cyber_threat_intelligence/Patchwork

Patchwork - Cyber Threat Intelligence

The indicators are related to VulDB CTI analysis of the actor known as Patchwork. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, activities, intentions, emerging research, and attacks. Our unique predictive model is able to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.patchwork

Campaigns

The following campaigns are known and can be associated with Patchwork:

• Badnews
• Dropping Elephant

Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with Patchwork:

• US
• CN

IOC - Indicator of Compromise

These indicators of compromise indicate associated network ressources which are known to be part of research and attack activities of Patchwork.

ID	IP address	Hostname	Confidence
1	5.8.88.64	-	High
2	5.34.242.129	-	High
3	5.39.11.72	vm482.sakuraserver.co	High
4	5.39.36.56	-	High
5	5.39.36.57	-	High
6	5.39.36.58	-	High
7	5.39.36.59	-	High
8	5.39.36.60	-	High
9	5.39.36.61	-	High
10	5.39.97.57	-	High
11	5.39.97.58	-	High
12	5.101.140.220	prodsrv1.a7holding.com	High
13	5.254.98.68	-	High
14	8.22.200.44	server36.hostcats.com	High
15	8.23.224.90	-	High
16	10.30.4.112	-	High
17	23.106.123.87	-	High
18	31.3.154.110	vps3.geozinho.com.br	High
19	31.3.154.111	vps4.geozinho.com.br	High
20	31.3.154.113	swe-net-ip.as51430.net	High
21	31.3.154.114	swe-net-ip.as51430.net	High
22	31.3.154.115	swe-net-ip.as51430.net	High
23	31.3.154.116	swe-net-ip.as51430.net	High
24	31.3.154.117	swe-net-ip.as51430.net	High
25	31.3.155.106	swe-net-ip.as51430.net	High
26	31.170.161.56	-	High
27	31.170.161.136	cpl02.main-hosting.eu	High
28	31.170.162.23	cpl04.main-hosting.eu	High
29	31.214.169.86	-	High
30	31.214.169.87	-	High
31	37.46.127.75	nerops15.roupasnews4.com.br	High
32	37.46.127.76	nerops16.roupasnews4.com.br	High
33	37.46.127.77	watch-man6.topchairlifts.com	High
34	37.46.127.78	watch-man7.topchairlifts.com	High
35	37.46.127.79	watch-man8.topchairlifts.com	High
36	37.46.127.81	watch-man10.topchairlifts.com	High
37	37.48.77.214	nl.redseedbox.com	High
38	37.48.77.215	-	High
39	37.58.60.195	-	High
40	37.59.175.130	ip130.ip-37-59-175.eu	High
41	37.59.208.94	-	High
42	37.59.231.161	-	High
43	37.221.166.7	-	High
44	37.221.166.8	-	High
45	37.221.166.9	-	High
46	37.221.166.15	-	High
47	37.221.166.36	-	High
48	37.221.166.42	-	High
49	37.221.166.47	-	High
50	37.221.166.48	-	High
51	37.221.166.49	-	High
52	37.221.166.53	-	High
53	37.221.166.55	-	High
54	37.221.166.58	-	High
55	37.221.166.61	-	High
56	43.249.37.173	-	High
57	43.249.37.199	-	High
58	45.43.192.172	-	High
59	46.4.187.60	static.60.187.4.46.clients.your-server.de	High
60	46.4.215.38	mx01.wugrafixcloud.net	High
61	46.165.225.66	-	High
62	46.165.229.7	-	High
63	46.165.229.8	-	High
64	46.165.229.9	smtp1.lnkyfi.com	High
65	46.165.248.236	-	High
66	46.165.248.237	-	High
67	46.165.248.238	-	High
68	46.165.248.239	-	High
69	46.165.248.240	-	High
70	...	...	...

There are 274 more IOC items available. Please use our online service to access the data.

TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures summarize the suspected ATT&CK techniques used by Patchwork. This data is unique as it uses our predictive model for actor profiling.

ID	Technique	Description	Confidence
1	T1552	Unprotected Storage of Credentials	High

IOA - Indicator of Attack

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by Patchwork. This data is unique as it uses our predictive model for actor profiling.

ID	Type	Indicator	Confidence
1	File	/apply_noauth.cgi	High
2	File	admin/admin_admin.php?nav=list_admin_user&admin_p_nav=user	High
3	File	data/gbconfiguration.dat	High
4	...	...	...

There are 13 more IOA items available. Please use our online service to access the data.

References

The following list contains external sources which discuss the actor and the associated activities:

• https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=09308982-77bd-41e0-8269-f2cc9ce3266e&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments
• https://github.com/faisalusuf/ThreatIntelligence/blob/main/Patchwork/Tracking-Patchwork-IOCs.csv
• https://securelist.com/the-dropping-elephant-actor/75328/
• https://unit42.paloaltonetworks.com/unit42-patchwork-continues-deliver-badnews-indian-subcontinent/
• https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/
• https://vxug.fakedoma.in/archive/APTs/2021/2021.01.20(1)/Patchwork.pdf
• https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf
• https://www.threatminer.org/report.php?q=appendix-untangling-the-patchwork-cyberespionage-group_2_Trend-Micro.pdf&y=2017
• https://www.threatminer.org/report.php?q=Patchworkcyberespionagegroupexpandstargetsfromgovernmentstowiderangeofindustries-SymantecOfficialBlog.pdf&y=2016
• https://www.threatminer.org/report.php?q=tech-brief-untangling-the-patchwork-cyberespionage-group_1_Trend-Micro.pdf&y=2017
• https://www.threatminer.org/report.php?q=Unveiling-Patchwork.pdf&y=2015
• https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/

Literature

The following articles explain our unique predictive cyber threat intelligence:

• VulDB Cyber Threat Intelligence Documentation
• Cyber Threat Intelligence - Early Anticipation of Attacks

License

(c) 1997-2022 by vuldb.com. All data on this page is shared under the license CC BY-NC-SA 4.0. Questions? Check the FAQ, read the documentation or contact us!