Cybercriminals, not just users, sometimes fall victim to their own mistakes. An India-based threat actor group dubbed Patchwork, which targeted users and government organizations in Pakistan, inadvertently exposed its hacking strategies online. Active since 2015, Patchwork affected various entities in Pakistan via spearphishing attacks. According to a report from Malwarebytes, the attackers exposed all the information they gathered, including their malware details, captured keystrokes, and screenshots of their own systems.
Hackers Spreading Ragnatela via BADNEWS
The researchers stated that Patchwork leveraged malicious RTF files to drop a new variant of the BADNEWS Trojan, dubbed Ragnatela, in its recent campaign from late November to early December 2021. The group used spearphishing emails to distribute the Ragnatela RAT across the targeted network systems.
Ragnatela capabilities include:
- Executing commands via cmd
- Capturing screenshots
- Logging keystrokes
- Collecting a list of all the files on the victim’s machine
- Collecting a list of the running applications on the victim’s machine at specific periods
- Downloading additional payloads
- Uploading files
Patchwork operators tricked victims with fake documents impersonating Pakistani authorities. The group used virtual machines and VPNs to develop and push updates to track their victims.
The victims of Ragnatela Trojan include:
- Ministry of Defense, Government of Pakistan
- National Defense University of Islamabad
- Faculty of Bio-Science, UVAS University, Lahore, Pakistan
- International Center for Chemical and Biological Sciences
- HEJ Research Institute of Chemistry, International Center for Chemical and Biological Sciences, University of Karachi
- SHU University, Molecular medicine
Indicators of Compromise (IoC)
Lure
- karachidha[.]org/docs/EOIForm.rtf
5b5b1608e6736c7759b1ecf61e756794cf9ef3bb4752c315527bcc675480b6c6
RAT
- dll
3d3598d32a75fd80c9ba965f000639024e4ea1363188f44c5d3d6d6718aaa1a3
C2
- bgre[.]kozow[.]com
“While Patchwork uses the same lures and RAT, the group has shown interest in a new kind of target. Indeed this is the first time we have observed Patchwork targeting molecular medicine and biological science researchers. Thanks to data captured by the threat actor’s own malware, we were able to get a better understanding of who sits behind the keyboard,” the researchers said.