Cyberespionage group Patchwork sets its sights on multiple industries

The group used to focus on diplomatic and government targets, but now attacks companies too

A cyberespionage group known for targeting diplomatic and government institutions has branched out into many other industries, including aviation, broadcasting, and finance, researchers warn.

Known as Patchwork, or Dropping Elephant, the group stands out not only through its use of simple scripts and ready-made attack tools, but also through its interest in Chinese foreign relations.

The group's activities were documented earlier this month by researchers from Kaspersky Lab, who noted in their analysis that China's foreign relations efforts appear to represent the main interest of the attackers.

In a new report Monday, researchers from Symantec said that the group's recent attacks have also targeted companies and organizations from a broad range of industries: aviation, broadcasting, energy, financial, non-governmental organizations (NGO), pharmaceutical, public sector, publishing and software.

While most of Patchwork's past victims were based in China and Asia, almost half of the recent targets observed by Symantec were based in the U.S.

The group uses a legitimate mailing list provider to send newsletter-like emails to its intended targets. The rogue emails link to websites set up by the attackers with content related to China. Depending on the industry they operate in, victims receive links to websites with content relevant for their business.

The rogue websites have links to .pps (PowerPoint) or .doc (Word) files hosted on other domains. If downloaded and opened, these files attempt to exploit known vulnerabilities in Microsoft Office in order to execute rogue code on users' computers.

The Symantec researchers have observed exploits for the Microsoft Windows Common Controls ActiveX Control Remote Code Execution Vulnerability (CVE-2012-0158), the Microsoft Windows OLE Package Manager Remote Code Execution Vulnerability (CVE-2014-4114) and the Microsoft Office Memory Corruption Vulnerability (CVE-2015-1641).

Since the most recent of those vulnerabilities, CVE-2015-1641, was patched by Microsoft in April 2015, attackers appear confident that their targets have outdated Microsoft Office installations on their computers.

Typically, the PowerPoint file will try to exploit CVE-2014-4114, and if successful, will install a backdoor program called Enfourks that functions as an AutoIT executable. AutoIT is a scripting language for automating graphical user interface interactions.

The .doc files will try to exploit CVE-2012-0158 or CVE-2015-1641 and will try to install a different backdoor program called Steladok. Both of these programs can search for and steal files or can be used to install additional malware components.

Join the PC World newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Matthew Stivala

HP OfficeJet 250 Mobile Printer

The HP OfficeJet 250 Mobile Printer is a great device that fits perfectly into my fast paced and mobile lifestyle. My first impression of the printer itself was how incredibly compact and sleek the device was.

Armand Abogado

HP OfficeJet 250 Mobile Printer

Wireless printing from my iPhone was also a handy feature, the whole experience was quick and seamless with no setup requirements - accessed through the default iOS printing menu options.

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?