Patchwork | APT Profile

Description

[Patchwork](https://attack.mitre.org/groups/G0040) is a cyber espionage group that was first observed in December 2015. While the group has not been definitively attributed, circumstantial evidence suggests the group may be a pro-Indian or Indian entity. [Patchwork](https://attack.mitre.org/groups/G0040) has been seen targeting industries related to diplomatic and government agencies. Much of the code used by this group was copied and pasted from online forums. [Patchwork](https://attack.mitre.org/groups/G0040) was also seen operating spearphishing campaigns targeting U.S. think tank groups in March and April of 2018.(Citation: Cymmetria Patchwork) (Citation: Symantec Patchwork)(Citation: TrendMicro Patchwork Dec 2017)(Citation: Volexity Patchwork June 2018)

Techniques Used (TTPs)

T1059.005 — Visual Basic (execution)
T1560 — Archive Collected Data (collection)
T1083 — File and Directory Discovery (discovery)
T1553.002 — Code Signing (defense-evasion)
T1574.001 — DLL (persistence, privilege-escalation, defense-evasion)
T1112 — Modify Registry (defense-evasion, persistence)
T1197 — BITS Jobs (defense-evasion, persistence)
T1027.005 — Indicator Removal from Tools (defense-evasion)
T1555.003 — Credentials from Web Browsers (credential-access)
T1053.005 — Scheduled Task (execution, persistence, privilege-escalation)
T1132.001 — Standard Encoding (command-and-control)
T1055.012 — Process Hollowing (defense-evasion, privilege-escalation)
T1021.001 — Remote Desktop Protocol (lateral-movement)
T1547.001 — Registry Run Keys / Startup Folder (persistence, privilege-escalation)
T1074.001 — Local Data Staging (collection)
T1036.005 — Match Legitimate Resource Name or Location (defense-evasion)
T1566.001 — Spearphishing Attachment (initial-access)
T1027.010 — Command Obfuscation (defense-evasion)
T1588.002 — Tool (resource-development)
T1189 — Drive-by Compromise (initial-access)
T1204.001 — Malicious Link (execution)
T1518.001 — Security Software Discovery (discovery)
T1203 — Exploitation for Client Execution (execution)
T1027.002 — Software Packing (defense-evasion)
T1033 — System Owner/User Discovery (discovery)
T1005 — Data from Local System (collection)
T1204.002 — Malicious File (execution)
T1587.002 — Code Signing Certificates (resource-development)
T1070.004 — File Deletion (defense-evasion)
T1119 — Automated Collection (collection)
T1102.001 — Dead Drop Resolver (command-and-control)
T1059.003 — Windows Command Shell (execution)
T1027.001 — Binary Padding (defense-evasion)
T1548.002 — Bypass User Account Control (privilege-escalation, defense-evasion)
T1059.001 — PowerShell (execution)
T1598.003 — Spearphishing Link (reconnaissance)
T1105 — Ingress Tool Transfer (command-and-control)
T1566.002 — Spearphishing Link (initial-access)
T1082 — System Information Discovery (discovery)
T1559.002 — Dynamic Data Exchange (execution)

Total TTPs: 40

Malware & Tools

Malware: AutoIt backdoor, BADNEWS, BackConfig, NDiskMonitor, TINYTYPHON, Unknown Logger

Tools: PowerSploit, QuasarRAT

← Return to Home ← Back to APT Search