Dark Web Profile: Patchwork APT – SOCRadar® Cyber Intelligence Inc.

Patchwork APT is an India-based cyber espionage group identified in 2015 but active since 2009, targeting government, defense, and diplomatic entities primarily in South and Southeast Asia, with operations expanding to Europe and North America. It relies on spear phishing and watering hole attacks, using a range of custom tools (including the BADNEWS RAT and VajraSpy) to conduct espionage.

Key points

  • Patchwork APT is an India-based threat group, active since 2009 and identified in 2015, with aliases including Dropping Elephant and Quilted Tiger.
  • The group targets government, defense, diplomatic entities, and academic institutions across South/Southeast Asia and beyond, with campaigns reaching Europe, North America, and US think tanks.
  • Primary infiltration methods are spear phishing and watering hole attacks, leveraging social engineering and custom malware for espionage.
  • Tools include BADNEWS RAT and VajraSpy (Android RAT); campaigns have used Android apps on Google Play and other platforms, including honey-trap romance schemes and Firebase Hosting for C2.
  • In 2021, Patchwork leveraged CVE-2017-0261 to drop payloads via a malicious Microsoft Office document, alongside a custom keylogger identified by its SHA-256 hash.
  • SOCRadar lists extensive IoCs (hostnames, IPs, and hashes) associated with Patchwork APT and its campaigns, spanning multiple regions.

MITRE Techniques

  • [T1566.001] Spearphishing via Email – Used to target specific individuals within organizations of interest; ‘spear phishing campaigns are meticulously crafted to target specific individuals within the organizations of interest, often leveraging social engineering techniques to deceive recipients into opening malicious attachments or clicking on compromised links.’
  • [T1189] Watering Hole – Compromising legitimate websites frequented by targets to deliver malware; ‘Watering hole attacks involve compromising legitimate websites frequented by the group’s targets, aiming to exploit vulnerabilities in their web browsers or other software to deliver malware.’
  • [T1203] Exploitation for Client Execution – Exploits vulnerabilities for remote code execution; ‘a vulnerability enabling remote code execution by improperly handling objects in memory.’
  • [T1056.001] Keylogging – Deployment of a custom keylogger as part of payloads; ‘notably a custom keylogger identified by its unique SHA-256 hash.’
  • [T1071.001] Web Protocols – C2 over the web (Firebase Hosting used for command and control servers); ‘utilized Firebase Hosting for command and control servers.’

Indicators of Compromise

  • [HOSTNAME] IoCs – fich.buzz, deb-cn.net, and 2 more hostnames
  • [IP] IoCs – 160.20.147.67, 66.219.22.252, and 1 more IP
  • [HASH] IoCs – 155d6932de11b6e1201f46c70160f4ca322642eec2f8c928f3cfcd6c7aa1ee2c, ca24347d80aed81df2a0e89075c645bfd6081a8e66103ea680f3a8758999b32b and 2 more hashes
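The hostnames, IPs and hashes above are only useful once they are matched against telemetry. The following is an added example, not part of the SOCRadar profile, that loads the IoCs listed on this page into sets and scans log lines for them. The log lines are constructed for the example and are not real telemetry; the "2 more hostnames", "1 more IP" and "2 more hashes" the profile does not reproduce are left out, so the sets must be extended from the full report before real use. Hostname matching also fires on subdomains of a listed domain, and hashes are compared case-insensitively, since EDR and proxy logs differ in how they emit them.

```python
import re

# IoCs taken from the Patchwork APT profile on this page. The profile also
# mentions additional hostnames, IPs and hashes that it does not list; add
# them here from the full report.
HOSTNAMES = {"fich.buzz", "deb-cn.net"}
IPS = {"160.20.147.67", "66.219.22.252"}
HASHES = {
    "155d6932de11b6e1201f46c70160f4ca322642eec2f8c928f3cfcd6c7aa1ee2c",
    "ca24347d80aed81df2a0e89075c645bfd6081a8e66103ea680f3a8758999b32b",
}

# Loose extractors: anything that looks like a hostname, an IPv4 address or a
# SHA-256 hex digest. They over-match on purpose (e.g. "svc.exe" looks like a
# hostname); the lookup against the IoC sets is what decides a hit.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
SHA256_RE = re.compile(r"\b([0-9a-fA-F]{64})\b")


def host_matches(host):
    """True if host is a listed domain or a subdomain of one (case-insensitive,
    trailing dot tolerated)."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in HOSTNAMES)


def scan_line(line):
    """Return a list of (indicator_type, value) hits found in one log line."""
    hits = []
    for m in HOST_RE.finditer(line):
        if host_matches(m.group(1)):
            hits.append(("hostname", m.group(1).lower()))
    for m in IP_RE.finditer(line):
        if m.group(1) in IPS:
            hits.append(("ip", m.group(1)))
    for m in SHA256_RE.finditer(line):
        if m.group(1).lower() in HASHES:
            hits.append(("sha256", m.group(1).lower()))
    return hits


def scan_logs(lines):
    """Scan an iterable of log lines; return (line_number, type, value) tuples."""
    findings = []
    for n, line in enumerate(lines, 1):
        for kind, value in scan_line(line):
            findings.append((n, kind, value))
    return findings


# Constructed sample log lines (DNS, proxy and EDR style); not real telemetry.
SAMPLE_LOGS = [
    "2024-03-01T10:02:11Z dns query client=10.0.0.15 qname=update.fich.buzz qtype=A",
    "2024-03-01T10:02:12Z proxy CONNECT 66.219.22.252:443 user=jdoe bytes=4120",
    "2024-03-01T10:03:40Z edr file_create path=C:\\Users\\jdoe\\AppData\\Local\\Temp\\svc.exe "
    "sha256=CA24347D80AED81DF2A0E89075C645BFD6081A8E66103EA680F3A8758999B32B",
    "2024-03-01T10:05:02Z dns query client=10.0.0.15 qname=www.example.com qtype=A",
    "2024-03-01T10:06:00Z proxy GET http://deb-cn.net/update.php -> 200",
]

if __name__ == "__main__":
    for line_no, kind, value in scan_logs(SAMPLE_LOGS):
        print(f"line {line_no}: {kind} match on {value}")
```

On the constructed input the scan reports the subdomain of fich.buzz on line 1, the listed IP on line 2, the uppercase hash on line 3 and deb-cn.net on line 5, while the benign DNS query on line 4 and the local file path produce nothing. A hit on a hostname or IP is a pivot point for investigation rather than proof of compromise by itself; infrastructure is reused and re-assigned, so confirm with the surrounding activity before acting on it.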

Read more: https://socradar.io/dark-web-profile-patchwork-apt/