Dropping Elephant

aka: Chinastrats, Patchwork, Monsoon, Sarit, Quilted Tiger

Dropping Elephant (also known as “Chinastrats” and “Patchwork”) is a relatively new threat actor that targets a variety of high-profile diplomatic and economic organizations using a custom set of attack tools. Its victims are all involved with China’s foreign relations in some way, and are generally compromised through spear-phishing or watering-hole attacks.

Associated Families
apk.androrat, apk.bahamut, win.badnews, win.quasar_rat, win.tinytyphon, win.unidentified_047, win.unidentified_055, win.wscspl

References
http://blog.fortinet.com/2017/04/05/in-depth-look-at-new-variant-of-monsoon-apt-backdoor-part-1
http://blog.fortinet.com/2017/04/05/in-depth-look-at-new-variant-of-monsoon-apt-backdoor-part-2
http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments
http://www.symantec.com/connect/blogs/patchwork-cyberespionage-group-expands-targets-governments-wide-range-industries
https://blog.trendmicro.com/trendlabs-security-intelligence/the-urpage-connection-to-bahamut-confucius-and-patchwork/
https://blogs.forcepoint.com/security-labs/monsoon-analysis-apt-campaign
https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf
https://github.com/DesignativeDave/androrat
https://github.com/quasar/QuasarRAT/tree/master/Client
https://hotforsecurity.bitdefender.com/blog/possibly-italy-born-android-rat-reported-in-china-find-bitdefender-researchers-16264.html
https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/
https://researchcenter.paloaltonetworks.com/2018/03/unit42-patchwork-continues-deliver-badnews-indian-subcontinent/
https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/
https://securelist.com/blog/research/75328/the-dropping-elephant-actor/
https://ti.360.net/blog/articles/analysis-of-apt-c-09-target-china/
https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english/
https://twitter.com/malwrhunterteam/status/789153556255342596
https://www.bellingcat.com/news/mena/2017/06/12/bahamut-pursuing-cyber-espionage-actor-middle-east/
https://www.bellingcat.com/resources/case-studies/2017/10/27/bahamut-revisited-cyber-espionage-middle-east-south-asia/
https://www.cymmetria.com/patchwork-targeted-attack/
https://www.fireeye.com/blog/threat-research/2019/04/spear-phishing-campaign-targets-ukraine-government.html
https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf
https://www.freebuf.com/articles/database/192726.html
https://www.kaspersky.com/blog/mobile-malware-part-4/24290/
https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage
https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/
https://www.welivesecurity.com/2018/07/17/deep-dive-vermin-rathole/

Credits: MISP Project