Indian-linked Patchwork APT infected its own system revealing its ops

The India-linked threat actor Patchwork infected one of their own computers with its RAT revealing its operations to researchers.

An India-linked threat actor, tracked as Patchwork (aka Dropping Elephant), employed a new variant of the BADNEWS backdoor, dubbed Ragnatela (“spider web” in Italian), in a recent campaign. However, the group made the headlines after infecting its infrastructure with a RAT allowing researchers to analyze its operations.

The APT group has been active since at least 2015, previous operations targeted military and political individuals across the world, it shows a specific interest in organizations in Pakistan.

At the end of 2021, Malwarebytes researchers observed the APT group targeting faculty members whose research focus is on molecular medicine and biological science.

In a recent campaign, the Patchwork group carried out a spear-phishing campaign using weaponized RTF files to drop a variant of the BADNEWS (Ragnatela) Remote Administration Trojan (RAT). The malicious RTF files impersonating Pakistani authorities and exploit a vulnerability in Microsoft Equation Editor to deliver and execute the final payload (RAT). Malwarebytes researchers reported that that payload is stored within the RTF document as an OLE object.

The Ragnatela RAT was developed in late November as seen in its Program Database (PDB) path “E:\new_ops\jlitest __change_ops -29no – Copy\Release\jlitest.pdb” and was employed in cyberespionage campaigns.

The Ragnatela RAT allows threat actors to carry out malicious actions such as:

• Executing commands via cmd
• Capturing screenshots
• Logging Keystrokes
• Collecting list of all the files in victim’s machine
• Collecting list of the running applications in the victim’s machine at a specific time periods
• Downing addition payloads
• Uploading files

The list of victims of this campaign includes the Ministry of Defense- Government of Pakistan, the National Defense University of Islam Abad, the Faculty of Bio-Science, UVAS University (Lahore, Pakistan), the International center for chemical and biological sciences, the HEJ Research institute of chemistry, International center for chemical and biological sciences, the univeristy of Karachi SHU University, Molecular medicine.

“Another – unintentional – victim is the threat actor himself which appears to have infected is own development machine with the RAT. We can see them running both VirtualBox and VMware to do web development and testing. Their main host has dual keyboard layouts (English and Indian).” reads the report published by Malwarebytes.

“Thanks to data captured by the threat actor’s own malware, we were able to get a better understanding about who sits behind the keyboard. The group makes use of virtual machines and VPNs to both develop, push updates and check on their victims. Patchwork, like some other East Asian APTs, is not as sophisticated as their Russian and North Korean counterparts.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Patchwork)

[adrotate banner=”5″]

[adrotate banner=”13″]