The ultimate copy paste slacker hacker group has busted security controls in some 2500 corporates and government agencies using nothing but stolen code.
The targets focus on those affiliated with military and political assignments around Southeast Asia and the contentious South China Sea, and may have been compromised in a little over six months.
The group dubbed Patchwork for its use of multiple proof-of-concept and tools is detailed by researchers with Israeli deceptive infosec firm Cymmetria in joint work with Brandon Levene of Palo Alto Networks, researchers with Kaspersky, and anonymous security types.
Cymmetria co-founder Dean Sysman says the campaign to catch the group was complex.
“The most interesting challenge was catching the second stage malware which the attacker only deploys once they feel they require persistence and their risk of capture is low,” Sysman says.
Research boffins obtained access to the group's command-and-control servers finding spear phishing files and malware. The phishing documents related to Chinese military and political topics.
Patchwork attackers ripped code and tools from GitHub and across the Dark Web to build an arsenal shirking the option to build their own tailored kit, a feat common with advanced network exploitation groups.
Ripped weapons used in one attack included an exploit for the Sandworm vulnerability (CVE-2014-4114), a compiled AutoIt script, and UAC bypass code dubbed UACME.
That attack continued with PowerSploit, Meterpreter, and a second-stage malware payload taken from the efforts of others.
Cymmetria researchers say the use of borrowed code is contradictory; it helps reduce loss of investment if unique tools are detected in the initial intrusion, but risks blowing cover during secondary attacks.
"The high degree of operational capacity stands in stark contradiction to the low technical ability displayed which raises the question of whether the copy-paste nature of the threat was potentially intentional … [but] this seems unlikely as the use of such second-hand code is consistent with their second stage toolset meant for persistence, which should typically be built to resist detection."
The use of copied code should make such attacks noisy, and to that end it is surprising that the attack campaign was not detected more quickly.
"It is surprising that it has remained undetected since its operations began in December, as it seems to have been built out of a confluence of code taken from various public and hidden criminal forums, as well as various open source projects," researchers say. ®