Patchwork
Also known as: Hangover Group · Dropping Elephant · Chinastrats · MONSOON · Operation Hangover
Overview
Patchwork is a cyber espionage group that was first observed in December 2015. While the group has not been definitively attributed, circumstantial evidence suggests the group may be a pro-Indian or Indian entity. Patchwork has been seen targeting industries related to diplomatic and government agencies. Much of the code used by this group was copied and pasted from online forums. Patchwork was also seen operating spearphishing campaigns targeting U.S. think tank groups in March and April of 2018.
Targets
Diplomacy · Finance · Government · Military · Private sector · Security Service
Regions
Bangladesh · Germany · Pakistan · Sri Lanka
Capabilities
- Exploitation of public-facing / client applications — ATT&CK T1203
- Custom malware/implant development — ATT&CK: 6 attributed custom malware families
TTPs — 41 techniques across 13 tactics
Reconnaissance
- T1598.003 Spearphishing Link
Resource Development
- T1587.002 Code Signing Certificates
- T1588.002 Tool
Initial Access
- T1189 Drive-by Compromise
- T1566.001 Spearphishing Attachment
- T1566.002 Spearphishing Link
Execution
- T1053.005 Scheduled Task
- T1059.001 PowerShell
- T1059.003 Windows Command Shell
- T1059.005 Visual Basic
- T1203 Exploitation for Client Execution
- T1204.001 Malicious Link
- T1204.002 Malicious File
- T1559.002 Dynamic Data Exchange
Persistence
- T1547.001 Registry Run Keys / Startup Folder
Privilege Escalation
- T1548.002 Bypass User Account Control
Stealth
- T1027.001 Binary Padding
- T1027.002 Software Packing
- T1027.005 Indicator Removal from Tools
- T1027.010 Command Obfuscation
- T1036.005 Match Legitimate Resource Name or Location
- T1055.012 Process Hollowing
- T1070.004 File Deletion
- T1197 BITS Jobs
- T1574.001 DLL
Defense Impairment
- T1112 Modify Registry
- T1553.002 Code Signing
Credential Access
- T1555.003 Credentials from Web Browsers
Discovery
- T1033 System Owner/User Discovery
- T1082 System Information Discovery
- T1083 File and Directory Discovery
- T1518.001 Security Software Discovery
- T1680 Local Storage Discovery
Lateral Movement
- T1021.001 Remote Desktop Protocol
Collection
- T1005 Data from Local System
- T1074.001 Local Data Staging
- T1119 Automated Collection
- T1560 Archive Collected Data
Command and Control
- T1102.001 Dead Drop Resolver
- T1105 Ingress Tool Transfer
- T1132.001 Standard Encoding
Tools & malware (8)
NDiskMonitor · QuasarRAT · BackConfig · TINYTYPHON · AutoIt backdoor · PowerSploit · BADNEWS · Unknown Logger
Reporting (3)
- Updated BackConfig Malware Targeting Government and Military Organizations in South Asia — Hinchliffe, A. and Falcone, R.
- Patchwork APT Group Targets US Think Tanks — Meltzer, M. et al.
- Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent — Levene, B. et al.