Security firm Volexity reported recently that its team discovered spear-phishing attacks in March and April of this year. The activity was attributed to the India-based APT group "Patchwork", which is also often referred to as "Dropping Elephant".
Volexity said that the increase in this threat activity is consistent with other observations that the 360 Threat Intelligence Center has recorded in its blog posts over the past few months. Notably, however, the attacks observed by Volexity show Patchwork turning its attention to the United States, and in particular to United States-based think tanks.
Volexity also found that, in addition to sending decoy documents to deliver malware, Patchwork now embeds unique tracking links in its emails so that it can identify which recipients have opened them.
In the three attacks observed, Patchwork used domain names and themes that imitated well-known American think tanks. The group drew on articles from the Council on Foreign Relations (CFR), the Center for Strategic and International Studies (CSIS) and the Mercator Institute for China Studies (MERICS) as the topics of its phishing emails and malicious Rich Text Format (RTF) files.
Oddly, in one case Patchwork used a domain name resembling that of the Foreign Policy Research Institute (FPRI) while claiming to be writing from CFR. Each email contained links to .doc files that were actually RTF documents attempting to exploit the Microsoft Office remote code execution vulnerability CVE-2017-8570.
On opening the attachment, the recipient sees a document that is a direct copy of a blog post or report published by a different think tank. At first glance everything looks legitimate, but in the background the target may just have been infected with QuasarRAT.
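The lure files described above are RTF documents delivered under a .doc name, and Word opens RTF content regardless of the extension, so the extension alone tells a mail gateway nothing; the file header does. The following triage check is an added example and not code from Volexity or the 360 report: it flags attachments whose claimed extension disagrees with their real format and, for RTF, whether the file carries embedded-object control words that a plain copy of a public article has no reason to contain. The sample attachments are constructed inline for illustration and are not real lure files.

```python
# Added example: detect RTF files masquerading as .doc attachments and flag
# RTF embedded-object markers. Constructed samples only; not from the report.

RTF_MAGIC = b"{\\rtf"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc (OLE compound file)
ZIP_MAGIC = b"PK\x03\x04"                         # .docx (OOXML zip container)

# RTF control words used to embed OLE objects. A decoy that is simply a copy
# of a published report should not need any of them.
OBJECT_CONTROL_WORDS = (b"\\objdata", b"\\objclass", b"\\objupdate", b"\\objemb")


def classify(filename: str, data: bytes) -> dict:
    """Return a verdict for one attachment: claimed vs. actual format plus
    any embedded-object control words found in an RTF body."""
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    head = data.lstrip()[:8]          # tolerate leading whitespace before the header
    if head.startswith(RTF_MAGIC):
        actual = "rtf"
    elif head.startswith(OLE_MAGIC):
        actual = "doc"
    elif head.startswith(ZIP_MAGIC):
        actual = "docx"
    else:
        actual = "unknown"

    # The lure pattern from the report: a Word extension on an RTF body.
    mismatch = ext in ("doc", "docx") and actual == "rtf"

    # Only inspect control words when the body really is RTF.
    object_words = []
    if actual == "rtf":
        object_words = [w.decode() for w in OBJECT_CONTROL_WORDS if w in data]

    return {
        "claimed": ext,
        "actual": actual,
        "mismatch": mismatch,
        "object_words": object_words,
        "suspicious": mismatch or bool(object_words),
    }


# Constructed sample attachments (hypothetical names and contents).
SAMPLES = {
    # RTF under a .doc name with an embedded OLE object: the lure pattern.
    "CFR_report.doc": b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Package}"
                      b"{\\*\\objdata 01050000}}}",
    # A genuine legacy Word binary.
    "newsletter.doc": OLE_MAGIC + b"\x00" * 24,
    # A genuine, object-free RTF that honestly says it is RTF.
    "notes.rtf": b"{\\rtf1\\ansi Plain text only.}",
}


def triage(samples=SAMPLES) -> dict:
    """Classify every sample and return the verdicts keyed by filename."""
    return {name: classify(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage().items():
        print(name, verdict)
```

A mismatch on its own is worth alerting on, because a legitimate sender has no reason to rename an RTF to .doc; the object control words add a second signal that does not depend on the file name at all.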
The payload Patchwork used in these campaigns is an open-source tool that is freely available, and it is effective enough that the group can interact with infected hosts without deploying any custom malware.