
Indian Patchwork hacking group infects itself with remote access Trojan

Jan 10, 2022 | Hi-network.com

An Indian threat group's inner workings have been exposed after it accidentally infected its own development environment with a remote access Trojan (RAT).


Tracked as Patchwork by Malwarebytes and also known as Hangover Group, Dropping Elephant, Chinastrats, and Monsoon, the Indian group has been active since at least 2015 and continues to run campaigns that deploy RATs for data theft and other malicious activity.

In one of the latest attack waves connected to Patchwork, the group targeted individual faculty members from research institutions specializing in biomedical and molecular sciences.

On January 7, the Malwarebytes team said it was able to delve into the advanced persistent threat (APT) group's activities after Patchwork managed to infect its own systems with its own RAT creation, "resulting in captured keystrokes and screenshots of their own computer and virtual machines."

According to the cybersecurity researchers, Patchwork typically relies on spear-phishing, with tailored emails sent to specific targets. These emails carry malicious RTF attachments that deliver the BADNEWS RAT, of which a new variant has now been found.

The latest version of this malware, dubbed Ragnatela, was compiled in November 2021. The Trojan is capable of capturing screenshots, logging keystrokes, enumerating running processes and files on the victim's machine, uploading files, and downloading and executing additional payloads.

After examining Patchwork's systems, the team ascertained that Ragnatela is delivered inside malicious RTF files as embedded OLE objects, with the documents crafted to look like official communication from Pakistani authorities. An exploit for a known Microsoft Equation Editor vulnerability, the EQNEDT32.EXE memory-corruption flaw CVE-2017-11882, is used to execute the RAT. Microsoft patched that flaw in November 2017 and removed the Equation Editor component from Office entirely in January 2018, so this delivery chain only works against machines that are missing those updates; an up-to-date Office installation has nothing for the embedded object to be handed to.
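The delivery chain described above (an RTF carrying an embedded OLE object that Office hands to Equation Editor) can be triaged statically before anything is opened. The following Python script is an added example and is not Malwarebytes' code or anything from the article: it decodes the `\objdata` hex blobs from an RTF, reads the OLE1 object header that wraps each embedded object, and flags Equation Editor indicators (the ProgID `Equation.3`, the Equation Editor CLSID, and the `Equation Native` stream name). The two sample documents it builds are constructed test data, not real exploit files; the only real-world constants are the well-known CLSIDs of Equation Editor 3.0 and Word 97-2003 documents.

```python
import binascii
import re
import struct
import uuid

# CLSID of the Equation Editor 3.0 COM server (EQNEDT32.EXE), the component
# targeted by CVE-2017-11882. Inside an OLE compound file it is stored in
# little-endian GUID layout in the root directory entry.
EQNEDT_CLSID = uuid.UUID("0002ce02-0000-0000-c000-000000000046")
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # compound file signature

# \objdata carries the embedded object as a run of hex digits. Malicious RTFs
# often break the run up with whitespace, so the character class allows it.
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")
OBJCLASS_RE = re.compile(rb"\\objclass\s+([^\\{};\s]+)")


def extract_objdata(rtf: bytes) -> list:
    """Return the decoded bytes of every \\objdata blob in the RTF."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        hexrun = re.sub(rb"\s+", b"", m.group(1))
        if len(hexrun) % 2:  # tolerate a truncated trailing nibble
            hexrun = hexrun[:-1]
        blobs.append(binascii.unhexlify(hexrun))
    return blobs


def ole1_class_name(blob: bytes):
    """Parse the OLE1 ObjectHeader in front of an embedded object:
    OLEVersion(4) FormatID(4) ClassNameLength(4) ClassName (ANSI, NUL-terminated)."""
    if len(blob) < 12:
        return None
    _version, fmt, name_len = struct.unpack_from("<III", blob, 0)
    if fmt not in (1, 2) or name_len == 0 or name_len > 256:  # 1 = linked, 2 = embedded
        return None
    return blob[12:12 + name_len].rstrip(b"\x00").decode("latin-1", "replace")


def equation_editor_indicators(blob: bytes) -> list:
    """Collect the signs that this object will be handed to Equation Editor."""
    hits = []
    progid = ole1_class_name(blob)
    if progid and progid.lower().startswith("equation"):
        hits.append("OLE1 class name " + progid)
    if EQNEDT_CLSID.bytes_le in blob:
        hits.append("Equation Editor CLSID in object")
    if "Equation Native".encode("utf-16-le") in blob:  # CFB stream names are UTF-16LE
        hits.append("'Equation Native' stream")
    return hits


def scan_rtf(rtf: bytes) -> dict:
    """Summarise every embedded object and decide whether the file needs a closer look."""
    objclasses = [m.group(1).decode("latin-1") for m in OBJCLASS_RE.finditer(rtf)]
    objects = []
    for blob in extract_objdata(rtf):
        objects.append({
            "ole1_class": ole1_class_name(blob),
            "is_cfb": CFB_MAGIC in blob,
            "indicators": equation_editor_indicators(blob),
        })
    suspicious = any(o["indicators"] for o in objects) or any(
        c.lower().startswith("equation") for c in objclasses)
    return {"objclass": objclasses, "objects": objects, "suspicious": suspicious}


def make_sample_rtf(progid: bytes, clsid: uuid.UUID) -> bytes:
    """Build a minimal RTF with one embedded OLE1 object. Constructed test data:
    the 'native data' is only a CFB magic plus a CLSID, not a real compound file."""
    name = progid + b"\x00"
    header = struct.pack("<III", 0x501, 2, len(name)) + name  # OLEVersion 01 05 00 00, embedded
    header += struct.pack("<II", 0, 0)  # TopicName / ItemName lengths
    native = CFB_MAGIC + b"\x00" * 8 + clsid.bytes_le
    blob = header + struct.pack("<I", len(native)) + native
    return (b"{\\rtf1{\\object\\objemb{\\*\\objclass " + progid +
            b"}{\\*\\objdata " + binascii.hexlify(blob) + b"}}}")


# Constructed samples: one Equation Editor object, one ordinary embedded Word document.
SUSPICIOUS_RTF = make_sample_rtf(b"Equation.3", EQNEDT_CLSID)
BENIGN_RTF = make_sample_rtf(b"Word.Document.8",
                             uuid.UUID("00020906-0000-0000-c000-000000000046"))

if __name__ == "__main__":
    for label, doc in (("suspicious", SUSPICIOUS_RTF), ("benign", BENIGN_RTF)):
        print(label, scan_rtf(doc))
```

The script deliberately stops at the OLE1 wrapper and byte-level indicators; it does not parse the compound file or the Equation Native record where the actual overflow lives. Real samples also hide `\objdata` behind control-word noise, nested groups and `\bin` runs that this regex will not follow, so for production triage run `rtfobj` from the oletools package, which normalises those obfuscations before extracting objects, and treat any `Equation.3` object in an inbound RTF as hostile regardless of whether the patch is installed.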

Based on the attacker's control panels, Malwarebytes was able to name the Pakistani government's Ministry of Defense, the National Defense University of Islamabad, the Faculty of Bio-Sciences (FBS) at UVAS University, the HEJ Research Institute at the University of Karachi, and the molecular medicine department at SHU University as organizations infiltrated by Patchwork. 

Because Patchwork infected its own development machine with Ragnatela, the researchers could also watch the group testing its malware in VirtualBox and VMware virtual machines (VMs).

"Other information that can be obtained is that the weather at the time was cloudy with 19 degrees and that they haven't updated their Java yet," Malwarebytes said. "On a more serious note, the threat actor uses VPN Secure and CyberGhost to mask their IP address."

This is the first time the group has been connected to attacks against the biomedical research community, which may suggest a pivot in Patchwork's priority targets. 


Copyright © 2014-2024 Hi-Network.com | HAILIAN TECHNOLOGY CO., LIMITED | All Rights Reserved.