ATK11

Presumed Origin: India

Alias: APT-C-09, Chinastrats, Dropping Elephant, Monsoon, Operation Hangover, Patchwork, Quilted Tiger, Sarit

ATK11 (aka Patchwork) is a cyber espionage group active since at least 2010. One of its distinguishing traits is the use of code copy-pasted from multiple online forums, combined with high-quality social engineering. Its activity started with Operation Hangover, whose goal appeared to be the surveillance of targets of national security interest to India, such as Pakistan or the Nagaland movement. The group was also involved in the MONSOON campaign, which targeted several of India's neighbours across various sectors.

Patchwork used topical and sector-related themes in lure documents that exploit known vulnerabilities in Microsoft Office, sent via email together with links to websites customized for the intended target. The group continuously adds new exploits (not 0-days) to its arsenal.

Patchwork uses various web services as C2 channels, such as RSS feeds, GitHub, forums, blogs, or dynamic DNS hosts. These channels can be difficult to distinguish from legitimate traffic.

Some RTF files used by this group were linked to C2 servers that had been compromised and defaced by "R00t D3str0y3r" of "Indian Cyber Gangsters" or "lulzsec india", an anti-Pakistan group. By following the alias "R00t D3str0y3r", Fortinet managed to establish his identity in its article of April 2017. Nevertheless, Fortinet cannot say whether "R00t D3str0y3r" is really linked to the BADNEWS malware or whether it is a coincidence.

Multiple articles have shown similarities between Patchwork's behaviour and that of other groups (Confucius, Bahamut, Donot Team and BITTER APT), but there is no definitive conclusion as to whether these groups are the same.

Target sector

  • Aviation
  • Embassies
  • Energy
  • Financial Services
  • Government and administration agencies
  • Military
  • Non-governmental organizations
  • Pharmacy and drug manufacturing
  • Political Organizations
  • Public Services
  • Software

Target countries

  • Bangladesh
  • China
  • Israel
  • Japan
  • Korea, Republic of
  • Pakistan
  • Sri Lanka
  • United Kingdom of Great Britain and Northern Ireland
  • United States of America

Attack pattern

  • T1003 - Credential Dumping
  • T1005 - Data from Local System
  • T1009 - Binary Padding
  • T1010 - Application Window Discovery
  • T1020 - Automated Exfiltration
  • T1022 - Data Encrypted
  • T1024 - Custom Cryptographic Protocol
  • T1025 - Data from Removable Media
  • T1027 - Obfuscated Files or Information
  • T1032 - Standard Cryptographic Protocol
  • T1033 - System Owner/User Discovery
  • T1036 - Masquerading
  • T1039 - Data from Network Shared Drive
  • T1041 - Exfiltration Over Command and Control Channel
  • T1043 - Commonly Used Port
  • T1045 - Software Packing
  • T1053 - Scheduled Task
  • T1056 - Input Capture
  • T1059 - Command-Line Interface
  • T1060 - Registry Run Keys / Startup Folder
  • T1063 - Security Software Discovery
  • T1064 - Scripting
  • T1066 - Indicator Removal from Tools
  • T1071 - Application Layer Protocol
  • T1071 - Standard Application Layer Protocol
  • T1073 - DLL Side-Loading
  • T1074 - Data Staged
  • T1076 - Remote Desktop Protocol
  • T1082 - System Information Discovery
  • T1083 - File and Directory Discovery
  • T1086 - PowerShell
  • T1088 - Bypass User Account Control
  • T1093 - Process Hollowing
  • T1102 - Web Service
  • T1105 - Remote File Copy
  • T1107 - File Deletion
  • T1112 - Modify Registry
  • T1113 - Screen Capture
  • T1114 - Email Collection
  • T1116 - Code Signing
  • T1119 - Automated Collection
  • T1132 - Data Encoding
  • T1140 - Deobfuscate/Decode Files or Information
  • T1158 - Hidden Files and Directories
  • T1173 - Dynamic Data Exchange
  • T1189 - Drive-by Compromise
  • T1192 - Spearphishing Link
  • T1193 - Spearphishing Attachment
  • T1203 - Exploitation for Client Execution
  • T1204 - User Execution
  • T1247 - Acquire OSINT data sets and information
  • T1249 - Conduct social engineering
  • T1312 - Compromise 3rd party infrastructure to support delivery
  • T1345 - Create custom payloads
  • T1346 - Obtain/re-use payloads
  • T1362 - Upload, install, and configure software/tools
  • T1497 - Virtualization/Sandbox Evasion

Motivation

  • Espionage
  • Information theft

Malware

  • BADNEWS
  • Backconfig
  • Enfourks
  • NDiskMonitor
  • QuasarRAT
  • SocksBot
  • TINYTYPHON
  • Taskhost Stealer
  • Unknown Logger Public
  • Wintel Stealer

Vulnerabilities

  • CVE-2012-0158
  • CVE-2012-0422
  • CVE-2012-1856
  • CVE-2012-4792
  • CVE-2014-1761
  • CVE-2014-4114
  • CVE-2014-6352
  • CVE-2015-1641
  • CVE-2015-2545
  • CVE-2016-0034
  • CVE-2016-4171
  • CVE-2017-0199
  • CVE-2017-0261
  • CVE-2017-8570
  • CVE-2017-11882
  • CVE-2017-12824