ATK11

Presumed Origin: India < Back

Alias: APT-C-09, Chinastrats, Dropping Elephant, Monsoon, Operation Hangover, Patchwork, Quilted Tiger, Sarit

ATK11 (aka: Patchwork) is a cyber espionage group active since at least 2010. One of its specificity is the use of code copy-pasted from multiple online forums combined with high quality social engineering. It started by the Operation Hangover which goal seemed to be the surveillance of targets of national security interests for India such as Pakistan or the Nagaland movement. This group was involved in the MONSOON campaign targeting multiple Indian neighbour in various sectors.

Patchwork used actuality/sector related themes in lure documents exploiting known vulnerabilities in Microsoft Office software send via email with links to websites customized for the intended target. The group is continuously adding new exploit (not 0-days) in their arsenal.

Patchwork uses different web services as C2 channel like RSS feeds, Github, forums, blogs or dynamic DNS hosts. These channels can be difficult to detect in legitimate traffic.

Some RTF files used by this group was linked with C2 servers which were compromised and defanced by "R00t D3str0y3r" from "Indian Cyber Gangsters" or "lulzsec india" which is an anti-Pakistan group. By following the alias "R00t D3str0y3r", Fortinet managed to get his identity in their article of April 2017. Nevertheless, Fortinet can't says if "R00t D3str0y3r" is really linked to the BADNEWS malware or if it is a coincidence.

Multiple articles showed similarities between Patchwork behaviors and other groups': Confucius, Bahamut, Donot Team or BITTER APT, but there is no definitive conclusion as to whether these groups are the same or not.

REFERENCES

- MITRE, Patchwork, https://attack.mitre.org/groups/G0040/
- 20/05/2013, Operation Hangover, http://www.thecre.com/fnews/wp-content/uploads/2013/05/Unveiling_an_Indian_Cyberattack_Infrastructure.pdf
- 07/07/2016, Cymmetria, Unveiling PATCHWORK The Copy-Paste APT, https://s3-us-west-2.amazonaws.com/cymmetria-blog/public/Unveiling_Patchwork.pdf
- 08/07/2016, Kaspersky, The Dropping Elephant – aggressive cyber-espionage in the Asian region, https://securelist.com/the-dropping-elephant-actor/75328/
- 25/07/2016, Symantec, Patchwork cyberespionage group expands targets from governments to wide range of industries, https://www.symantec.com/connect/blogs/patchwork-cyberespionage-group-expands-targets-governments-wide-range-industries
- 08/08/2016, Forcepoint, MONSOON - Analysis Of An APT Campaign, https://www.forcepoint.com/blog/x-labs/monsoon-analysis-apt-campaign
- 30/01/2017, PaloAlto, Downeks and Quasar RAT Used in Recent Targeted Attacks Against Governments, https://unit42.paloaltonetworks.com/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/
- 05/04/2017, Fortinet, In-Depth Look at New Variant of MONSOON APT Backdoor, Part 1, https://www.fortinet.com/blog/threat-research/in-depth-look-at-new-variant-of-monsoon-apt-backdoor-part-1.html
- 05/04/2017, Fortinet, In-Depth Look at New Variant of MONSOON APT Backdoor, Part 2, https://www.fortinet.com/blog/threat-research/in-depth-look-at-new-variant-of-monsoon-apt-backdoor-part-2.html
- 12/06/2017, bellingcat, Bahamut, Pursuing a Cyber Espionage Actor in the Middle East, https://www.bellingcat.com/news/mena/2017/06/12/bahamut-pursuing-cyber-espionage-actor-middle-east/
- 07/03/2018, Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent, https://unit42.paloaltonetworks.com/unit42-patchwork-continues-deliver-badnews-indian-subcontinent/
- 08/03/2018, Netscout, Donot Team Leverages New Modular Malware Framework in South Asia, https://www.netscout.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia
- 30/03/2018, 360.net, Analysis of the latest cyberattack activities of sensitive organizations in China by the APT organization, https://ti.360.net/blog/articles/analysis-of-apt-c-09-target-china/
- 07/06/2018, Volexity, Patchwork APT Group Targets US Think Tanks, https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/
- 29/08/2018, TrendMicro, The Urpage Connection to Bahamut, Confucius and Patchwork, https://blog.trendmicro.com/trendlabs-security-intelligence/the-urpage-connection-to-bahamut-confucius-and-patchwork/
- 09/10/2018, TrendMicro, Untangling the Patchwork Cyberespionage Group, https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf
- 09/10/2018, TrendMicro, Untangling the Patchwork Cyberespionage Group (Technical Brief), https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf?platform=hootsuite
- 29/11/2018, 360.net, Analysis Of Targeted Attack Against Pakistan By Exploiting InPage Vulnerability And Related APT Groups, https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english/
- 02/08/2019, NSHC, SectorE02 Updates YTY Framework in New Targeted Campaign Against Pakistan Government, https://threatrecon.nshc.net/2019/08/02/sectore02-updates-yty-framework-in-new-targeted-campaign-against-pakistan-government/

Target sector

Aviation
Embassies
Energy
Financial Services
Government and administration agencies
Military
Non-governmental organizations
Pharmacy and drug manufacturing
Political Organizations
Public Services
Software

Target countries

Bangladesh
China
Israel
Japan
Korea, Republic of
Pakistan
Sri Lanka
United Kingdom Of Great Britain And Northern Ireland
United States Of America

Attack pattern

T1003 - Credential Dumping
T1005 - Data from Local System
T1009 - Binary Padding
T1010 - Application Window Discovery
T1020 - Automated Exfiltration
T1022 - Data Encrypted
T1024 - Custom Cryptographic Protocol
T1025 - Data from Removable Media
T1027 - Obfuscated Files or Information
T1032 - Standard Cryptographic Protocol
T1033 - System Owner/User Discovery
T1036 - Masquerading
T1039 - Data from Network Shared Drive
T1041 - Exfiltration Over Command and Control Channel
T1043 - Commonly Used Port
T1045 - Software Packing
T1053 - Scheduled Task
T1056 - Input Capture
T1059 - Command-Line Interface
T1060 - Registry Run Keys / Startup Folder
T1063 - Security Software Discovery
T1064 - Scripting
T1066 - Indicator Removal from Tools
T1071 - Application Layer Protocol
T1071 - Standard Application Layer Protocol
T1073 - DLL Side-Loading
T1074 - Data Staged
T1076 - Remote Desktop Protocol
T1082 - System Information Discovery
T1083 - File and Directory Discovery
T1086 - PowerShell
T1088 - Bypass User Account Control
T1093 - Process Hollowing
T1102 - Web Service
T1105 - Remote File Copy
T1107 - File Deletion
T1112 - Modify Registry
T1113 - Screen Capture
T1114 - Email Collection
T1116 - Code Signing
T1119 - Automated Collection
T1132 - Data Encoding
T1140 - Deobfuscate/Decode Files or Information
T1158 - Hidden Files and Directories
T1173 - Dynamic Data Exchange
T1189 - Drive-by Compromise
T1192 - Spearphishing Link
T1193 - Spearphishing Attachment
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1247 - Acquire OSINT data sets and information
T1249 - Conduct social engineering
T1312 - Compromise 3rd party infrastructure to support delivery
T1345 - Create custom payloads
T1346 - Obtain/re-use payloads
T1362 - Upload, install, and configure software/tools
T1497 - Virtualization/Sandbox Evasion

Motivation

Espionage
Information theft

Malwares

BADNEWS
Backconfig
Enfourks
NDiskMonitor
QuasarRAT
SocksBot
TINYTYPHON
Taskhost Stealer
Unkown Logger Public
Wintel Stealer

Vulnerabilities

CVE-2012-0158
CVE-2012-0422
CVE-2012-1856
CVE-2012-4792
CVE-2014-1761
CVE-2014-4114
CVE-2014-6352
CVE-2015-1641
CVE-2015-2545
CVE-2016-0034
CVE-2016-4171
CVE-2017-0199
CVE-2017-0261
CVE-2017-8570
CVE-2017-11882
CVE-2017-12824