Menu
Cyberespionage group Patchwork sets its sights on multiple industries

Cyberespionage group Patchwork sets its sights on multiple industries

The group used to focus on diplomatic and government targets, but now attacks companies too

A cyberespionage group known for targeting diplomatic and government institutions has branched out into many other industries, including aviation, broadcasting, and finance, researchers warn.

Known as Patchwork, or Dropping Elephant, the group stands out not only through its use of simple scripts and ready-made attack tools, but also through its interest in Chinese foreign relations.

The group's activities were documented earlier this month by researchers from Kaspersky Lab, who noted in their analysis that China's foreign relations efforts appear to represent the main interest of the attackers.

In a new report Monday, researchers from Symantec said that the group's recent attacks have also targeted companies and organizations from a broad range of industries: aviation, broadcasting, energy, financial, non-governmental organizations (NGO), pharmaceutical, public sector, publishing and software.

While most of Patchwork's past victims were based in China and Asia, almost half of the recent targets observed by Symantec were based in the U.S.

The group uses a legitimate mailing list provider to send newsletter-like emails to its intended targets. The rogue emails link to websites set up by the attackers with content related to China. Depending on the industry they operate in, victims receive links to websites with content relevant for their business.

The rogue websites have links to .pps (PowerPoint) or .doc (Word) files hosted on other domains. If downloaded and opened, these files attempt to exploit known vulnerabilities in Microsoft Office in order to execute rogue code on users' computers.

The Symantec researchers have observed exploits for the Microsoft Windows Common Controls ActiveX Control Remote Code Execution Vulnerability (CVE-2012-0158), the Microsoft Windows OLE Package Manager Remote Code Execution Vulnerability (CVE-2014-4114) and the Microsoft Office Memory Corruption Vulnerability (CVE-2015-1641).

Since the most recent of those vulnerabilities, CVE-2015-1641, was patched by Microsoft in April 2015, attackers appear confident that their targets have outdated Microsoft Office installations on their computers.

Typically, the PowerPoint file will try to exploit CVE-2014-4114, and if successful, will install a backdoor program called Enfourks that functions as an AutoIT executable. AutoIT is a scripting language for automating graphical user interface interactions.

The .doc files will try to exploit CVE-2012-0158 or CVE-2015-1641 and will try to install a different backdoor program called Steladok. Both of these programs can search for and steal files or can be used to install additional malware components.


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Featured

Slideshows

Meet the leading female front runners of the Kiwi channel

Meet the leading female front runners of the Kiwi channel

Reseller News honoured the leading female front runners of the New Zealand channel at the 2018 Women in ICT Awards (WIICTA) in Auckland. The awards honoured standout individuals across seven categories, spanning Entrepreneur; Innovation; Rising Star; Shining Star; Community; Technical and Achievement.

Meet the leading female front runners of the Kiwi channel
Meet the top performing customer-centric Microsoft channel partners

Meet the top performing customer-centric Microsoft channel partners

Microsoft honoured leading partners across the channel following a year of customer innovation and market growth in New Zealand. The 2018 Microsoft Partner Awards recognised excellence within the context of the end-user, spanning a host of emerging and established providers.

Meet the top performing customer-centric Microsoft channel partners
Reseller News launches new-look Awards at 2018 Judges’ Lunch

Reseller News launches new-look Awards at 2018 Judges’ Lunch

Introducing the Reseller News Innovation Awards, launched to the channel at the 2018 Judges’ Lunch in Auckland. With more than 70 judges now part of the voting panel, the new-look awards will reflect the changing dynamics of the channel, recognising excellence across customer value and innovation - spanning start-ups, partners, distributors and vendors.

Reseller News launches new-look Awards at 2018 Judges’ Lunch
Show Comments