Patchwork & The Dropping Elephant APT

Good work from Gadi and the team at Cymmetria & Kaspersky -  Cymmetria report is here , Kaspersky here 

What struck me as odd and reminded me of some of the work i looked at in May was this line in the Kaspersky analysis:

it hides base64 encoded and encrypted control server locations in comments on legitimate web sites. However, unlike the previous actors, the encrypted data provides information about the next hop, or the true C2 for the backdoor, instead of initial commands.
— https://securelist.com/blog/research/75328/the-dropping-elephant-actor/

This particular comment struck me because in early may i was analysing some malicious .pps documents i had received and identified a number of CVE's being used in them, they contained material related to the Government projects and political interests in SE Asia.

Example metadata from .pps leveraging CVE's

I was struggling to identify what type of campaign this was, when i identified some of the C2 commands were being stored in blog comments on legitimate web sites although they were completely unrelated to any political activity.



There is a lot of security research available in the political unrest of SE Asia, South China Sea. A lot of the content available to research has been laid by FireEye  the ongoing territorial disputes are being fought with a very competitive cyber theme.