The inner workings of an Indian threat group have been exposed after the group accidentally infected its own development environment with a Remote Access Trojan (RAT).
Dubbed Patchwork by Malwarebytes and tracked under the names Hangover Group, Dropping Elephant, Chinastrats, and Monsoon, the Indian group has been active since at least 2015 and has launched campaigns aimed at deploying RATs for data theft and other malicious activity.
In one of the latest waves of attacks related to Patchwork, the group targeted individual faculty members from research institutions specializing in biomedical and molecular sciences.
On January 7, the Malwarebytes team said that after Patchwork managed to infect its own systems with its own RAT creation, it was able to delve into the activities of the advanced persistent threat (APT) group, “resulting in captured keystrokes and screenshots of their own computers and virtual machines.”
According to the cybersecurity researchers, Patchwork typically relies on spear phishing, sending tailored emails to specific targets. A new variant of these emails is designed to drop RTF files containing the BADNEWS RAT.
The latest version of the malware, called Ragnatela, was compiled in November 2021. The Trojan is capable of capturing screenshots, keylogging, listing operating system processes and machine files, uploading malware, and executing other payloads.
After examining Patchwork’s systems, the team determined that Ragnatela was stored as an OLE object inside a malicious RTF file, often disguised as official correspondence from Pakistani authorities. An exploit for a known Microsoft Equation Editor vulnerability was used to execute the RAT.
Based on the attacker’s control panel, Malwarebytes was able to identify victims infiltrated by Patchwork, including the Pakistani government’s Ministry of Defense, the Defense University of Islamabad, the Faculty of Biological Sciences (FBS) at UVAS University, the HEJ Institute at the University of Karachi, and the Molecular Medicine Department of the University of Shu.
Because Patchwork infected its own development machines with Ragnatela, the researchers could also see the group using VirtualBox and VMware virtual machines (VMs) for malware testing.
“Other information that was available was that it was cloudy, 19 degrees, and they hadn’t updated their Java,” Malwarebytes said. “More seriously, threat actors use VPN Secure and CyberGhost to mask their IP addresses.”
This is the first time the group has been linked to an attack against the biomedical research community, which may indicate a pivot in Patchwork’s priority targeting.