Threat hunters have shed light on the tactics, techniques and procedures adopted by an Indian-origin hacking group called Patchwork as part of a renewed campaign that began in late November 2021, targeting Pakistani government entities and individuals focused on research in molecular medicine and biology.
“Ironically, all of the information we gathered was made possible by the fact that the threat actor got infected with his own [remote access trojan], resulting in keystrokes and screenshots of their own computer and virtual machines,” the Malwarebytes Threat Intelligence team said in a report released Friday.
The main victims that were successfully infiltrated include the Pakistan Ministry of Defense, the Islamabad University of National Defense, the UVAS Lahore Faculty of Biological Sciences, the International Center for Chemical and Biological Sciences (ICCBS), the HEJ Research Institute of Chemistry and Salim Habib University (SBU).
Considered active since 2015, Patchwork APT is also tracked by the broader cybersecurity community under the names Dropping Elephant, Chinastrats (Kaspersky), Quilted Tiger (CrowdStrike), Monsoon (Forcepoint), Zinc Emerson, TG-4410 (SecureWorks), and APT-C-09 (Qihoo 360).
The espionage group, primarily known for targeting diplomatic and government agencies in Pakistan and China, US think tanks, and other targets in the Indian subcontinent via spear-phishing campaigns, earns its name from the fact that most of the code used in its malware tooling has been copied and pasted from various publicly available sources on the web.
“The code used by this threat actor is copied and pasted from various online forums, in a way that reminds us of a patchwork quilt,” noted researchers at the now-defunct Israeli cybersecurity startup Cymmetria in findings published in July 2016.
Over the years, successive covert operations run by the actor have attempted to drop and execute QuasarRAT as well as an implant named BADNEWS, which acts as a backdoor for the attackers and gives them full control over the victim machine. In January 2021, the threat cluster was also observed exploiting a remote code execution vulnerability in Microsoft Office (CVE-2017-0261) to deliver payloads to victimized machines.
The latest campaign is no different: the adversary lures potential targets with RTF documents masquerading as coming from Pakistani authorities, which ultimately serve as the channel for deploying a new variant of the BADNEWS trojan called Ragnatela (“spider web” in Italian). The implant allows operators to execute arbitrary commands, capture keystrokes and screenshots, list and upload files, and download additional malware.
The new decoys, which claim to be from the Pakistan Defense Officers Housing Authority (DHA) in Karachi, contain an exploit for Microsoft Equation Editor which is triggered to compromise the victim’s computer and run the Ragnatela payload.
But in a case of OpSec failure, the threat actor also ended up infecting their own development machine with the RAT, enabling Malwarebytes to unmask a number of their habits, including the use of two keyboard layouts (English and Indian) and the use of virtual machines and VPN services such as VPN Secure and CyberGhost to conceal their IP addresses.
“As they continue to use the same decoys and RATs, the group has shown interest in a new type of target,” the researchers concluded. “Indeed, this is the first time that we have observed Patchwork targeting researchers in molecular medicine and the biological sciences.”