A well-known Indian-linked cyber espionage group has unintentionally exposed its operations to security researchers after infecting itself with its own homemade remote access trojan (RAT).
By inadvertently running the RAT inside its own development environment, the Indian threat group revealed its inner workings and operational weaknesses.
Malwarebytes tracks this group as Patchwork; it is also monitored under the names Chinastrats, Monsoon, Hangover Group, and Dropping Elephant.
As reported by ZDNet, the group has been active since at least 2015 and continues to run campaigns that implant RATs for data theft and other malicious activity.
The organization targeted specific faculty members from research institutions, focusing on biological and molecular sciences in one of the most recent attack waves linked to Patchwork.
Spreading The New Variant Ragnatela
In its most recent campaign, which ran from late November to early December 2021, Patchwork used malicious RTF files to deploy a new variant of the BADNEWS RAT, named Ragnatela (Ragnatela Remote Administration Trojan).
Ragnatela can execute commands, capture screenshots, log keystrokes, harvest sensitive files and the list of running programs, deploy additional payloads, and exfiltrate data.
According to Security Week, Ragnatela is an Italian word that means "spider web."
Ragnatela is a new variation of BADNEWS RAT.
The attackers distributed the malware through spear-phishing emails carrying malicious RTF files that impersonated Pakistani authorities.
The Ragnatela RAT was created in late November, around the same time that the campaign began, according to Malwarebytes.
The malware and the command-and-control server it communicated with were both tested in late November, just before the attacks began.
Cybercriminals Exposing Themselves
On Jan. 7, the Malwarebytes team announced that it had been able to look inside the advanced persistent threat (APT) group's activities after Patchwork infected its own systems with its own RAT, which captured keystrokes and screenshots from the operators' PC and virtual machines.
Bleeping Computer reported that, according to the Malwarebytes Labs Threat Intelligence Team, all of the information acquired was made possible by the threat actor accidentally infecting itself with its own RAT, which exposed keystrokes and screenshots captured from its own computer and virtual machines.
Once the researchers realized that the operators had infected their own development systems with the RAT, they were able to watch Patchwork using VirtualBox and VMware for testing and web development, and testing on PCs with dual keyboard layouts.
Victims of Patchwork
During the observation period, Patchwork, like some other East Asian APTs, was seen using virtual machines and VPNs to develop its tools, push updates, and monitor its victims.
However, the researchers noted that it is not as sophisticated as its Russian and North Korean counterparts.
Through this window into the group's operations, it was reported that Patchwork had compromised Pakistan's Ministry of Defense and faculty members from molecular medicine and biological science departments at a number of universities, including the National Defense University of Islamabad, UVAS University's Faculty of Bio-Science, the Karachi HEJ Research Institute, and SHU University.
This is not the group's first use of the technique: in March 2018, Patchwork operators sent the same kind of malicious RTF files in several spear-phishing campaigns against US think tanks, delivering a QuasarRAT malware variant to compromise the victims' devices.