# A Deep Dive Into Patchwork APT Group #### cybleinc.com/2021/01/20/a-deep-dive-into-patchwork-apt-group ### The Patchwork APT group, also known as Dropping Elephant, Chinastrats, Monsoon, Sarit, Quilted Tiger, APT-C-09, and ZINC EMERSON, was first discovered in December 2015. This cyber espionage group targets multiple high- profile Diplomats and economists having foreign relations with China, using a custom set of attack tools. The attacks were generally made through spear phishing campaign or watering hole attacks. This group is suspected to be run by an Indian-speaking threat actor targeting foreign embassies and diplomatic offices in Pakistan, Sri-Lanka, Uruguay, Bangladesh, Taiwan, Australia, and the USA. At the beginning of 2018, researchers discovered that the Patchwork APT group was also operating spear phishing campaigns targeting think tank groups from the US. Recently, in January 2021, the research team at Cyble observed the Patchwork APT cyber espionage group targeting China with a malformed document named “Chinese_Pakistani_fighter_planes_play_war_games.docx”. We suspect ----- ### that the attack is executed in the form of spear phishing emails with malicious attachments. We discovered that the attack used techniques such as exploitation of long-closed vulnerabilities and social engineering campaigns. The image below showcases Chinese and Pakistani fighter war games with a CVE- 2019-0808 exploit code that drops and executes Patchwork APT payloads on victim machines. Technical Analysis: Our analysis is based on a sample that was found in the wild on January 18, 2021 with SHA- 256 7fb7944fb452d8588194ea746910ed782865efb991fa02479e429f8fba677d3b. The ----- ### sample is a malcrafted Microsoft document with an EPS script that exploits the CVE-2019-0808 vulnerability. CVE-2019-0808 is a privilege elevation vulnerability in the Windows Win32k component due to the NULL pointer dereference, which leads to an arbitrary code execution as a SYSTEM user. It allows the attacker to install and run additional payloads on the victim machine with full user rights. This APT group implants an extracted EPS script dropped and executed by the malicious document. The following image shows the content of the EPS file with the icon. The malcrafted EPS scripts drops a Patchwork payload file named “MSBuild.exe” with SHA256- 446e00a53014006804135ef1c31dac6837c0cf635c26426e396b3067764f956d in the path of the infected host as highlighted below. This is a VC+ compiled file with encrypted data, which decrypts and loads the Windows API function dynamically during runtime. File Path- %Users%\%AppData%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup folder Interestingly, the payload file has a hardcoded command and control (C2) server IP, URL and User agent as shown in the image below. ----- ### Upon execution, this file creates a Mutex named “asssszxxzcccjdddddccccdjjjddssdfgredf ” to mark its presence on the victim machine and avoid multiple executions of itself as shown in the process explorer image below. ----- ----- ### The malware payload starts collecting information from the victim system such as computer name, comspec, home directory, logon server, the number of processors, and much more using Windows API such as GetComputerNameA, GetTempPath, and GetConsoleWindow. The image below shows the system information collected during our analysis. ----- ----- ### The following image shows the stack data, which includes collected system information such as a universally unique identifier (UUID), username (#un), computer name (#cn), IP address (#lan), number of processor (#nop) and version (#ver) along with the C2 IP. The Patchwork payload logs keystrokes, screenshots, and running processes with date and time and stores them in a file named TPX498.dat, in a %Temp% folders. The image below depicts the contents of the keylogger data file. The payload file also drops an 9PT568.dat file with ID:e29ac6c0-7037-11de-816d- 806e6f6e69638e6d which might be used for network data encryption. ----- ### Then malware uses the custom encryption logic to encode data and send it to the C2 server over HTTP communication, as depicted in the Wireshark image below. The multiple process threads of MSBuild.exe are responsible for sharing encoded stolen data in a POST request to the server. Each request body of the POST request ends with a unique identification value &crc=e3a6. ----- ### The Patchwork APT campaign has autostart capabilities by adding the payload files in a %Startup folder% of the victim machine so that it can execute on every reboot of the system. The APT group employs the following registry entry for its persistence on the victim machine. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\filename.exe Our recommendations are: Refrain from clicking on unverified/unidentified links. Do not open untrusted email attachments. Patch all open vulnerabilities or follow rigid patch management. Keep your Security software updated. The Patchwork APT group has expanded its wings with enhanced malware toolsets and has been targeting China and other regions through spear phishing attacks. In recent attacks, the Patchwork group has been using a payload that is a modified or custom-built RAT instead of using readily available remote admin tools. ----- ### The research team at Cyble is continuously monitoring to harvest the threat indicators/TTPs of emerging APTs in the wild to ensure that targeted organizations are well informed and proactively protected. Indicators of Compromise (IOCs): ----- ## Indicator Description 176.107.181[.]213 C2 server IP by Patch- work APT ## 446e00a53014006804135ef1c31- dac6837c0cf635c26426e396b3067764f956d 79b3453196841d01f953bdf8aa5ed- dd69aa66c92387bcf2584341794ccfd3b89 7fb7944f- b452d8588194ea746910ed782865efb991- fa02479e429f8fba677d3b ## SHA-256 of Patchwork keylogger payload file MSBuild.exe Image1.eps script drop- per component of exploit CVE-2019-0808 Exploit CVE-2019-0808 document. Chinese_Pak- istani_fighter_planes_- play_war_games.docx ## asssszxxzcccjdddddccccdjjjddssdfgredf Mutant object name ### MITRE ATT&CK Framework: ----- ## ID Description Use ## T1548.001 Abuse Eleva- tion Control Mechanism: B ypass User Account Control T1560.006 Command and Scripting Inter- preter: EPS script T1560 Archive Col- lected Data ## Uses CVE-2019-0808, a privi- lege elevation vulnerability in Windows Win32k component Uses the EPS script to deliver payload. Encrypts the collected files path with AES and then encodes them with base64. ----- ## T1119 Automated Collection T1547.001 Boot or Logon Au- tostart Execu- tion: Image File Execution Op- tions Registry Keys / Startup Folder T1566.001 Phishing: Spe arphishing At- tachment ## Develops a file stealer to search the C:\ folder and collect files with certain extensions, ex- ecutes a script to enumerate all drives, store them as a list, and uploads the generated files to the C2 server. It has added the path of its sec- ond-stage malware to the start- up folder to achieve persis- tence. One of its file stealers has also persisted by adding an Image File Execution Options Registry key. Uses spear phishing with an at- tachment to deliver files with ex- ploits to initial victims. ----- ## T1203 Exploitation for Client Execution ## Uses malicious documents to deliver remote execution ex- ploits. The group has used CVE-2019-0808. -----