Patchwork, so dubbed for its use of copy-and-pasted code from various online sources, is a targeted attack focused on obtaining documents from governments and government-affiliated organizations with dealings in Southeast Asia and the South China Sea. According to researchers from Cymmetria, Patchwork targeted personnel working on military and political assignments worldwide. They suspect that the attackers originate from India.
The attackers were able to infect their victims using targeted spear-phishing emails with malicious PowerPoint file attachments weaponized with the CVE-2014-4114 vulnerability, nicknamed Sandworm. Once opened, these attachments download and run executables that allow for data exfiltration to a control server, as well as establish persistence in the infected machine. Patchwork is estimated to have infected 2,500 machines since its first recognized infection by researchers in December 2015.
It is important to mention that this attack is very simple on the technical side of things – it utilizes a vulnerability that was patched long ago and uses mostly open source code that is widely available online for everyone to grab. And yet, this campaign has managed to infect so many. “This group shows how low the bar has been moved for a successful APT attack to take flight,” said Gadi Evron CEO and founder of Cymmetria to threatpost.com. “We are impressed that these attacks were able to infiltrate high-end organizations given the apparent low technical aptitude of the attackers”.
The vulnerability used in this attack was patched by Microsoft back in 2014, which only highlights the need of preforming regular system updates.
ThreatSTOP customers are protected from Patchwork.