July 7, 2016
Since December 2015, a new cyber-espionage group has been launching attacks aimed at several governments and other related organizations working on military and political assignments linked to issues surrounding Southeast Asia and the South China Sea.
What sets this APT (Advanced Persistent Threat) apart from most other recent cyber-espionage groups, such as the Pacifier APT, is that it does not appear to use malware of its own.
Instead, the group copies malware source code from GitHub and hacking forums and stitches it into a “patchwork” of new threats, hence the name Patchwork APT.
Security firm Cymmetria says the group has targeted and infected at least 2,500 machines in several countries since December 2015 alone, but there are clues that the group may have been active since 2014.
For its attacks, the group has used spear-phishing emails carrying PowerPoint files as attachments. Most of the emails used subject lines about China’s activity in the South China Sea, though some relied on pornographic lures instead.
The PowerPoint file exploited the Sandworm vulnerability (CVE-2014-4114), a flaw in how Windows handled embedded OLE package objects that Microsoft patched in October 2014. On an unpatched machine, opening the file let the attackers run code on the underlying operating system and install their malware, almost two years after a fix was available.
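Exploits of this class reach the victim as an Office Open XML container (.pptx/.ppsx), so a quick triage step for a suspicious attachment is to unzip it and look for embedded OLE objects and relationships that point outside the document. The script below is an added example, not code from the article or from Cymmetria's report; it constructs a minimal container in memory (no real sample is used, and the UNC path and file names are made up) and applies those two generic heuristics. It is a screening check, not a detector for CVE-2014-4114 specifically.

```python
"""Triage an Office Open XML (.pptx/.ppsx) attachment for OLE-packager style
delivery features. Added example; the heuristics are generic OOXML checks
and the sample document is constructed below, not a real exploit file."""
import io
import xml.etree.ElementTree as ET
import zipfile
from typing import Dict, List

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # Compound File Binary (OLE2) header
EMBED_DIR = "ppt/embeddings/"
PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
DOC_REL_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
EXTERNAL_PREFIXES = ("\\\\", "file:", "http:", "https:")


def inspect_ooxml(data: bytes) -> Dict[str, List[str]]:
    """Return the suspicious features found in an OOXML zip held in memory."""
    findings: Dict[str, List[str]] = {
        "embedded_ole": [],      # OLE2 blobs under ppt/embeddings/
        "oleobj_refs": [],       # relationships of type .../oleObject
        "external_targets": [],  # relationships whose target leaves the package
        "parse_errors": [],      # .rels parts that are not well-formed XML
    }
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if name.startswith(EMBED_DIR) and z.read(name).startswith(OLE_MAGIC):
                findings["embedded_ole"].append(name)
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(z.read(name))
            except ET.ParseError:
                findings["parse_errors"].append(name)
                continue
            for rel in root.iter(f"{{{PKG_REL_NS}}}Relationship"):
                target = rel.get("Target", "")
                if rel.get("Type", "").endswith("/oleObject"):
                    findings["oleobj_refs"].append(f"{name}: {target}")
                if rel.get("TargetMode") == "External" or target.startswith(EXTERNAL_PREFIXES):
                    findings["external_targets"].append(f"{name}: {target}")
    return findings


def verdict(findings: Dict[str, List[str]]) -> str:
    """Collapse findings into a triage label for an analyst queue."""
    if findings["embedded_ole"] and findings["external_targets"]:
        return "high"
    if any(findings[k] for k in ("embedded_ole", "external_targets", "parse_errors")):
        return "review"
    return "low"


def build_sample_ppsx(suspicious: bool) -> bytes:
    """Constructed test data: a minimal OOXML package. The suspicious variant
    only mimics the container layout the scanner looks for; the embedded blob
    is an OLE2 header followed by zeros and the UNC path is invented."""
    unc_target = r"\\10.0.0.5\share\update.inf"  # hypothetical attacker share
    rels = [f'<Relationship Id="rId1" Type="{DOC_REL_NS}/slideLayout" '
            'Target="../slideLayouts/slideLayout1.xml"/>']
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("ppt/slides/slide1.xml",
                   '<?xml version="1.0"?><p:sld xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main"/>')
        if suspicious:
            z.writestr("ppt/embeddings/oleObject1.bin", OLE_MAGIC + b"\x00" * 504)
            rels.append(f'<Relationship Id="rId2" Type="{DOC_REL_NS}/oleObject" '
                        'Target="../embeddings/oleObject1.bin"/>')
            rels.append(f'<Relationship Id="rId3" Type="{DOC_REL_NS}/oleObject" '
                        f'Target="{unc_target}" TargetMode="External"/>')
        z.writestr("ppt/slides/_rels/slide1.xml.rels",
                   f'<?xml version="1.0"?><Relationships xmlns="{PKG_REL_NS}">{"".join(rels)}</Relationships>')
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("benign", build_sample_ppsx(False)), ("suspicious", build_sample_ppsx(True))):
        f = inspect_ooxml(blob)
        print(label, verdict(f), f)
```

To use it on a real attachment, read the file's bytes and pass them to `inspect_ooxml`; a "high" result means the package both carries an OLE2 object and references something outside itself, which is reason enough to detonate it in a sandbox rather than open it. A benign deck with a legitimately embedded spreadsheet will land in "review", which is the intended trade-off for a screening check.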