Patchwork APT Indian hacker group targets scientists in a new campaign

Patchwork threat actor recent campaign lasted from late November to early December

APT group released the new malware version and got infected themselves with it, so research team gathered a lot of information

Indian threat actors mainly targeting Pakistani government entities and individuals managed to out a new campaign that researchers have been analyzing. Threat intelligence team^[1] discovered the tactics and procedures that the hacking group used in the renewed campaign which took place in November – December of 2021.^[2]

The discovery is in-depth and thorough because hackers managed to infect themselves with the RAT. This attack captured keystrokes and screenshots of their computers, so the research team had a lot of material for the analysis. Patchwork APT group used malicious files to spread the version of BADNEWS/ Ragnatela remote administration trojan.^[3]

The hacker group is known for spear-phishing attacks. In this recent campaign, hackers targeted various faculty members related to research focused on molecular medicine and biological science. First target like this known to the day. Mainly people from the Pakistan Ministry of Defense, national defense University of Islamabad, Faculty of Bio-Sciences at UVAS Lahore. Faculties in Salim Habib University fell victim to the threat.

Hacker group active since 2015

Patchwork is the cyberespionage group that started the malicious activities back in 2015. The Iranian hackers also are known as Dropping Elephant.^[4] These cybercriminals are identified as Indian or Pro-Indian entities due to the evidence that the attackers mainly target industries related to diplomatic and government agencies.

The code that this hacker group uses was mainly collected from various online forums, and this group is known for operations mainly with spear-phishing methods. These campaigns target the United States think tank groups. The more recent attacks that were widely reported took place in 2018.^[5]

The main goal of the APT group is to steal valuable information like credentials or files. The group uses various tactics and tools to bypass user access controls, encrypt collected files, encode them using the AES algorithm. Hackers can execute scripts on affected drivers, download malicious payloads. Over the years, these functions evolved, and threat actors can collect and copy various files, store them on separate servers and make money or use the data for additional campaigns.

The newest version of the RAT – Ragnatela

The success of this research was determined by the fact that these attackers managed to fall into their own trap and get the remote access trojan on their devices. The analysis shows various techniques and tactics used by the attackers because keystrokes and files got captured by the trojan and later analyzed by the Malwarebytes Threat Intelligence team.

We identified what we believe is a new variant of the BADNEWS RAT called Ragnatela being distributed via spear phishing emails to targets of interest in Pakistan. Ragnatela, which means spider web in Italian, is also the project name and panel used by Patchwork APT.

The Ragnatela RAT was recently created, and the program has various malicious features like keystroke logging, downloading additional payloads, and uploading files. The threat can also capture screenshots, execute commands using the command prompt, collect lists of all the files found on the machine, record running applications from particular time periods.

The RAT was distributed by luring victims with documents posing as emails sent from Pakistan authorities. These documents in word formats mainly contain the exploit that compromises the computer and launches the payload of RAT. Researchers managed to understand the group better and determine that patchwork is not as sophisticated as Russian or North Korean groups but can evolve and steal more advanced codes and improve these operations.