
BADNEWS for Hackers! Patchwork Group Expose Themselves in Malware Campaign

India-based threat actor group Patchwork targets users and government organizations in Pakistan with a new variant of BADNEWS RAT dubbed Ragnatela.


Not only users but also cybercriminals sometimes fall victim to their own mistakes. An India-based threat actor group dubbed Patchwork, which targeted users and government organizations in Pakistan, inadvertently exposed its own hacking operation online. Active since 2015, Patchwork has hit various entities in Pakistan via spearphishing attacks. According to a report from Malwarebytes, the attackers infected themselves with their own malware, exposing everything it gathered, including the malware's details, captured keystrokes, and screenshots of their own systems.

Hackers Spreading Ragnatela via BADNEWS

The researchers stated that Patchwork leveraged malicious RTF files to drop a new variant of the BADNEWS Trojan dubbed Ragnatela in its recent campaign, which ran from late November to early December 2021. The group used spearphishing emails to deliver the Ragnatela RAT to the targeted systems.

Ragnatela capabilities include:

  • Executing commands via cmd
  • Capturing screenshots
  • Logging keystrokes
  • Collecting a list of all the files on the victim's machine
  • Collecting a list of the applications running on the victim's machine at specific intervals
  • Downloading additional payloads
  • Uploading files


Patchwork operators tricked victims with fake documents impersonating Pakistani authorities. The group used virtual machines and VPNs to develop and push updates to track their victims.

The victims of Ragnatela Trojan include:

  • Ministry of Defense, Government of Pakistan
  • National Defense University of Islamabad
  • Faculty of Bio-Science, UVAS University, Lahore, Pakistan
  • International Center for Chemical and Biological Sciences
  • HEJ Research Institute of Chemistry, International Center for Chemical and Biological Sciences, University of Karachi
  • SHU University, Molecular Medicine

Indicators of Compromise (IoC)

Lure

  • karachidha[.]org/docs/EOIForm.rtf
    5b5b1608e6736c7759b1ecf61e756794cf9ef3bb4752c315527bcc675480b6c6

RAT

  • dll
    3d3598d32a75fd80c9ba965f000639024e4ea1363188f44c5d3d6d6718aaa1a3

C2

  • bgre[.]kozow[.]com
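As an added defender-side example (not code from the Malwarebytes report or this article), the Python below refangs the indicators listed above, flags DNS queries to the C2 domain or any of its subdomains in a constructed log, and checks a file's SHA-256 against the two published hashes; the log line format is an assumption.

```python
import hashlib
import re
from typing import Optional

# Indicators as published above (defanged with "[.]") and the listed SHA-256 hashes.
DEFANGED_IOCS = {
    "lure_url": "karachidha[.]org/docs/EOIForm.rtf",
    "c2_domain": "bgre[.]kozow[.]com",
}
KNOWN_SHA256 = {
    "5b5b1608e6736c7759b1ecf61e756794cf9ef3bb4752c315527bcc675480b6c6": "Ragnatela lure RTF (EOIForm.rtf)",
    "3d3598d32a75fd80c9ba965f000639024e4ea1363188f44c5d3d6d6718aaa1a3": "Ragnatela RAT DLL",
}

def refang(indicator: str) -> str:
    """Turn a defanged indicator ("[.]", "hxxp") back into a matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")

def domain_matches(qname: str, ioc_domain: str) -> bool:
    """True if qname is the IOC domain or a subdomain of it (case-insensitive, trailing dot ignored)."""
    q, d = qname.lower().rstrip("."), ioc_domain.lower().rstrip(".")
    return q == d or q.endswith("." + d)

def scan_dns_log(lines, c2_domain=refang(DEFANGED_IOCS["c2_domain"])):
    """Return (line_no, queried_name) for each line whose query hits the C2 domain.
    Assumes a simple '<timestamp> <client> query=<name>' format (constructed here)."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = re.search(r"query=(\S+)", line)
        if m and domain_matches(m.group(1), c2_domain):
            hits.append((n, m.group(1)))
    return hits

def classify_file(data: bytes) -> Optional[str]:
    """Return the IOC label if the SHA-256 of data is on the published list, else None."""
    return KNOWN_SHA256.get(hashlib.sha256(data).hexdigest())

# Constructed sample log: only lines 2 and 4 should be flagged (line 3 is the parent domain).
SAMPLE_DNS_LOG = [
    "2021-12-01T10:00:01Z 10.0.0.5 query=www.example.com",
    "2021-12-01T10:00:07Z 10.0.0.5 query=bgre.kozow.com",
    "2021-12-01T10:00:09Z 10.0.0.9 query=kozow.com",
    "2021-12-01T10:00:12Z 10.0.0.5 query=api.BGRE.kozow.com.",
]

if __name__ == "__main__":
    for n, name in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"line {n}: DNS query for Ragnatela C2 ({name})")
    print(classify_file(b"constructed, not the real sample"))  # None: hash not on the list
```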

“While Patchwork uses the same lures and RAT, the group has shown interest in a new kind of target. Indeed this is the first time we have observed Patchwork targeting molecular medicine and biological science researchers. Thanks to data captured by the threat actor’s own malware, we were able to get a better understanding of who sits behind the keyboard,” the researchers said.