT and VajraSpy, an Android-targeted RAT. Their techniques for maintaining access and exfiltrating data demonstrate advanced capabilities in utilizing vulnerabilities, social engineering, and encryption for stealthy operations.

Most recently, ESET researchers uncovered a sophisticated espionage campaign conducted by the Patchwork APT group, involving twelve Android apps bundled with VajraSpy, a remote access trojan (RAT). Six apps were on Google Play, and six were on other platforms. The apps, disguised as messaging tools, targeted users primarily in Pakistan, employing honey-trap romance scams to lure victims into downloading the malware. The campaign, which utilized Firebase Hosting for command and control servers, exfiltrated various data, including contacts and messages. Despite being removed from Google Play, the apps reached over 1,400 installs. Weak operational security exposed 148 compromised devices, mostly in Pakistan and India.

Associated Malware with Patchwork APT in SOCRadar Platform

Mitigations and Defense

The Patchwork APT group’s activities result in significant information theft and unauthorized remote access, posing risks to national security and intellectual property. Their targeted cyber espionage campaigns have broader geopolitical implications, influencing international relations and potentially destabilizing regional security dynamics.

Implement Email Filtering: Patchwork APT often utilizes spear-phishing campaigns to target specific individuals within government, defense, diplomatic entities, and academic institutions. Email filtering solutions can detect and block malicious emails containing phishing attempts, reducing the risk of employees falling victim to deceptive tactics aimed at delivering malware or stealing credentials.
Patch Management: They frequently exploit known vulnerabilities to deliver malware and gain unauthorized access to systems. Implementing robust patch management practices ensures that all software vulnerabilities are promptly addressed with the latest security patches, reducing the likelihood of successful exploitation by threat actors.
Endpoint Security: Their operations involve deploying custom malware like VajraSpy, targeting Android devices to conduct espionage. Comprehensive endpoint security solutions can detect and block malicious activities, including the execution of remote access trojans (RATs), thereby protecting endpoints from compromise.
Network Segmentation: Patchwork APT targets a wide range of sectors, including Aviation, Defense, Energy, Financial, Government, IT, Media, NGOs, Pharmaceutical, and Think Tanks. Implementing network segmentation isolates critical systems and sensitive data, limiting the lateral movement of attackers within the network and minimizing the potential impact of breaches.
Access Control: They strategically target high-profile diplomats, economists, and individuals involved in Chinese foreign relations. Enforcing strict access control measures, such as the principle of least privilege, restricts unauthorized access to sensitive information, reducing the risk of compromise by threat actors seeking to gather intelligence on diplomatic and economic policies.
Multi-Factor Authentication (MFA): They employ sophisticated techniques like spear phishing to compromise user accounts and gain unauthorized access to systems. Implementing MFA adds an extra layer of security, making it more difficult for attackers to compromise accounts, even if passwords are compromised through phishing attacks.
Behavioral Analysis: They utilize social engineering techniques and custom malware like BADNEWS RAT to maintain access and exfiltrate data stealthily. Behavioral analysis tools can detect anomalous activities indicative of a security breach, allowing organizations to respond promptly and mitigate the impact of intrusions by threat actors.
Incident Response Plan: In the event of a security breach or compromise, having a well-defined incident response plan ensures a swift and coordinated response to contain the threat, minimize disruption, and restore normal operations. Regularly testing the incident response plan helps identify areas for improvement and ensures readiness to handle cyber incidents effectively.
User Awareness Training: Provide comprehensive cybersecurity awareness training to employees to educate them about the risks associated with phishing attacks, malicious attachments, and social engineering tactics used by threat actors. Empowering users to recognize and report suspicious activities can help prevent successful infections and campaigns.

In summary, it’s crucial to avoid clicking on unverified links, not to open untrusted email attachments, apply all available patches for vulnerabilities, keep security software updated, and implement rigorous patch management practices. Additionally, enhancing security measures through network and system hardening, alongside code hardening, can significantly reduce the risk of compromise.

To counter the sophisticated cyber espionage tactics employed by the Patchwork APT group further, organizations are also advised to adopt a proactive cybersecurity posture.

SOCRadar Threat Actor Page

SOCRadar’s Extended Threat Intelligence embodies an innovative advancement from conventional threat intelligence platforms, incorporating sophisticated functionalities that enhance threat detection and visibility significantly. This advanced solution employs robust machine learning technologies to scrutinize extensive volumes of threat data gathered from diverse open sources, social media platforms, and the dark web. Through the utilization of this holistic methodology, SOCRadar’s XTI empowers security teams to promptly discern and rank threats, furnishing them with proactive security measures.

MITRE ATT&CK TTPs of Patchwork APT

Phase	Technique(s)
Reconnaissance	T1430 – Location Tracking, T1420 – File and Directory Discovery, T1517 – Access Notifications, T1426 – System Information Discovery, T1057 – Process Discovery, T1422 – System Network Configuration Discovery, T1033 – System Owner/User Discovery, T1418 – Application Discovery
Weaponization	T1204.002 – Malicious File, T1221 – Template Injection, T1132 – Data Encoding, T1218.001 – Compiled HTML File
Delivery	T1190 – Exploit Public-Facing Application, T1566 – Phishing, T1434 – App Delivered via Email Attachment, T1534 – Internal Spearphishing, T1566.001 – Spearphishing Attachment, T1193 – Spearphishing Attachment
Exploitation	T1055 – Process Injection, T1203 – Exploitation for Client Execution, T1481 – Web Service, TA0011 – Command and Control, T1071 – Application Layer Protocol, T1071.001 – Web Protocols, T1105 – Ingress Tool Transfer
Installation	T1053 – Scheduled Task/Job, T1053.005 – Scheduled Task, T1059 – Command and Scripting Interpreter, T1059.005 – Visual Basic, T1059.003 – Windows Command Shell
Command & Control	T1559 – Inter-Process Communication
Actions on Objectives	T1560 – Archive Collected Data, T1082 – System Information Discovery, T1176 – Browser Extensions, T1437 – Standard Application Layer Protocol, T1005 – Data from Local System, T1533 – Data from Local System, T1025 – Data from Removable Media, T1417 – Input Capture, T1512 – Capture Camera, T1113 – Screen Capture
Exfiltration	T1048.003 – Exfiltration Over Unencrypted/Obfuscated Protocol
Persistence	T1398 – Modify OS Kernel or Boot Partition, T1574 – Hijack Execution Flow, T1027 – Obfuscated Files or Information