Application security, Threat Intelligence

Patchwork cyberespionage campaign branches out to strike businesses


The cybergang behind the Patchwork, aka Dropping Elephant, cyberespionage campaign has expanded its reach outside of government organizations and is now hitting the private sector and it manages to cause problems even if the target does not click on the malicious link.

Symantec reported this campaign became active at the latest in November 2015, and possibly several months earlier, when it mainly targeted government and government-related groups with trojan-laced spam emails. It was originally disclosed by Kaspersky Lab in early July.

While Patchwork has maintained its interest in public sector groups, it recently added a new sector, private businesses, to include those in aviation, energy, financial and publishing industries. About half the attacks have taken place against entities in the United States with others striking China, Japan, South East Asia and the U.K.

The gang uses legitimate newsletters subscriber lists to distribute its own newsletters, which instead of just containing news, have links that lead to a malicious websites. Each newsletter is socially engineered to appeal to the target audience by containing information on that companies area of interest thus encouraging the victims to click on the links.

The websites contain a malicious PowerPoint and a rich text file with a Word .doc extension that utilize older Windows vulnerabilities. The PowerPoint file exploits the Microsoft Windows OLE Package Manager Remote Code Execution Vulnerability (CVE-2014-4114), used in the 2014 Sandstorm attacks, while the Word document uses the Microsoft Office Memory Corruption Vulnerability (CVE-2015-1641), which was patched in 2015, Symantec Researcher Joji Hamada wrote in a blog.

What is particularly devious about Patchwork is it is damaging even if the target is smart enough to not click on the malicious link.

“If the user chooses to open the file, the computer will be compromised. If the user chooses not to open it, the computer will not be infected. However, Backdoor.Enfourks will be dropped, though not executed, into the temporary directory when the .pps file is opened. This poses a risk of compromise to the intended target,” Hamada said.

Generally, one of two payloads are dropped by these files. The PowerPoint delivers Backdoor.Enfourks and the .doc Backdoor.Steladok. Each can be remotely activated at which time they search for and upload files to a command and control server.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.