In a recent campaign, the India-linked threat actor Patchwork was seen using a new variant of the BADNEWS backdoor. The attackers also infected one of their own PCs, giving researchers insight into their activities. Patchwork, also known as Dropping Elephant and Chinastrats, is an advanced persistent threat (APT) group that has been active since at least 2015. It primarily targets military and political figures around the world, with a focus on Pakistani organizations.
However, Malwarebytes detected the group targeting “faculty members whose research focus is on molecular medicine and biological science” in November and December 2021, which signals a significant shift in the adversary’s targeting. The campaign was also marked by the use of Ragnatela (“spider web” in Italian), a new variant of the BADNEWS remote access Trojan (RAT). The attackers spread the malware through phishing emails carrying malicious RTF files, impersonating Pakistani officials.
Once dropped on a victim’s PC, Ragnatela allows attackers to execute commands, enumerate files on the system, identify running applications, capture screenshots, log keystrokes, download additional payloads, and upload files. According to Malwarebytes, the Ragnatela RAT was built in late November, around the same time the campaign began. The malware and the server it communicated with were tested in late November, just before the attacks started.
The adversary is thought to have successfully compromised multiple entities as part of the campaign, including users at Pakistan’s Ministry of Defense, UVAS University’s Faculty of Bio-Science, Islamabad’s National Defense University, the University of Karachi’s International Center for Chemical and Biological Sciences, and Salim Habib University. The adversary also infected their own system with the new RAT due to a mistake, allowing Malwarebytes to learn more about the development tools used by the APT.
“Thanks to data captured by the threat actor’s own malware, we were able to get a better understanding about who sits behind the keyboard. The group makes use of virtual machines and VPNs to both develop, push updates and check on their victims. Patchwork, like some other East Asian APTs, is not as sophisticated as their Russian and North Korean counterparts,” said Malwarebytes.