Skip to content

G0040 Patchwork

Patchwork is a cyber espionage group that was first observed in December 2015. While the group has not been definitively attributed, circumstantial evidence suggests the group may be a pro-Indian or Indian entity. Patchwork has been seen targeting industries related to diplomatic and government agencies. Much of the code used by this group was copied and pasted from online forums. Patchwork was also seen operating spearphishing campaigns targeting U.S. think tank groups in March and April of 2018.1 378

Item Value
ID G0040
Associated Names Hangover Group, Dropping Elephant, Chinastrats, MONSOON, Operation Hangover
Version 1.5
Created 31 May 2017
Last Modified 22 March 2023
Navigation Layer View In ATT&CK® Navigator

Associated Group Descriptions

Name Description
Hangover Group Patchwork and the Hangover Group have both been referenced as aliases for the threat group associated with Operation Monsoon.649
Dropping Elephant 3 5 6 8
Chinastrats 5
MONSOON MONSOON is the name of an espionage campaign; we use it here to refer to the actor group behind the campaign. 9 6
Operation Hangover It is believed that the actors behind Patchwork are the same actors behind Operation Hangover. 9 2

Techniques Used

Domain ID Name Use
enterprise T1548 Abuse Elevation Control Mechanism -
enterprise T1548.002 Bypass User Account Control Patchwork bypassed User Access Control (UAC).1
enterprise T1560 Archive Collected Data Patchwork encrypted the collected files’ path with AES and then encoded them with base64.7
enterprise T1119 Automated Collection Patchwork developed a file stealer to search C:\ and collect files with certain extensions. Patchwork also executed a script to enumerate all drives, store them as a list, and upload generated files to the C2 server.7
enterprise T1197 BITS Jobs Patchwork has used BITS jobs to download malicious payloads.4
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder Patchwork has added the path of its second-stage malware to the startup folder to achieve persistence. One of its file stealers has also persisted by adding a Registry Run key.17
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell Patchwork used PowerSploit to download payloads, run a reverse shell, and execute malware on the victim’s machine.17
enterprise T1059.003 Windows Command Shell Patchwork ran a reverse shell with Meterpreter.1 Patchwork used JavaScript code and .SCT files on victim machines.78
enterprise T1059.005 Visual Basic Patchwork used Visual Basic Scripts (VBS) on victim machines.78
enterprise T1555 Credentials from Password Stores -
enterprise T1555.003 Credentials from Web Browsers Patchwork dumped the login data database from \AppData\Local\Google\Chrome\User Data\Default\Login Data.1
enterprise T1132 Data Encoding -
enterprise T1132.001 Standard Encoding Patchwork used Base64 to encode C2 traffic.1
enterprise T1005 Data from Local System Patchwork collected and exfiltrated files from the infected system.1
enterprise T1074 Data Staged -
enterprise T1074.001 Local Data Staging Patchwork copied all targeted files to a directory called index that was eventually uploaded to the C&C server.7
enterprise T1587 Develop Capabilities -
enterprise T1587.002 Code Signing Certificates Patchwork has created self-signed certificates from fictitious and spoofed legitimate software companies that were later used to sign malware.4
enterprise T1189 Drive-by Compromise Patchwork has used watering holes to deliver files with exploits to initial victims.38
enterprise T1203 Exploitation for Client Execution Patchwork uses malicious documents to deliver remote execution exploits as part of. The group has previously exploited CVE-2017-8570, CVE-2012-1856, CVE-2014-4114, CVE-2017-0199, CVE-2017-11882, and CVE-2015-1641.1536784
enterprise T1083 File and Directory Discovery A Patchwork payload has searched all fixed drives on the victim for files matching a specified list of extensions.17
enterprise T1574 Hijack Execution Flow -
enterprise T1574.002 DLL Side-Loading A Patchwork .dll that contains BADNEWS is loaded and executed using DLL side-loading.7
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion Patchwork removed certain files and replaced them so they could not be retrieved.7
enterprise T1105 Ingress Tool Transfer Patchwork payloads download additional files from the C2 server.57
enterprise T1559 Inter-Process Communication -
enterprise T1559.002 Dynamic Data Exchange Patchwork leveraged the DDE protocol to deliver their malware.7
enterprise T1036 Masquerading -
enterprise T1036.005 Match Legitimate Name or Location Patchwork installed its payload in the startup programs folder as “Baidu Software Update.” The group also adds its second stage payload to the startup programs as “Net Monitor.”1 They have also dropped QuasarRAT binaries as files named microsoft_network.exe and crome.exe.8
enterprise T1112 Modify Registry A Patchwork payload deletes Resiliency Registry keys created by Microsoft Office applications in an apparent effort to trick users into thinking there were no issues during application runs.7
enterprise T1027 Obfuscated Files or Information -
enterprise T1027.001 Binary Padding Patchwork apparently altered NDiskMonitor samples by adding four bytes of random letters in a likely attempt to change the file hashes.7
enterprise T1027.002 Software Packing A Patchwork payload was packed with UPX.5
enterprise T1027.005 Indicator Removal from Tools Patchwork apparently altered NDiskMonitor samples by adding four bytes of random letters in a likely attempt to change the file hashes.7
enterprise T1027.010 Command Obfuscation Patchwork has obfuscated a script with Crypto Obfuscator.7
enterprise T1588 Obtain Capabilities -
enterprise T1588.002 Tool Patchwork has obtained and used open-source tools such as QuasarRAT.8
enterprise T1566 Phishing -
enterprise T1566.001 Spearphishing Attachment Patchwork has used spearphishing with an attachment to deliver files with exploits to initial victims.1578
enterprise T1566.002 Spearphishing Link Patchwork has used spearphishing with links to deliver files with exploits to initial victims.374
enterprise T1598 Phishing for Information -
enterprise T1598.003 Spearphishing Link Patchwork has used embedded image tags (known as web bugs) with unique, per-recipient tracking links in their emails for the purpose of identifying which recipients opened messages.8
enterprise T1055 Process Injection -
enterprise T1055.012 Process Hollowing A Patchwork payload uses process hollowing to hide the UAC bypass vulnerability exploitation inside svchost.exe.1
enterprise T1021 Remote Services -
enterprise T1021.001 Remote Desktop Protocol Patchwork attempted to use RDP to move laterally.1
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task A Patchwork file stealer can run a TaskScheduler DLL to add persistence.7
enterprise T1518 Software Discovery -
enterprise T1518.001 Security Software Discovery Patchwork scanned the “Program Files” directories for a directory with the string “Total Security” (the installation path of the “360 Total Security” antivirus tool).1
enterprise T1553 Subvert Trust Controls -
enterprise T1553.002 Code Signing Patchwork has signed malware with self-signed certificates from fictitious and spoofed legitimate software companies.4
enterprise T1082 System Information Discovery Patchwork collected the victim computer name, OS version, and architecture type and sent the information to its C2 server. Patchwork also enumerated all available drives on the victim’s machine.17
enterprise T1033 System Owner/User Discovery Patchwork collected the victim username and whether it was running as admin, then sent the information to its C2 server.17
enterprise T1204 User Execution -
enterprise T1204.001 Malicious Link Patchwork has used spearphishing with links to try to get users to click, download and open malicious files.3784
enterprise T1204.002 Malicious File Patchwork embedded a malicious macro in a Word document and lured the victim to click on an icon to execute the malware.78
enterprise T1102 Web Service -
enterprise T1102.001 Dead Drop Resolver Patchwork hides base64-encoded and encrypted C2 server locations in comments on legitimate websites.5

Software

ID Name References Techniques
S0129 AutoIt backdoor 9 Bypass User Account Control:Abuse Elevation Control Mechanism PowerShell:Command and Scripting Interpreter Standard Encoding:Data Encoding File and Directory Discovery
S0475 BackConfig 4 Web Protocols:Application Layer Protocol Windows Command Shell:Command and Scripting Interpreter Visual Basic:Command and Scripting Interpreter Deobfuscate/Decode Files or Information File and Directory Discovery Hidden Files and Directories:Hide Artifacts File Deletion:Indicator Removal Ingress Tool Transfer Match Legitimate Name or Location:Masquerading Native API Command Obfuscation:Obfuscated Files or Information Office Template Macros:Office Application Startup Scheduled Task:Scheduled Task/Job Code Signing:Subvert Trust Controls System Information Discovery Malicious Link:User Execution
S0128 BADNEWS 97 Web Protocols:Application Layer Protocol Automated Collection Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Windows Command Shell:Command and Scripting Interpreter Standard Encoding:Data Encoding Data Encoding Data from Local System Data from Network Shared Drive Data from Removable Media Local Data Staging:Data Staged Symmetric Cryptography:Encrypted Channel File and Directory Discovery DLL Side-Loading:Hijack Execution Flow Ingress Tool Transfer Keylogging:Input Capture Invalid Code Signature:Masquerading Match Legitimate Name or Location:Masquerading Native API Peripheral Device Discovery Process Hollowing:Process Injection Scheduled Task:Scheduled Task/Job Screen Capture Dead Drop Resolver:Web Service Bidirectional Communication:Web Service
S0272 NDiskMonitor 7 Symmetric Cryptography:Encrypted Channel File and Directory Discovery Ingress Tool Transfer System Information Discovery System Owner/User Discovery
S0194 PowerSploit 1 Access Token Manipulation Local Account:Account Discovery Audio Capture Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Security Support Provider:Boot or Logon Autostart Execution PowerShell:Command and Scripting Interpreter Windows Service:Create or Modify System Process Windows Credential Manager:Credentials from Password Stores Data from Local System Domain Trust Discovery DLL Search Order Hijacking:Hijack Execution Flow Path Interception by Unquoted Path:Hijack Execution Flow Path Interception by Search Order Hijacking:Hijack Execution Flow Path Interception by PATH Environment Variable:Hijack Execution Flow Keylogging:Input Capture Indicator Removal from Tools:Obfuscated Files or Information Command Obfuscation:Obfuscated Files or Information LSASS Memory:OS Credential Dumping Process Discovery Dynamic-link Library Injection:Process Injection Query Registry Reflective Code Loading Scheduled Task:Scheduled Task/Job Screen Capture Kerberoasting:Steal or Forge Kerberos Tickets Credentials in Registry:Unsecured Credentials Group Policy Preferences:Unsecured Credentials Windows Management Instrumentation
S0262 QuasarRAT 78 Bypass User Account Control:Abuse Elevation Control Mechanism Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Windows Command Shell:Command and Scripting Interpreter Credentials from Password Stores Credentials from Web Browsers:Credentials from Password Stores Data from Local System Symmetric Cryptography:Encrypted Channel Hidden Files and Directories:Hide Artifacts Hidden Window:Hide Artifacts Ingress Tool Transfer Keylogging:Input Capture Modify Registry Non-Application Layer Protocol Non-Standard Port Proxy Remote Desktop Protocol:Remote Services Scheduled Task:Scheduled Task/Job Code Signing:Subvert Trust Controls System Information Discovery System Location Discovery System Network Configuration Discovery System Owner/User Discovery Credentials In Files:Unsecured Credentials Video Capture
S0131 TINYTYPHON 9 Automated Exfiltration Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution File and Directory Discovery Obfuscated Files or Information
S0130 Unknown Logger 9 Credentials from Web Browsers:Credentials from Password Stores Disable or Modify Tools:Impair Defenses Ingress Tool Transfer Keylogging:Input Capture Replication Through Removable Media System Information Discovery System Network Configuration Discovery System Owner/User Discovery

References