APT Targets Energy, Pharma Industries

Thursday, July 28, 2016 @ 04:07 PM gHale


The cyber-espionage group Dropping Elephant, also tracked as Patchwork, has started targeting private companies in industries ranging from energy to pharmaceuticals in countries around the world.

The work of the Patchwork APT came to light at the beginning of July, when security firm Cymmetria published a report on the advanced persistent threat (APT) group’s operations.


Cymmetria called the group “the copy-paste APT” because it put together malware using publicly available and low-quality code.

The Cymmetria report, along with one published by Kaspersky Lab, showed the group mainly targeted government organizations in countries surrounding Southeast Asia and the South China Sea territory.

Symantec researchers said they found new evidence showing this two-year-old cyber-espionage group has branched out to target privately owned businesses.

Researchers discovered new Patchwork targets that operate in the following industries: aviation, broadcasting, energy, financial services, non-governmental organizations (NGOs), pharmaceuticals, the public sector, publishing, and software.

These companies are located not only in the geographical area previously targeted by Patchwork operations but also in the UK and the U.S.

The group did not update its tactics, techniques, and procedures and continued to use spear-phishing emails with the same theme that revolved around China’s external political relations.

In the vast majority of cases, these emails included malicious PowerPoint files that attempted to exploit CVE-2014-4114 to install malware on the target’s PC, according to Cymmetria.

In the new campaign, Word documents carrying exploits for CVE-2015-1641 and CVE-2012-0158 were also used, and in some cases the spear-phishing emails carried no attachment at all but instead contained links to a website from which the user would download the malicious file themselves.

Symantec said these files tried to install the Enfourks (via PowerPoint files) and Steladok (via Word files) backdoor Trojans, which would collect sensitive information from infected computers and upload it to online servers.
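As an added defender-side illustration (not code from the article, Symantec or Cymmetria), the Python helper below triages an incoming Office attachment for the features the campaign's lures relied on: legacy binary Office formats (the container the CVE-2012-0158 era documents use), OOXML packages carrying embedded OLE objects (the mechanism behind CVE-2014-4114), and relationships that pull content from an external URL. The sample document, file names and URL are constructed for the example.

```python
import io
import re
import zipfile

# Magic bytes for the two container formats Office attachments arrive in.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.ppt/.xls
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML .docx/.pptx/.ppsx

def triage_office_attachment(filename, data):
    """Return human-readable findings for one attachment; [] means nothing flagged."""
    findings = []
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    if data.startswith(OLE2_MAGIC):
        findings.append("legacy OLE2 binary Office format")
        if ext in ("docx", "pptx", "ppsx", "xlsx"):
            findings.append("extension claims OOXML but content is OLE2")
        return findings
    if not data.startswith(ZIP_MAGIC):
        return findings  # not an Office container; out of scope for this check
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            for name in z.namelist():
                if "/embeddings/" in name:  # OLE package parts live here
                    findings.append("embedded OLE object: " + name)
                elif name.endswith(".rels"):  # relationship files may point off-disk
                    xml = z.read(name).decode("utf-8", "replace")
                    for tag in re.findall(r"<Relationship\b[^>]*>", xml):
                        if 'TargetMode="External"' in tag:
                            m = re.search(r'Target="([^"]*)"', tag)
                            findings.append("external relationship in %s -> %s"
                                            % (name, m.group(1) if m else "?"))
    except zipfile.BadZipFile:
        findings.append("ZIP magic but unreadable archive (possibly malformed)")
    return findings

def build_sample_ppsx():
    """Constructed sample (not a real exploit): a minimal PPSX-shaped ZIP with an
    embedded OLE part and a slide relationship that points at an external URL."""
    rels = ('<?xml version="1.0"?><Relationships>'
            '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
            'officeDocument/2006/relationships/oleObject" '
            'Target="http://example.invalid/payload.bin" TargetMode="External"/>'
            '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("ppt/slides/slide1.xml", "<p:sld/>")
        z.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
        z.writestr("ppt/embeddings/oleObject1.bin", OLE2_MAGIC + b"\x00" * 8)
    return buf.getvalue()
```

A mail gateway or triage script can run `triage_office_attachment` over each attachment and quarantine anything that returns findings for analyst review; a clean, attachment-free lure that only links to a download site is not caught here and needs URL inspection instead.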