China-themed cyber espionage group Patchwork expands to UK targets

According to a new report from Symantec, the China-themed cyber espionage group Patchwork has broadened its range of targets to include UK-based companies.

In the report, the firm describes how the group, which has gained the nickname Dropping Elephant, uses Chinese-themed content in order to draw victims to unsecure websites with the intent of installing malware onto their devices.

Patchwork originally focused on government organisations and their employees. However, it has now widened its scope and set its sights on finance, energy, aviation, NGOs and other high-end sectors.

In a blog post on its site, Symantec has laid out just how the group has expanded its operations, saying: “Patchwork originally targeted governments and government-related organisations. However, the group has since expanded its focus to include a broader range of industries.”

“According to Symantec telemetry, targeted organisations are located in dispersed regions. Although approximately half of the attacks focus on the US, other targeted regions include China, Japan, South East Asia and the UK.”

Patchwork utilises emails that are sent out via newsletter mailing lists to cosy up to targets it wants to infiltrate. By sending out news stories and announcements that are relevant to recipients, the group tempts them to visit websites hosting malicious content.

On the sites, potential victims are tricked once again into downloading files that generally appear in the form of a Word or PowerPoint document. These files contain trojans that are then used to access the data stored on a user's device.

Symantec also offered insight into how Patchwork's trojans operate, saying: “While back door trojans wait for commands from the threat actor, they can search for files and upload them to the specified server once activated.

“For unknown reasons, both threats use Baidu, the Chinese software vendor, in their routines. The trojans confirm an internet connection by pinging Baidu's server, and create a registry entry with the vendor's name to run every time Windows starts.”
