The Patchwork attack group has been targeting more than just government-associated organizations. Our research into the group found that it’s been attacking a broad range of industries—including aviation, broadcasting, and finance—to drop back door Trojans.
Symantec Security Response has been actively monitoring Patchwork, also known as Dropping Elephant, which uses Chinese-themed content as bait to compromise its targets’ networks. Two security companies, Cymmetria and Kaspersky, each recently released reports on the campaign, most of which are in line with our observations.
As other researchers observed, Patchwork originally targeted governments and government-related organizations. However, the group has since expanded its focus to include a broader range of industries.
While most of the interest still lies in the public sector, more recent attacks were found targeting the following industries:
- Non-governmental organizations (NGO)
- Public sector
According to Symantec telemetry, targeted organizations are located in dispersed regions. Although approximately half of the attacks focus on the US, other targeted regions include China, Japan, Southeast Asia, and the United Kingdom.
Our first observation of an attempted attack related to this campaign dates back to November 2015, although Symantec telemetry data indicates that the campaign may have already existed in early 2015 or perhaps even earlier.
The threat actor mainly relies on a legitimate mailing list provider to send newsletters to a select number of targets. The newsletter includes a link to the attacker’s website, which has content focusing on topics related to China to draw the target’s interest. These websites are hosted on the same domains as the mailing list provider. Each website is customized for the intended target, and contains specialized topics related to the targeted industries.
Figure 1. A customized website with content related to a Chinese public hospital
Figure 2. A customized website with content related to the Chinese military
The malicious sites link to files hosted on different domains, which appear to be solely used for malicious purposes. The domains are registered under names that pose as legitimate sources for Chinese intelligence. Several domains predominantly used in the attacks are hosted on two servers with the IP addresses 22.214.171.124 and 126.96.36.199.
These websites host two different types of malicious files: a PowerPoint file (.pps) and a rich text file with a Word .doc extension.
The PowerPoint files appear to exploit the Microsoft Windows OLE Package Manager Remote Code Execution Vulnerability (CVE-2014-4114), which was used in the Sandworm attacks against American and European targets in October 2014. The rich text files typically attempt to exploit the Microsoft Office Memory Corruption Vulnerability (CVE-2015-1641), which was patched in April 2015. We have also confirmed an older flaw being exploited, the Microsoft Windows Common Controls ActiveX Control Remote Code Execution Vulnerability (CVE-2012-0158).
From what we can confirm, the documents contain copies of publicly available content taken from legitimate websites. Topics range from military/defense, hospital, naval disputes, and even malware removal.
Malicious PowerPoint files
The .pps files likely exploit the Microsoft Windows OLE Package Manager Remote Code Execution Vulnerability (CVE-2014-4114). However, the exploit for this particular campaign is a slight variation of similar exploits observed in the past. It takes advantage of the fact that the patch is designed only to warn users rather than to block the embedded file outright, so infection still hinges on the user's response to the prompt.
Nothing happens when the file is opened in PowerPoint 2016. When the file is opened in older versions of PowerPoint, however, it displays a security warning asking whether the user wants to open driver.inf; whether and how the prompt appears depends on the environment, such as the version of the operating system and the patches applied.
Figure 3. Opening the .pps file on PowerPoint versions earlier than 2016 displays this prompt
If the user chooses to open the file, the computer will be compromised. If the user chooses not to open it, the computer will not be infected. However, Backdoor.Enfourks will be dropped, though not executed, into the temporary directory when the .pps file is opened. This poses a risk of compromise to the intended target.
We have confirmed this issue on all versions of PowerPoint tested in the lab. Users should manually remove any potential dropped files which would typically be named “sysvolinfo.exe”.
Malicious Word .doc file
Besides the .pps file, the threat actor uses rich text files to deliver the malware. While other researchers have reported that these files exploit CVE-2012-0158, Symantec has also observed CVE-2015-1641 being exploited to drop Backdoor.Steladok.
Both the .doc and .pps files mainly drop two malware families. Typically, the PowerPoint Slide file drops Backdoor.Enfourks, an AutoIT executable which is usually bloated with meaningless data and targets mainly 32-bit systems. The .doc file drops Backdoor.Steladok.
While both back door Trojans wait for commands from the threat actor, they can search for files and upload them to the specified server once activated. For unknown reasons, both threats use Baidu, the Chinese software vendor, in their routines. The Trojans confirm an internet connection by pinging Baidu’s server and create a registry entry with the vendor’s name to run every time Windows starts. As two file types are used to deliver two different payloads, there are likely multiple individuals or groups contributing to the malware development efforts.
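The two host-side traces described in the paragraphs above (the sysvolinfo.exe file dropped into the temporary directory when the .pps is opened, and the back doors' Baidu-named startup entry together with their Baidu connectivity check) are the kind of thing a defender would hunt for in endpoint telemetry. The script below is an added example and is not code from the Symantec report or from the campaign. It assumes Sysmon-style key=value event lines, assumes the startup entry is written under a CurrentVersion\Run or RunOnce key (the report only says "a registry entry with the vendor's name"), and assumes the connectivity check resolves a baidu.com host; the sample events, user name, SID and paths are constructed.

```python
"""Hunt Sysmon-style telemetry for Patchwork host indicators (constructed example)."""
import ntpath
import re
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample telemetry, not real logs: one PowerPoint-dropped payload,
# one autostart value named after Baidu, one DNS lookup from the dropped binary,
# and two benign events that must NOT be flagged (a document save, and a
# browser looking up baidu.com, which is ordinary traffic).
SAMPLE_EVENTS = [
    "EventType=FileCreate Image=C:\\Program Files\\Microsoft Office\\POWERPNT.EXE "
    "TargetFilename=C:\\Users\\alice\\AppData\\Local\\Temp\\sysvolinfo.exe",
    "EventType=RegistryValueSet TargetObject=HKU\\S-1-5-21-1\\Software\\Microsoft\\"
    "Windows\\CurrentVersion\\Run\\Baidu Details=C:\\Users\\alice\\AppData\\Local\\Temp\\sysvolinfo.exe",
    "EventType=DnsQuery Image=C:\\Users\\alice\\AppData\\Local\\Temp\\sysvolinfo.exe QueryName=www.baidu.com",
    "EventType=FileCreate Image=C:\\Windows\\explorer.exe TargetFilename=C:\\Users\\alice\\Documents\\report.docx",
    "EventType=DnsQuery Image=C:\\Program Files\\Mozilla Firefox\\firefox.exe QueryName=www.baidu.com",
]

DROPPED_NAME = "sysvolinfo.exe"        # file name given in the report
VENDOR_NAME = "baidu"                  # the report: an entry "with the vendor's name"
CONNECTIVITY_DOMAIN = "baidu.com"      # assumption: host used for the connectivity ping
# Assumption: the autostart entry lives under one of the usual Run keys.
STARTUP_KEY_FRAGMENTS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")

# Key=Value pairs where a value may itself contain spaces (e.g. "Program Files"):
# stop a value lazily at the next " Word=" or at end of line.
_KV = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line: str) -> Dict[str, str]:
    """Turn one 'Key=Value Key2=Value2' telemetry line into a dict."""
    return dict(_KV.findall(line))


def is_temp_path(path: str) -> bool:
    """True if any directory component of a Windows path is 'Temp' (case-insensitive)."""
    return "temp" in ntpath.normcase(path).split("\\")


def check_dropped_file(ev: Dict[str, str]) -> Optional[str]:
    """The .pps drops sysvolinfo.exe into %TEMP% even if the user declines the prompt."""
    if ev.get("EventType") != "FileCreate":
        return None
    target = ev.get("TargetFilename", "")
    if ntpath.basename(ntpath.normcase(target)) == DROPPED_NAME and is_temp_path(target):
        return "dropped-enfourks"
    return None


def check_startup_entry(ev: Dict[str, str]) -> Optional[str]:
    """Autostart value whose name contains the vendor name used by both back doors."""
    if ev.get("EventType") != "RegistryValueSet":
        return None
    key = ev.get("TargetObject", "").lower()
    value_name = key.rsplit("\\", 1)[-1]
    if any(frag in key for frag in STARTUP_KEY_FRAGMENTS) and VENDOR_NAME in value_name:
        return "baidu-named-autostart"
    return None


def check_connectivity_probe(ev: Dict[str, str]) -> Optional[str]:
    """Baidu lookup from a process running out of a temp directory.

    Caveat: baidu.com lookups from a browser are normal, so the domain alone is
    far too noisy; only flag it when the originating image lives in Temp.
    """
    if ev.get("EventType") != "DnsQuery":
        return None
    host = ev.get("QueryName", "").lower()
    hits_domain = host == CONNECTIVITY_DOMAIN or host.endswith("." + CONNECTIVITY_DOMAIN)
    if hits_domain and is_temp_path(ev.get("Image", "")):
        return "temp-process-baidu-probe"
    return None


RULES: Tuple[Callable[[Dict[str, str]], Optional[str]], ...] = (
    check_dropped_file,
    check_startup_entry,
    check_connectivity_probe,
)


def hunt(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (event index, rule tag) for every event that matches a rule."""
    findings: List[Tuple[int, str]] = []
    for idx, line in enumerate(lines):
        ev = parse_event(line)
        for rule in RULES:
            tag = rule(ev)
            if tag:
                findings.append((idx, tag))
    return findings


if __name__ == "__main__":
    for idx, tag in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {tag}")
```

Run on the constructed sample, the first three events are flagged and the two benign ones are not. The design point is in the third rule: because the report says the Trojans merely ping Baidu to confirm connectivity, a query to that domain is only interesting in combination with where the querying process lives, which is why the rule keys on the image path rather than the domain alone. Treat the `dropped-enfourks` hit as a cleanup task even without an execution event, since the report notes the file is written whether or not the user accepts the prompt.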
Users should adhere to the following advice to prevent Patchwork’s attacks from succeeding:
- Delete any suspicious-looking emails you receive, especially if they contain links or attachments. Spear-phishing emails are frequently used by cyberespionage attackers as a means of luring victims into opening malicious files.
- Keep your operating system and other software updated. Software updates will frequently include patches for newly discovered security vulnerabilities which are frequently exploited by attackers.
- Keep your security software up to date to protect yourself against any new variants of this malware.
Symantec and Norton products detect Patchwork’s malware as follows:
Intrusion prevention system:
Indicators of compromise
The following details suspicious domains, IP addresses, and files, which may indicate that Patchwork has compromised a computer:
Suspected domains and IP addresses:
Table 1. Malicious PowerPoint slides associated with this campaign
Table 2. Malicious rich text files associated with this campaign
Table 3. Payloads associated with this campaign