Patchwork APT Group Targets US Think Tanks
By mindgrub
Published: 2018-06-07 · Archived: 2026-04-05 15:08:05 UTC
In March and April 2018, Volexity identified multiple spear phishing campaigns attributed to Patchwork, an Indian
APT group also known as Dropping Elephant. This increase in threat activity was consistent with other
observations documented over the last few months in blogs by 360 Threat Intelligence Center analyzing attacks on
Chinese organizations and Trend Micro noting targets in South Asia. From the attacks observed by Volexity, what
is most notable is that Patchwork has pivoted its targeting and has launched attacks directly against US-based
think tanks. Volexity has also found that, in addition to sending malware lures, the Patchwork threat actors are
leveraging unique tracking links in their e-mails for the purpose of identifying which recipients opened their e-mail messages.
In three observed spear phishing campaigns, the threat actors leveraged domains and themes mimicking those of
well-known think tank organizations in the United States. The group lifted articles and themes from the Council
on Foreign Relations (CFR), the Center for Strategic and International Studies (CSIS), and the Mercator Institute
for China Studies (MERICS) for use in their spear phishing lures and malicious Rich Text Format (RTF)
documents. Strangely, in one case, the threat actors also appear to have used a domain name similar to the Foreign
Policy Research Institute (FPRI) in a message purporting to be from CFR. Each of the spear phishing attacks
contained links to .doc files, which were really RTF documents that attempt to exploit CVE-2017-8570
(Composite Moniker). The threat actors appear to have leveraged publicly available exploit code that can be found
https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/
Page 1 of 11
on Github at the URL: https://github.com/rxwx/CVE-2017-8570. If the exploit is successful, the threat actors will
attempt to drop and execute QuasarRAT. Details of the malware and the associated attacks are listed below.
Spear Phishing Messages
Each e-mail was sent from the attacker-controlled domain mailcenter.support. This domain was not only used to
send the phishing e-mails, but also to track which targets opened the e-mail. Within each of the HTML-formatted
messages, an embedded image tag is used to beacon home to the attacker’s domain, containing an unique
identifier specific to the recipient.
remained the same, certain elements differed across campaigns observed. Details on each of the messages are
listed below.
Message 1:
Headers Received: by mailcenter.support
Sender China Policy Analysis Subject Chinas Arctic Dream
Body
Content and images included within the e-mail body were a direct copy of the following CSIS
article:
https://www.csis.org/analysis/chinas-arctic-dream
Notes
The hyperlinked text Download File of “China’s Arctic Dream” within the e-mail body lead to
a malicious RTF document located at the URL
hxxp://chinapolicyanalysis.org/Chinas_Arctic_Dream.doc.
The chinapolicyanalysis.org domain was used as the sender address, as well as the hosting
location of the malicious RTF document.
Message 2:
Headers Received: by mailcenter.support
Sender Council on Foreign Relations Subject The Four Traps China May Fall Into
https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/
Page 2 of 11
Body
Content and images included within the e-mail body were a direct copy of the following CFR
article:
https://www.cfr.org/blog/four-traps-china-may-fall
Notes
Multiple hyperlinks within the e-mail body lead to a malicious RTF document located at the URL
hxxp://fprii.net/The_Four_Traps_for_China.doc.
The fprii.net domain was used as the sender address, as well as the hosting location of the
malicious RTF document. The structure of the domain mimics the Foreign Policy Research
Institute (FPRI), whose actual domain is fpri.net.
Message 3:
Headers Received: by mailcenter.support
Sender Mercator Institute for China Studies
Subject Authoritarian advance Responding to Chinas growing political influence in Europe
Body
Content and images included within the e-mail body were a direct copy of the following MERICS
report:
https://www.merics.org/sites/default/files/2018-
02/GPPi_MERICS_Authoritarian_Advance_2018_1.pdf
Notes
The hyperlinked text Click here to download the report within the e-mail body lead to a
malicious RTF document located at the URL
hxxp://www.mericcs.org/GPPi_MERICS_Authoritarian_Advance_2018_1Q.doc.
The mericcs.org domain was used as the sender address, as well as the hosting location of the
malicious RTF document. The structure of the domain mimics the Mercator Institute for China
Studies (MERICS), whose actual domain is merics.org.
Sample Message
The image below shows an example of how the spear phishing message would look to a recipient.
https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/
Page 3 of 11
Exploitation and Malware Execution
Upon opening the above attachments, the recipient will be presented with a document that is a direct copy of a
blog post or report released by the think tank organization being impersonated. At first glance, everything might
look legitimate, but in the background the target user has likely just been infected with QuasarRAT. QuasarRAT is
a freely available “remote (administration|access) tool” (RAT) written in C# and distributed via Github. This RAT
provides a variety of functionality that makes it particularly attractive to an attacker. This includes, but is not
limited to, the following:
AES encryption of network communication
File management
Functionality to download, upload, and execute files
Keylogging
Remote desktop access
Remote webcam viewing
Reverse proxy
https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/
Page 4 of 11
Browser and FTP client password recovery
The images below are what a target user opening a malicious RTF document would see from within Microsoft
Word.
When the malicious RTF document is opened, two things happen that allow the attacker malware to run. First, the
“packager trick” is leveraged in order to embed the initial QuasarRAT dropper (qrat.exe) in the malicious RTF
document. Its called the “packager trick” because any file embedded in an RTF file using packager will be
automatically dropped to the %tmp% folder (c:\Users\%username%\AppData\Local\Temp) when the RTF
document is opened. Second, the threat actors exploit CVE-2017-8570 to achieve code execution via a malicious
“scriptlet” file, or .sct file, which is also embedded in the malicious RTF document. The contents of the malicious
scriptlet file (displayed below) clearly show the threat actor executing the initial “qrat.exe” dropper from the
current user’s %tmp% directory.
Note: The scriptlet code is an exact match to that shown on the Github page referenced earlier for CVE-2017-
8570. The string “fjzmpcjvqp” is unique and not something likely to be present if the code was not generated with
the same public POC exploit code.
After the initial dropper (qrat.exe) has been executed by the embedded scriptlet, it creates a directory in
C:\Users\%username%\AppData\Roaming\Microsoft Network\microsoft_network\1.0.0.0 and
unpacks/drops the final QuasarRAT binary named microsoft_network.exe.
The malware also contains an embedded .NET wrapper DLL for creating and managing scheduled tasks on
Windows systems. The file, named Microsoft.Win32.TaskScheduler.dll, is digitally signed by a certificate from
AirVPN.
https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/
Page 6 of 11
This DLL is used to create a scheduled task that points to the QuasarRAT binary, microsoft_network.exe,
allowing it to remain persistent after reboot.
As seen in the image above, the QuasarRAT scheduled task is named Microsoft_Security_Task and runs at 12:00
AM each day. Once the task is triggered, it will then repeat every 5 minutes for 60 days. When executed,
microsoft_network.exe will initiate a request to freegeoip.net in order to determine the geographical location of
the infected host. Immediately following the request, the malware will begin to beacon over an encrypted
connection to the threat actor’s command and control domain tautiaos.com (43.249.37.199). Several related
samples were identified and are included in the File Indicators section below.
Conclusion
The addition of US-based think tanks to the list of organizations in the crosshairs of Patchwork shows an
increasing diversity in the geographic regions being targeted. While there were a few peculiar components to some
of the spear phish messages, the campaigns and themes were strategically relevant to the organizations being
targeted. The Patchwork threat actors also appear to have adopted a technique seen from other APT groups where
https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/
Page 7 of 11
they are now tracking the effectiveness of their campaigns by recording which recipients have opened the phishing
message. This information allows a threat actor to determine if their messages were delivered, which users are
more susceptible to opening them, and basic information regarding the target’s operating system and e-mail client
(or browser). Finally, although the payload observed being delivered by Patchwork in these campaigns is a readily
available open source RAT, it does allow for flexibility in interacting with compromised machines without
needing to use custom malware. Volexity is actively tracking this group and the infrastructure currently in use for
the benefit of its network security monitoring and threat intelligence customers.
File Indicators
Samples Observed from Spear Phishing Messages Above
Filename Chinas_Arctic_Dream.doc
File Size 6587812 bytes
MD5 598eeb6a18233023f3551097aa49b083
SHA1 e9a46966f93fe15c22636a5033c61c725add8fa5
Notes Malicious RTF document that exploits CVE-2017-8570 and drops QuasarRAT file qrat.exe.
Filename The_Four_Traps_for_China.doc
File Size 4428595 bytes
MD5 7659c41a30976d523bb0fbb8cde49094
SHA1 3f1f3e838a307aff52fbcb5bba5e4c8fe68c30e5
Notes Malicious RTF document that exploits CVE-2017-8570 and drops QuasarRAT file qrat.exe.
Filename The_Four_Traps_for_China.doc
File Size 4428595 bytes
MD5 7659c41a30976d523bb0fbb8cde49094
SHA1 3f1f3e838a307aff52fbcb5bba5e4c8fe68c30e5
Notes Malicious RTF document that exploits CVE-2017-8570 and drops QuasarRAT file qrat.exe.
Filename qrat.exe
File Size 1093120 bytes
MD5 c05e5131b196f43e1d02ca5ccc48ec0e
SHA1 f28c592833f234c619917b5c7d8974840a810247
https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/
Page 8 of 11
Notes
Dropper that installs QuasarRAT file microsoft_network.exe and scheduled task wrapper file
Microsoft.Win32.TaskScheduler.dll.
Filename microsoft_network.exe
File Size 846336 bytes
MD5 9e4c373003c6d8f6597f96fc3ff1f49c
SHA1 b7319a5ccf605fb2ff7760130e212728bccad323
Notes
QuasarRAT file that beacons to hardcoded IP 43.249.37.199 and the domain tautiaos.com. File is
dropped to
C:\Users\%USERNAME%\AppData\Roaming\Microsoft
Network\microsoft_network\1.0.0.0\microsoft_network.exe.
Filename Microsoft.Win32.TaskScheduler.dll
File Size 204488 bytes
MD5 6fa7fce844065ce9c605cbe713f3e170
SHA1 2f7eaad80eab3e9dcc67a003968b35c227290c69
Notes
.NET Task Scheduler Managed Wrapper from https://github.com/dahall/taskschedule. The DLL
is also digitally signed by a certificate from “AirVPN”.
Additional Observed Malware Files
Filename Armed-Forces-Officers.doc
File Size 3226435 bytes
MD5 89beb207e7095d237c4d25c4c6e17e97
SHA1 15010f7cea913f2a36c56da7d73c2b9eb5a3878f
Notes
Malicious RTF document that exploits CVE-2017-8570 and drops a Delphi RAT with the file
name vsrss.exe.
https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/
Page 9 of 11
Filename Part-I.doc
File Size 11349102 bytes
MD5 92942c54224cd462dd201ae11a560bb8
SHA1 85a21624df2211af3daf05c86a3fbea8271059d3
Notes
Malicious RTF document that exploits CVE-2017-8570 and drops QuasarRAT file qrat.exe. This
is the same file described above.
Filename Part-II.doc
File Size 10156713 bytes
MD5 e32668e569362c96cc56db368b7e821e
SHA1 dadc493abbe3e21610539e1d5a42f523626a6132
Notes
Malicious RTF document that exploits CVE-2017-8570 and drops QuasarRAT file mico-audio.exe. Upon execution it will be installed under the filename crome.exe.
Filename vsrss.exe
File Size 446976 bytes
MD5 5c3456d5932544b779fe814133344fdb
SHA1 7ab750afb25457a81c27a98dc6dfd51c27e61b0e
Notes Delphi RAT file that beacons to ebeijingcn.live.
Filename mico-audio.exe, crome.exe
https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/
Page 10 of 11
File Size 494592 bytes
MD5 2d8e9fb75e6e816cad38189691e9c9c8
SHA1 2b9a2d5b34b4d79fdfd6c7b861311b12d1627163
Notes
QuasarRAT binary that beacons to hardcoded IP 209.58.176.201 and domain sastind-cn.org. File
starts as mico-audio.exe and installs to C:\Users\%USERNAME%\AppData\Roaming\google-chrome\crome.exe.
Network Indicators
Hostname IP Address Notes
mailcenter.support 221.121.138.139 Domain used to for sending spear phishes and user tracking.
chinapolicyanalysis.org 185.130.212.168
Domain used for spear phish sender e-mail address and to host
malicious documents.
fprii.net 185.130.212.254
Domain used for spear phish sender e-mail address and to host
malicious documents.
mericcs.org 221.121.138.141
Domain used for spear phish sender e-mail address and to host
malicious documents.
tautiaos.com 43.249.37.199
Command and control server observed from QuasarRAT
malware.
sastind-cn.org 209.58.176.201
Command and control server observed from QuasarRAT
malware.
ebeijingcn.live 209.58.169.91
Command and control server observed from Delphi RAT
malware.
Source: https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/
https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/
Page 11 of 11