The group used to focus on diplomatic and government targets, but now attacks companies too A cyberespionage group known for targeting diplomatic and government institutions has branched out into many other industries, including aviation, broadcasting, and finance, researchers warn. Known as Patchwork, or Dropping Elephant, the group stands out not only through its use of simple scripts and ready-made attack tools, but also through its interest in Chinese foreign relations. The group’s activities were documented earlier this month by researchers from Kaspersky Lab, who noted in their analysis that China’s foreign relations efforts appear to represent the main interest of the attackers. In a new report Monday, researchers from Symantec said that the group’s recent attacks have also targeted companies and organizations from a broad range of industries: aviation, broadcasting, energy, financial, non-governmental organizations (NGO), pharmaceutical, public sector, publishing and software. While most of Patchwork’s past victims were based in China and Asia, almost half of the recent targets observed by Symantec were based in the U.S. The group uses a legitimate mailing list provider to send newsletter-like emails to its intended targets. The rogue emails link to websites set up by the attackers with content related to China. Depending on the industry they operate in, victims receive links to websites with content relevant for their business. The rogue websites have links to .pps (PowerPoint) or .doc (Word) files hosted on other domains. If downloaded and opened, these files attempt to exploit known vulnerabilities in Microsoft Office in order to execute rogue code on users’ computers. The Symantec researchers have observed exploits for the Microsoft Windows Common Controls ActiveX Control Remote Code Execution Vulnerability (CVE-2012-0158), the Microsoft Windows OLE Package Manager Remote Code Execution Vulnerability (CVE-2014-4114) and the Microsoft Office Memory Corruption Vulnerability (CVE-2015-1641). Since the most recent of those vulnerabilities, CVE-2015-1641, was patched by Microsoft in April 2015, attackers appear confident that their targets have outdated Microsoft Office installations on their computers. Typically, the PowerPoint file will try to exploit CVE-2014-4114, and if successful, will install a backdoor program called Enfourks that functions as an AutoIT executable. AutoIT is a scripting language for automating graphical user interface interactions. The .doc files will try to exploit CVE-2012-0158 or CVE-2015-1641 and will try to install a different backdoor program called Steladok. Both of these programs can search for and steal files or can be used to install additional malware components. Related content news Nvidia teases quantum accelerated supercomputers Nvidia debuts systems powered by Grace Hopper superchips, adds AI and quantum to the HPC mix. By Lynn Greiner May 13, 2024 4 mins CPUs and Processors Supercomputers Data Center news Cisco adds AI features to AppDynamics On-Premises A new virtual appliance for Cisco's AppDynamics observability platform will give enterprise customers more deployment options as well as AI-driven capabilities for anomaly detection and root cause analysis, application security, and SAP monitori By Michael Cooney May 10, 2024 4 mins Network Management Software Network Monitoring news CHIPS Act to fund $285 million for semiconductor digital twins Plans call for building an institute to develop digital twins for semiconductor manufacturing and share resources among chip developers. By Andy Patrizio May 10, 2024 3 mins CPUs and Processors Data Center news Microsoft’s AI ambitions fuel $3.3 billion bet on Wisconsin data center The Mount Pleasant site was initially earmarked for a manufacturing plant operated by electronics giant Foxconn. By Sascha Brodsky May 10, 2024 6 mins Data Center PODCASTS VIDEOS RESOURCES EVENTS NEWSLETTERS Newsletter Promo Module Test Description for newsletter promo module. Please enter a valid email address Subscribe