

APT Report: How we caught Patchwork with Cyber Deception

Patchwork is a targeted threat that was disclosed by Cymmetria’s research team last Thursday. Patchwork has affected about 2,500 targets worldwide since December 2015.

The threat actor shows a high interest in Southeast Asia, targeting individuals employed by governments and government-related organizations, specifically those dealing with political and military aspects relating to the region. While the attack is global, including targets in the US, Europe, and the Middle East, many of the target countries are in the area surrounding the Indian subcontinent.

One of the interesting aspects of the report is that it is the first targeted threat captured using a commercial deception product. Using Cymmetria’s MazeRunner, we were able to capture the attacker’s second stage toolset and malware, as well as observe lateral movement activity.


To achieve this, we created data on the targeted endpoint. The data was picked up by the threat actor after infecting the system. Thus, when lateral movement was attempted, the threat actor followed our breadcrumbs and connected to an SMB backup decoy, as well as an RDP decoy running in the cloud.
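The decoy side of that setup can be reduced to a simple rule: a decoy offers no real service and nobody legitimate is ever pointed at it, so any connection that follows a planted breadcrumb is an alert on its own. The listener below is an added illustration of that rule, written for this post; it is not MazeRunner code and the SMB-style bytes sent to it in the demo are constructed. It records the source address and the first bytes of each touch, which is enough to tell an SMB session request from an RDP connection or a bare port scan when the events are reviewed.

```python
import socket
import threading
import time
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class DecoyEvent:
    """One recorded touch of a decoy service."""
    when_utc: str
    service: str
    src_ip: str
    src_port: int
    first_bytes: bytes


class DecoyListener:
    """Minimal TCP decoy (hypothetical helper, not the product's code).

    The decoy answers nothing. Because no legitimate client is configured
    to talk to it, every accepted connection is recorded as an alert; the
    first bytes received are kept as a protocol fingerprint for triage.
    """

    def __init__(self, service, port=0, bind_addr="127.0.0.1"):
        self.service = service
        self.events = []
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((bind_addr, port))   # port 0: let the OS pick a free port
        self._sock.listen(5)
        self._sock.settimeout(0.2)           # lets the accept loop notice stop()
        self.port = self._sock.getsockname()[1]
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()
        return self

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, (ip, port) = self._sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            with conn:
                conn.settimeout(0.5)
                try:
                    data = conn.recv(64)     # a fingerprint only; nothing is answered
                except (socket.timeout, OSError):
                    data = b""
            event = DecoyEvent(datetime.now(timezone.utc).isoformat(),
                               self.service, ip, port, data)
            with self._lock:
                self.events.append(event)

    def alerts(self):
        with self._lock:
            return list(self.events)

    def stop(self):
        self._stop.set()
        self._thread.join()
        self._sock.close()


def wait_for_alerts(listener, count, timeout=3.0):
    """Poll until the decoy has recorded `count` events or the timeout passes."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        if len(listener.alerts()) >= count:
            return True
        time.sleep(0.05)
    return False


def touch(host, port, payload):
    """Stand-in for a client that followed a breadcrumb to the decoy (constructed)."""
    with socket.create_connection((host, port), timeout=2) as s:
        s.sendall(payload)


if __name__ == "__main__":
    decoy = DecoyListener("smb-backup-decoy").start()
    # Constructed sample: a NetBIOS session header followed by the "\xffSMB" magic.
    touch("127.0.0.1", decoy.port, b"\x00\x00\x00\x85\xffSMBr\x00")
    wait_for_alerts(decoy, 1)
    for e in decoy.alerts():
        print(f"ALERT {e.when_utc} {e.service} from {e.src_ip}:{e.src_port} "
              f"first bytes {e.first_bytes!r}")
    decoy.stop()
```

In a real deployment the listener would bind the service's actual port on a host that the breadcrumbs name, and the recorded events would be forwarded to the SIEM; the point of the example is that no signature is needed, since the mere act of connecting is the indicator.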


The scale of the threat actor's operation is impressive, especially given the technical capability displayed, which was low to say the least. The threat actor's malware and toolset were largely constructed from code taken from various online forums and GitHub projects. This is how it received its name: Patchwork, the copy-paste APT. In fact, it would be more appropriate to call this a targeted attack rather than an APT, since it wasn't what we would consider to be "advanced".

We do not have enough information available to be able to determine attribution. That said, all the information we do have points to the possibility of the threat actor being Indian, or at the very least pro-India. For example, below you can see a time zone map of the threat actor’s working hours, as broken down by daytime hours, assuming a working day of 9am to 7pm.

[Figure: time zone map of the threat actor's working hours]
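The working-hours analysis behind that map can be reproduced from activity timestamps alone. The script below is an added example for this post, not code or data from Cymmetria's report: it takes a set of UTC timestamps, shifts them through every half-hour UTC offset, and ranks the offsets by how much of the activity lands inside the assumed 9am to 7pm working day. The sample timestamps are constructed to cluster in a working day at UTC+5:30, so the ranking recovers that offset; with real data the ranking is one signal to weigh alongside others, as the post's own caution about attribution implies.

```python
from datetime import datetime, timedelta, timezone

# The post's assumption: a working day runs 9:00 to 19:00 local time.
WORKDAY_START, WORKDAY_END = 9, 19

# Constructed sample of activity timestamps in UTC (not data from the report).
# They were chosen to cluster in a 9-to-7 working day at UTC+5:30, with one
# late-night outlier.
SAMPLE_UTC = [
    datetime.strptime(s, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)
    for s in (
        "2016-01-04 03:45", "2016-01-04 05:10", "2016-01-04 07:30",
        "2016-01-04 10:05", "2016-01-04 13:15", "2016-01-05 04:20",
        "2016-01-05 06:45", "2016-01-05 09:00", "2016-01-05 11:40",
        "2016-01-05 12:55", "2016-01-06 03:50", "2016-01-06 08:15",
        "2016-01-06 10:30", "2016-01-06 13:10", "2016-01-06 22:30",
    )
]

# Candidate UTC offsets in half-hour steps from -12:00 to +14:00.
CANDIDATE_OFFSETS = [h / 2 for h in range(-24, 29)]


def local_hour(ts_utc, offset_hours):
    """Hour of day of a UTC timestamp once shifted to the candidate offset."""
    return ts_utc.astimezone(timezone(timedelta(hours=offset_hours))).hour


def hourly_histogram(timestamps_utc, offset_hours):
    """24 buckets of activity counts in the candidate local time."""
    buckets = [0] * 24
    for ts in timestamps_utc:
        buckets[local_hour(ts, offset_hours)] += 1
    return buckets


def workday_fit(timestamps_utc, offset_hours):
    """Fraction of events whose local hour falls inside the assumed working day."""
    hist = hourly_histogram(timestamps_utc, offset_hours)
    inside = sum(hist[WORKDAY_START:WORKDAY_END])
    return inside / sum(hist)


def rank_offsets(timestamps_utc, offsets=CANDIDATE_OFFSETS):
    """Candidate offsets as (offset, fit) pairs, best fit first."""
    scored = [(off, workday_fit(timestamps_utc, off)) for off in offsets]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    for off, fit in rank_offsets(SAMPLE_UTC)[:5]:
        print(f"UTC{off:+.1f}: {fit:.0%} of activity inside 09:00-19:00")
```

The half-hour step matters: a whole-hour grid cannot distinguish UTC+5:30 from its neighbours, and on the sample above UTC+5 and UTC+6 each lose two events at the edges of the day that UTC+5:30 keeps.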

This investigation was very exciting, and we hope you will find the report we created useful. We also released IoCs in CSV and STIX formats, along with the MazeRunner campaign file, on Cymmetria Research's GitHub.
