The cyber-espionage group, Dropping Elephant, started targeting private companies in industries ranging from energy to pharmaceuticals from different countries around the world.
The work of the Patchwork APT came to light at the beginning of July, when security firm Cymmetria published a report on the advanced persistent threat (APT) group’s operations.
Cymmetria called the group “the copy-paste APT” because it put together malware using publicly available and low-quality code.
Symantec researchers said they found new evidence showing this two-year-old cyber-espionage group branched out to target privately owned businesses.
Researchers discovered new Patchwork targets that operate in the following industries: Aviation, broadcasting, energy, financial, non-governmental organizations (NGO), pharmaceutical, public sector, publishing, and software.
These companies are not found only in the geographical area previously targeted by Patchwork operations but are also in the UK and the U.S.
The group did not update its tactics, techniques, and procedures and continued to use spear-phishing emails with the same theme that revolved around China’s external political relations.
In the vast majority of cases, these emails included malicious PowerPoint files that attempted to use the CVE-2014-4114 exploit to install malware on the target’s PC, as Cymmetria said.
In the new campaign, Word documents deployed exploits for CVE-2015-1641 and CVE-2012-0158 also ended up used, and in some cases, the spear-phishing emails didn’t come with an attachment but contained links to a website from where the user would download the malicious file themselves.
Symantec said these files tried to install the Enfourks (via PowerPoint files) and Steladok (via Word files) backdoor Trojans, which would collect sensitive information from infected computers and upload it to online servers.