The Malwarebytes Threat Intelligence Team reported that, “Ironically, all of the information we gathered was made possible by the threat actor infecting themselves with their own [remote access trojan], which resulted in captured keystrokes and screenshots of their own computer and virtual machines.”
Pakistan’s Ministry of Defense, the National Defence University of Islamabad, the Faculty of Bio-Sciences at UVAS Lahore, the International Center for Chemical and Biological Sciences (ICCBS), the H.E.J. Research Institute of Chemistry, and Salim Habib University (SBU) are among the major victims.
Threat hunters have shed light on the tactics, techniques, and procedures used by Patchwork, an Indian-origin hacking group, as part of a renewed campaign that began in late November 2021 and targeted Pakistani government entities and individuals working in molecular medicine and biological science research.
Patchwork APT, which has been active since 2015, is also known in the cybersecurity world as Dropping Elephant, Chinastrats (Kaspersky), Quilted Tiger (CrowdStrike), Monsoon (Forcepoint), Zinc Emerson, TG-4410 (SecureWorks), and APT-C-09 (Qihoo 360).
Over the years, the actor has attempted to drop and execute QuasarRAT as well as an implant known as BADNEWS, which serves as a backdoor for the attackers and gives them complete control over the target PC. In January 2021, the threat group was also seen delivering payloads to victim workstations by exploiting a remote code execution vulnerability in Microsoft Office (CVE-2017-0261).
The latest campaign is similar in that the adversary entices potential victims with RTF documents posing as Pakistani authorities, which then serve as a conduit for the distribution of Ragnatela, a new variant of the BADNEWS trojan that allows the operators to run arbitrary commands, capture keystrokes and screenshots, list and upload files, and download additional malware.
Ragnatela RAT was created in late November, as evidenced by the path “E:\new ops\jlitest __change ops -29no – Copy\Release\jlitest.pdb” in its Program Database (PDB). It comes with the following features:
- Executing commands via cmd
- Capturing screenshots
- Logging keystrokes
- Collecting a list of all the files on the victim’s machine
- Collecting a list of the applications running on the victim’s machine at specific time periods
- Downloading additional payloads
- Uploading files
The new lures, purportedly from the Pakistan Defence Officers Housing Authority (DHA) in Karachi, include a Microsoft Equation Editor exploit that is used to compromise the victim’s PC and execute the Ragnatela payload.
However, in a case of OpSec failure, the threat actor also infected their own development machine with the RAT, which allowed Malwarebytes to unmask a number of their tactics, including the use of dual keyboard layouts (English and Indian) as well as the use of virtual machines and VPNs such as VPN Secure and CyberGhost to hide their IP address.
Finally, the researchers concluded that, “While they continue to use the same lures and RAT, the group has exhibited interest in a new type of target. This is the first time we’ve seen Patchwork target molecular medicine and biological science researchers.”
Indicators of Compromise