Analysis Summary

Patchwork is an Advanced Persistent Threat APT group active since at least 2014. Patchwork primarily targets government, defense, and diplomatic organizations, as well as academic institutions, in South and Southeast Asia, including Pakistan, and Bangladesh. However, the group has also been known to target organizations in other regions, including Europe and North America.

The group is believed to be of Indian origin and has been linked to several cyber espionage campaigns. Patchwork has used various tactics, techniques, and procedures TTPs in its attacks. Once inside the networks, the group attempts to maintain persistence by regularly establishing new accounts, installing backdoors and other malicious tools, and performing malicious activities. Additionally, Patchwork has been known to employ social engineering techniques to track down and exfiltrate data from compromised systems. The group has also been known to use various evasion techniques to avoid detection by security solutions. In some cases, the group has remained undetected for extended periods.

An interesting development in Patchwork's timeline is its engagement in spearphishing operations targeting U.S. think tank groups during March and April of 2018. This campaign showcases Patchwork's interest in manipulating policy and international affairs information. The group's strategy involves crafting tailored emails with malicious attachments or links, capitalizing on unsuspecting victims' curiosity or trust.

Patchwork is a sophisticated and persistent threat actor that poses a significant risk to targeted organizations. Organizations need robust security measures to protect against these types of attacks, including regular software updates and employee awareness training.

Impact

• Information Theft
• Unauthorized Remote Access

Indicators of Compromise

Domain Name

• parkways.info
• xiamo.dasiqueiros.info
• sensors.opensecurity-legacy.com
• static.opensecurity-legacy.com
• winfileshare.com
• nodejsupdates.com
• l0p1.shop
• firebaseupdater.com
• onlinecsstutorials.com

IP

• 89.147.109.143
• 93.95.230.16

MD5

• 619b1a2b8f9df8d5c806d8549db19d91
• e8a9b75c5e41f6d4af9f32c11d0057cb
• 0ec179caf5c7f0bc1ed1545585245a3e
• bfe32a0314139bb88672c838238c7574
• 3f8ee7eda499ad12f9072b8c9035acda
• 55dba6e7aa4e8cc73415f4e3f9f6bdae
• 5631d3a0074b6c93d537ca6974e518cd
• fd49a7937e010acb2c6ed20c22f493f2
• 78253b8c16f81768b747c6830ebd455a
• 659ca98c3e767f17b561250f464861d1
• 8c7c3119bde94d4f09b84ea0934f56b5
• 8d60920b9d287feb84638abd7ae7db71

SHA-256

• 4c41aef07e4a408004960cfea23e91127931de906164cb2bd1997bc511939d0e
• e5b332d6f860d00d5d2d94cb6d9e07b0c9ba3f204bdcc77a7765272cf8d9feae
• e6071ae0da3289eb87edf67b2b198b0a3f0cf9da8eb35a8a2b5aa8989b6c0ef5
• 1753abbd3a79ff9db264b3e05bbbd2fa6f0b983de1a66c341a8a4cc71b4d6429
• bf9445ded122ee5853bb45d69b390ed5a0b36baa0c48adc7a8fa65e526116720
• 3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a
• 79a68cdabfed0db4f35af981d8d44889d3124100bffcb1a7fb6473da67804394
• 6d6dc50e8e73053763f9b85b7c1f1b532ec3023b5b89b3546f0330b4956e75a9
• c6398b5ca98e0da75c7d1ec937507640037ce3f3c66e074c50a680395ecf5eae
• 83e4962419f2d4e99c5aa02ed6a077c9fc19e15d6427c79c6cdef2df4530fb53
• e731a6bb98b0e5b8eaef933126862b1581ad67d3affc35ec89f23a45a7818308
• 2fc76a42fb7af2fbe480c0cf3d63e2eaf8d2b904a38b962261887f163ad6b4a2

SHA-1

• 2d54569082f3c2703b138cc64099ab164d301630
• a82bc1ecbf66e458f838f2c4eb96ce641e91d960
• 6d92497bbcd3b96a7a9094a8c291d7400fe28029
• 8aa820642df2639419643df5db38599c55641bb8
• 7b1c1a17156709e9ae26d14f8797d3da51a34d0e
• 87c9f29d58f57a5e025061d389be2655ee879d5d
• b3141c9824cda0b4bd88af8dcc37389353b98817
• 27f61fdf3989a8f3b67307af8bf669577edbe694
• 00faa7a56f512ff8bfad1b5fafa74ee02c771b58
• f5dd4273afdd353b1f3f0b09ce6f901a0bb3d6cd
• d3e1adc42f4f4f628f10b9131bf44c4356cd1808
• 97856c3e5cd595cbc6a67dcdd6e6f142a35565ef

URL

• http://nodejsupdates.com/ticket_line/afa.php
• http://nodejsupdates.com/ticket_line/certificate.php
• http://nodejsupdates.com/ticket_line/llb.php
• http://nodejsupdates.com/ticket_line/lockdown.php

Remediation

• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Do not download documents attached in emails from unknown sources and strictly refrain from enabling macros when the source isn’t reliable.
• Enable antivirus and anti-malware software and update signature definitions promptly. Using multi-layered protection is necessary to secure vulnerable assets.
• Along with network and system hardening, code hardening should be implemented within the organization so that their websites and software are secure. Use testing tools to detect any vulnerabilities in the deployed codes.