The cyber espionage group known as Patchwork has expanded its focus areas to new industries and nations, including the UK, according to research by Symantec.
A report by the security firm said that it has seen the group, also sometimes colourfully dubbed Dropping Elephant, using Chinese-themed content to lure victims to infected websites in the hope of installing malware on their devices.
The group has now widened its attack surface, and is now looking at high-end sectors such as finance, energy, aviation and NGOs rather than focusing solely on government organisations and employees.
“Patchwork originally targeted governments and government-related organisations. However, the group has since expanded its focus to include a broader range of industries,” the report said.
“According to Symantec telemetry, targeted organisations are located in dispersed regions. Although approximately half of the attacks focus on the US, other targeted regions include China, Japan, South East Asia and the UK."
The group uses emails sent via newsletter mailing lists to target those they wish to infiltrate, using relevant sounding stories and announcements to tempt those receiving the emails to visit the malicious websites, as shown above.
Once there, the victims are encouraged to download files, usually masquerading as Word or PowerPoint documents, which contain trojans that can access information stored on the machines.
“While back door trojans wait for commands from the threat actor, they can search for files and upload them to the specified server once activated. For unknown reasons, both threats use Baidu, the Chinese software vendor, in their routines,” Symantec said.
“The trojans confirm an internet connection by pinging Baidu’s server, and create a registry entry with the vendor’s name to run every time Windows starts.”
Symantec advised organisations to see that staff are aware of the threat from phishing emails, and to keep software and systems up to date with the latest security patches.
The warning is just the latest in a long line of threats aimed at businesses. One new concern relates to crooks befriending people via LinkedIn to understand company structures and then send legitimate looking phishing emails.
Facebook database included text-message metadata - despite not using Facebook Messenger for SMS
Successful attack could result in harm to patients and financial loss, warns NHS governing body