Security experts from Symantec have spotted a new cyber espionage campaign managed by the Patchwork group targeting organizations in multiple industries.
The hacker crew is a well-known group, its activities are focused on diplomatic and government targets, but this last campaign demonstrates its interested in companies too.
The group is also known as Dropping Elephant, its campaigns were documented by researchers at Kaspersky that highlighted the interest of the group in Chinese foreign relations.
The group’s activities, this time, were also extended outside Asia, almost half of the targets of this last campaigns were based in the U.S.
Experts from Symantec revealed that recent attacks targeted companies and organizations in multiple industries, including aviation, broadcasting, energy, financial, NGO, pharmaceutical, public sector, publishing and also software.
“As other researchers observed, Patchwork originally targeted governments and government-related organizations. However, the group has since expanded its focus to include a broader range of industries.” states the report from Symantec. “According to Symantec telemetry, targeted organizations are located in dispersed regions. Although approximately half of the attacks focus on the US, other targeted regions include China, Japan, South East Asia, and the United Kingdom.”
The Patchwork activities leveraged on ready-made offensive toolsets, but their actions were very effective due to the use of high-quality social engineering.
The group’s activities were documented earlier this month by researchers at Kaspersky Lab, who noted in their analysis that China’s foreign relations efforts appear to represent the main interest of the attackers.
The Patchwork used a legitimate mailing list provider to send newsletter-like emails to target organizations. The content of the sites pointed by the link in the bogus emails was specifically crafted to be of interest for the target companies.
The malicious websites have links to .pps (PowerPoint) or .doc (Word) files that were hosted on other domains. When victims download and open the files attempt to exploit known flaws in Microsoft Office to compromise the victim’s PC.
“The PowerPoint files appear to exploit the Microsoft Windows OLE Package Manager Remote Code Execution Vulnerability (CVE-2014-4114), which was used in the Sandworm attacks against American and European targets in October 2014. The rich text files typically attempt to exploit the Microsoft Office Memory Corruption Vulnerability(CVE-2015-1641), which was patched in April 2015. We have also confirmed an older flaw being exploited, theMicrosoft Windows Common Controls ActiveX Control Remote Code Execution Vulnerability (CVE-2012-0158).” continues Symantec.
Some of the vulnerabilities exploited in the Patchwork attacks were well known and fixed more than one year ago.
Experts at Symantec highlighted that the PowerPoint files used by the hacker crew try to exploit the CVE-2014-4114 flaw to deliver the Enfourks backdoor.
The .doc files used by the group try to exploit the CVE-2012-0158 or CVE-2015-1641 flaws in order to deliver the Steladok backdoor.
(Security Affairs – Patchwork group, cyber espionage)