APT Group ‘Patchwork’ Cuts-and-Pastes a Potent Attack

An advanced persistent threat tied to Southeast Asia and the South China Sea is targeting governments and other entities around the world, including in the U.S. The attacks are unusual, according to security experts, because the perpetrators rely almost entirely on code copied and pasted from sources on the web.

Cymmetria Research, which discovered the APT and today released a report on the attacks, calls the group Patchwork because it has pieced together code from sources such as the open-source repository GitHub, the dark web and closed criminal forums. “Those behind these attacks have copied, pasted and pieced together everything from penetration tools, malware and post-intrusion attack tools,” said Gadi Evron, founder and CEO of Cymmetria Research.

“This group shows how low the bar has been moved for a successful APT attack to take flight,” Evron said. “We are impressed that these attacks were able to infiltrate high-end organizations given the apparent low technical aptitude of the attackers,” he said.

The Patchwork attackers are believed to be of Indian origin and to be gathering intelligence from influential parties tied to Southeast Asia and the South China Sea. Cymmetria said the threat actors were active during Indian working hours. However, the report’s authors point out, it is not possible to say conclusively that the attacks originated in India. The report adds, again without certainty, that the operation may be related to the similar APT group known as Hangover/Appin.

“Patchwork is a highly successful APT operation, infecting approximately 2,500 high-value targets worldwide,” the report states. Attacks began in December. It is unclear why the attackers relied on second-hand code. However, what might appear amateurish proved highly effective, particularly in the attackers’ second-stage toolset, which is meant for persistence and for evading detection.

According to Cymmetria the attacks target entities in the United States as well as Europe, the Middle East, South Asia and the Asia and Pacific regions. “It would be more accurate to say that targets were chosen worldwide with a focus on personnel working on military and political assignments – specifically, but not limited to, intelligence requirements concentrating on Southeast Asia and the South China Sea. Many of the targets were governments and government related organizations,” according to the report.

Evron said most infections on targeted systems were initiated via spear phishing campaigns using emails whose content related to Southeast Asia and the South China Sea. In one incident, Patchwork attackers enticed email recipients to download a presentation titled “Is China’s assertiveness in the South China Sea likely to affect Australia’s national interest over the next ten years?”

In that incident, the presentation, if opened, exploited CVE-2014-4114, the Sandworm vulnerability in the Windows OLE packager (patched in MS14-060), which the report says affects unpatched systems running Microsoft Office PowerPoint 2003 and 2007. Targeted systems were then infected with sysvolinfo.exe (the APT’s first-stage payload) and 7zip.exe (the second-stage malware, whose name mimics the legitimate archiver but is unrelated to it), according to the report.
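Sandworm-style lures are OOXML presentations whose slide relationships pull an OLE object from a remote share or embed an OLE Packager object that can drop arbitrary files. As an added triage example (not code from the Cymmetria report or from Patchwork, and not a real Patchwork sample), the following Python script unzips a .pptx/.ppsx, joins each slide’s `<p:oleObj>` elements to its `.rels` part, and flags OLE relationships with External or UNC targets as well as embedded `Package` objects. The sample file it builds is constructed inline with only the parts the check inspects, and the 192.0.2.10 address is a documentation address; it does not cover the legacy binary .ppt format.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces used by slide parts and their relationship (.rels) files.
PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
DOC_REL_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
OLE_REL_TYPE = DOC_REL_NS + "/oleObject"

# Targets that reach outside the package: UNC shares and file: URIs.
EXTERNAL_TARGET = re.compile(r"^(file:///?)?(\\\\|//)", re.IGNORECASE)


def slide_ole_objects(z, slide_name):
    """Map r:id -> progId for every <p:oleObj> element in one slide part."""
    root = ET.fromstring(z.read(slide_name))
    objs = {}
    for el in root.iter():
        if el.tag.endswith("}oleObj"):
            rid = el.get(f"{{{DOC_REL_NS}}}id")
            if rid:
                objs[rid] = el.get("progId", "")
    return objs


def slide_relationships(z, slide_name):
    """Map rId -> (type, target, targetMode) from the slide's .rels part."""
    base, fname = slide_name.rsplit("/", 1)
    rels_name = f"{base}/_rels/{fname}.rels"
    if rels_name not in z.namelist():
        return {}
    root = ET.fromstring(z.read(rels_name))
    rels = {}
    for rel in root.iter(f"{{{PKG_REL_NS}}}Relationship"):
        rels[rel.get("Id")] = (
            rel.get("Type"), rel.get("Target", ""), rel.get("TargetMode", "Internal"))
    return rels


def triage_pptx(pptx_bytes):
    """Return a list of (slide, progId, target, reason) findings for OLE objects
    that are fetched from outside the package or are OLE Packager embeddings."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(pptx_bytes)) as z:
        slides = [n for n in z.namelist() if re.fullmatch(r"ppt/slides/slide\d+\.xml", n)]
        for slide in sorted(slides):
            rels = slide_relationships(z, slide)
            for rid, prog_id in slide_ole_objects(z, slide).items():
                rtype, target, mode = rels.get(rid, (None, "", "Internal"))
                if rtype != OLE_REL_TYPE:
                    continue
                if mode == "External" or EXTERNAL_TARGET.match(target):
                    findings.append((slide, prog_id, target,
                                     "OLE object loaded from outside the package"))
                elif prog_id == "Package":
                    findings.append((slide, prog_id, target,
                                     "embedded OLE Packager object (can drop arbitrary files)"))
    return findings


def build_sample_pptx(external=True):
    """Constructed test input (hypothetical, not a real lure): a zip with one slide
    holding a Packager OLE object. With external=True the object is referenced
    on a UNC share, as Sandworm exploit documents did; otherwise it is embedded."""
    slide_xml = (
        '<p:sld xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main" '
        f'xmlns:r="{DOC_REL_NS}"><p:cSld><p:spTree><p:graphicFrame>'
        '<a:graphic xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main">'
        '<a:graphicData uri="http://schemas.openxmlformats.org/presentationml/2006/ole">'
        '<p:oleObj name="Package" r:id="rId2" progId="Package"/>'
        '</a:graphicData></a:graphic></p:graphicFrame></p:spTree></p:cSld></p:sld>'
    )
    if external:
        ole_rel = (f'<Relationship Id="rId2" Type="{OLE_REL_TYPE}" '
                   'Target="file:///\\\\192.0.2.10\\public\\slide1.gif" TargetMode="External"/>')
    else:
        ole_rel = (f'<Relationship Id="rId2" Type="{OLE_REL_TYPE}" '
                   'Target="../embeddings/oleObject1.bin"/>')
    rels_xml = (
        f'<Relationships xmlns="{PKG_REL_NS}">'
        f'<Relationship Id="rId1" Type="{DOC_REL_NS}/slideLayout" '
        'Target="../slideLayouts/slideLayout1.xml"/>' + ole_rel + '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("ppt/slides/slide1.xml", slide_xml)
        z.writestr("ppt/slides/_rels/slide1.xml.rels", rels_xml)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_pptx(build_sample_pptx()):
        print(finding)
```

A hit here is a triage signal, not proof of exploitation: embedded Packager objects do appear in legitimate decks, so route flagged files to detonation or deeper OLE parsing rather than blocking on this alone.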

During the course of Cymmetria’s investigation, it managed to gain access to one of Patchwork’s command and control servers, where it found a stash of weaponized Microsoft PowerPoint files used in spear phishing attacks along with additional malicious code packages. “Most of the spear phishing file content was directly related to China-related subjects, or pornographic in nature,” according to the report.

As part of the investigation, Cymmetria was able to pull back the curtain on some of the second-stage tools used by the attackers and identify how the intruders moved laterally through the network. Those tools included a compiled AutoIt script that escalated privileges by bypassing Windows User Account Control (UAC), along with PowerSploit and Meterpreter, the payload of the well-known Metasploit framework.

The exfiltration of data to a command and control server was likewise carried out by a second-stage payload built from code taken from online forums and other public resources, according to the report.

“Unlike other APT threat actors, India seems to be a relatively quiet locale for cyber espionage activity. The scope and scale of this operation are quite surprising. This suggests that additional geopolitical powers are actively developing offensive cyber capabilities whilst simultaneously making attempts to maximize return on investment by keeping development costs to a minimum,” wrote the report authors.

Provided from: Techcrunch.