The Patchwork APT group, also known as Dropping Elephant, Chinastrats, Monsoon, Sarit, Quilted Tiger, APT-C-09, and ZINC EMERSON, was first discovered in December 2015. This cyber espionage group targets multiple high-profile Diplomats and economists having foreign relations with China, using a custom set of attack tools. The attacks were generally made through spear phishing campaign or watering hole attacks. This group is suspected to be run by an India based threat actor targeting foreign embassies and diplomatic offices in Pakistan, Sri-Lanka, Uruguay, Bangladesh, Taiwan, Australia, and the U.S. At the beginning of 2018, researchers discovered that the Patchwork APT group was also operating spear phishing campaigns targeting think tank groups from the U.S.
Recently, in January 2021, the research team at Cyble observed the Patchwork APT cyber espionage group targeting China with a malformed document named “Chinese_Pakistani_fighter_planes_play_war_games.docx”. We suspect that the attack is executed in the form of spear phishing emails with malicious attachments. We discovered that the attack used techniques such as exploitation of long-closed vulnerabilities and social engineering campaigns.
The image below showcases Chinese and Pakistani fighter war games with a CVE-2017-0261 exploit code that drops and executes Patchwork APT payloads on victim machines.
Technical Analysis:
Our analysis is based on a sample that was found in the wild on January 18, 2021 with SHA- 256 7fb7944fb452d8588194ea746910ed782865efb991fa02479e429f8fba677d3b. The sample is a malcrafted Microsoft document with an EPS script that exploits the CVE-2017-0261 vulnerability.
CVE-2017-0261 is Microsoft Office remote code execution vulnerability in which the software fails to properly handle objects in the memory. It allows the attacker to install and run additional payloads on the victim machine. This APT group implants an extracted EPS script dropped and executed by the malicious document. The following image shows the content of the EPS file with the icon.
The malcrafted EPS scripts drops a Patchwork payload file named “MSBuild.exe” with SHA256- 446e00a53014006804135ef1c31dac6837c0cf635c26426e396b3067764f956d in the path of the infected host as highlighted below. This is a VC+ compiled file with encrypted data, which decrypts and loads the Windows API function dynamically during runtime.
File Path- %Users%\%AppData%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup folder
Interestingly, the payload file has a hardcoded command and control (C2) server IP, URL and User agent as shown in the image below.
Upon execution, this file creates a Mutex named “asssszxxzcccjdddddccccdjjjddssdfgredf ” to mark its presence on the victim machine and avoid multiple executions of itself as shown in the process explorer image below.
The malware payload starts collecting information from the victim system such as computer name, comspec, home directory, logon server, the number of processors, and much more using Windows API such as GetComputerNameA, GetTempPath, and GetConsoleWindow. The image below shows the system information collected during our analysis.
The following image shows the stack data, which includes collected system information such as a universally unique identifier (UUID), username (#un), computer name (#cn), IP address (#lan), number of processor (#nop) and version (#ver) along with the C2 IP.
The Patchwork payload logs keystrokes, screenshots, and running processes with date and time and stores them in a file named TPX498.dat, in a %Temp% folders. The image below depicts the contents of the keylogger data file. The payload file also drops an 9PT568.dat file with ID:e29ac6c0-7037-11de-816d-806e6f6e69638e6d which might be used for network data encryption.
Then malware uses the custom encryption logic to encode data and send it to the C2 server over HTTP communication, as depicted in the Wireshark image below. The multiple process threads of MSBuild.exe are responsible for sharing encoded stolen data in a POST request to the server. Each request body of the POST request ends with a unique identification value &crc=e3a6.
The Patchwork APT campaign has autostart capabilities by adding the payload files in a %Startup folder% of the victim machine so that it can execute on every reboot of the system.
The APT group employs the following registry entry for its persistence on the victim machine.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\filename.exe
Our recommendations are:
- Refrain from clicking on unverified/unidentified links.
- Do not open untrusted email attachments.
- Patch all open vulnerabilities or follow rigid patch management.
- Keep your Security software updated.
The Patchwork APT group has expanded its wings with enhanced malware toolsets and has been targeting China and other regions through spear phishing attacks. In recent attacks, the Patchwork group has been using a payload that is a modified or custom-built RAT instead of using readily available remote admin tools.
The research team at Cyble is continuously monitoring to harvest the threat indicators/TTPs of emerging APTs in the wild to ensure that targeted organizations are well informed and proactively protected.
Indicators of Compromise (IOCs):
| Indicator | Description |
| 176.107.181[.]213 | C2 server IP by Patchwork APT |
| 446e00a53014006804135ef1c31dac6837c0cf635c26426e396b3067764f956d | SHA-256 of Patchwork keylogger payload file MSBuild.exe |
| 79b3453196841d01f953bdf8aa5eddd69aa66c92387bcf2584341794ccfd3b89 | Image1.eps script dropper component of exploit CVE-2017-0261 |
| 7fb7944fb452d8588194ea746910ed782865efb991fa02479e429f8fba677d3b | Exploit CVE-2017-0261 document. Chinese_Pakistani_fighter_planes_play_war_games.docx |
| asssszxxzcccjdddddccccdjjjddssdfgredf | Mutant object name |
MITRE ATT&CK Framework:
| ID | Description | Use |
| T1548.001 | Abuse Elevation Control Mechanism: Bypass User Account Control | Uses CVE-2017-0261, a privilege elevation vulnerability in Windows Win32k component |
| T1560.006 | Command and Scripting Interpreter: EPS script | Uses the EPS script to deliver payload. |
| T1560 | Archive Collected Data | Encrypts the collected files path with AES and then encodes them with base64. |
| T1119 | Automated Collection | Develops a file stealer to search the C:\ folder and collect files with certain extensions, executes a script to enumerate all drives, store them as a list, and uploads the generated files to the C2 server. |
| T1547.001 | Boot or Logon Autostart Execution: Image File Execution Options Registry Keys / Startup Folder | It has added the path of its second-stage malware to the startup folder to achieve persistence. One of its file stealers has also persisted by adding an Image File Execution Options Registry key. |
| T1566.001 | Phishing: Spearphishing Attachment | Uses spear phishing with an attachment to deliver files with exploits to initial victims. |
| T1203 | Exploitation for Client Execution | Uses malicious documents to deliver remote execution exploits. The group has used CVE-2017-0261. |
About Cyble
Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the darkweb. Cyble’s prime focus is to provide organizations with real-time visibility into their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Startups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com.
