Scribd
Upload
68 views

Case Study Patchwork PDF

This document summarizes a targeted attack called "Patchwork" that infected over 2,500 machines using a Powerpoint presentation exploit. It used various tools like AutoIT, PowerSploit, and Meterpreter to gain access and elevate privileges, then exfiltrated documents. A deception campaign was launched to study the attackers, who were discovered accessing shared drives and cloud systems. The attackers' techniques included credential theft, VPN access, and document exfiltration over multiple days and IP addresses.

Uploaded by

hasan al
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
68 views

Case Study Patchwork PDF

This document summarizes a targeted attack called "Patchwork" that infected over 2,500 machines using a Powerpoint presentation exploit. It used various tools like AutoIT, PowerSploit, and Meterpreter to gain access and elevate privileges, then exfiltrated documents. A deception campaign was launched to study the attackers, who were discovered accessing shared drives and cloud systems. The attackers' techniques included credential theft, VPN access, and document exfiltration over multiple days and IP addresses.

Uploaded by

hasan al
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 14

Patchwork

CASE STUDY, COURTESY OF GADI EVRON, CYMMETRIA


Background

• First observed December 2015


• At least 2,500 machines
infected
• Targets: military and political
personnel
― Especially working on issues
related to S.E. Asia and the
South China Sea
• Attack vector: Powerpoint
presentation
• Exploit: Sandworm –CVE-2014-
4114
― Only affects unpatched
Microsoft Office Powerpoint
2003 and 2007

2
First Stage Payload: Compiled Script

• This script was written in AutoIT


• Bypassed UAC using a method called UACME, which had been posted to a
hacker forum:

3
Next Stages

• Now having elevated privileges, it used PowerSploit to download and run


Meterpreter
― Remote Access Trojan component of the MetaSploit penetration testing
framework
• Meterpreter was used to locate and exfiltrate documents in order for the
attacker to gauge the value of the target
― If considered valuable, the attacker then delivered a second payload, also built
from snippets of code taken from various online forums and other resources

4
Next Stages (cont)

5
Deception Campaign

• Goal: discover as much as possible about the threat actor, especially tools,
techniques and procedures
― Allowing subsequent detection elsewhere
― Prevent future attacks against Cymmetria’s customer
• Honeynet environment
― Breadcrumbs: snippets of data which lead the attacker to a new machine:
 Credentials, browser cookies, network shares, VPN connections, etc.
― Decoys: full operating systems running in VM’s; represent high-value targets for
the attacker
• The lure: a fake profile for a person in whom the attacker was interested

6
The Deception Campaign

7
The Chain of Events

1. The Powerpoint PPS was opened on a target laptop and dropped the initial
payload components
2. The Meterpreter reverse shell was pulled from the C2 server
3. Files from the target laptop were exfiltrated to the C2 server along with
some encrypted traffic
4. The attacker decided to drop the second stage malware; this scanned the
hard drive
5. It copied itself as C:\Windows\SysWoW64\netvmon.exe and added this to
the startup programs
6. Three days later, alerts were received on the decoy running an SMB share
7. The malware accessed the shared drive and scanned it for files
8. Someone attempted to connect to a cloud decoy using RDP
9. They failed to log in (could have done it using Mimikatz)
10. The IP address suggests the same attacker

8
Honeynet Map

9
PPS Files on the C2 Server

10
Secondary Infection Stages

11
Attribution

12
Mapped to the Working Day
DARKER GREY INDICATES MORE EDITS

13
Lessons

• Reconnaisance: collection of identity information of military and political


workers with specific interests
• Weaponization: infected Powerpoint presentation
― Lots of military/government briefing packages are delivered by Powerpoint
• Delivery: spear-phishing campaign, reusing documents exfiltrated previously
• Exploit: A chain: Sandworm, privilege escalation, then Meterpreter pulled
from C2
• Action on objectives: exfiltration of documents
Also: PATCH!
• Exploit 2: 7zip.exe -> netvmon.exe
• Installation: Added to startup programs
• Action on objectives: exfiltration
• C2: Various reused IP addresses
• Full report available at https://cymmetria.com/research/patchwork-targeted-
attack/

14

You might also like