A well-known threat group linked to India inadvertently disclosed its operations to security researchers after it infected itself with its own home-made remote access trojan (RAT).
By accidentally infecting its development environment with the RAT, the Indian threat group exposed its inner workings and its weaknesses.
Malwarebytes tracks the group as Patchwork; it is also monitored under the names Chinastrats, Monsoon, Hangover Group, and Dropping Elephant.
As reported by ZDNet, the group has been active since at least 2015 and continues to launch campaigns that plant RATs for data theft and other malicious activity.
In one of the latest waves of attacks linked to Patchwork, the group targeted faculty members at research institutions, focusing on the biological and molecular sciences.
The new variant: Ragnatela
In its latest campaign, which ran from late November to early December 2021, Patchwork used malicious RTF files to spread a variant of the BADNEWS RAT called Ragnatela (Ragnatela Remote Administration Trojan).
Once installed, the Ragnatela RAT can execute commands, take screenshots, log keystrokes, collect sensitive files and the list of running programs, deploy additional payloads, and exfiltrate data.
According to Security Week, Ragnatela is an Italian word for “spider web.”
Ragnatela is a new variant of the BADNEWS RAT.
To distribute the malware, the attackers sent spear phishing messages impersonating Pakistani authorities, with the malicious RTF files attached.
According to Malwarebytes, the Ragnatela RAT was created in late November, around the same time the campaign began.
Both the malware and the server it communicated with were tested in late November, just before the attacks began.
Cyber criminals expose themselves
After Patchwork infected its own systems with its own RAT, which captured keystrokes and screenshots from its computers and virtual machines, the Malwarebytes team announced on January 7 that it had been able to investigate the Advanced Persistent Threat (APT) group's activities.
According to Bleeping Computer, Malwarebytes Labs' Threat Intelligence team noted the irony that all of this information was obtained only because the threat actor accidentally infected itself with its own RAT, which leaked keystrokes and screenshots from its computers and virtual machines.
Once the researchers realized that the operators had infected their own development systems with the RAT, they were able to watch Patchwork operators use VirtualBox and VMware for web development and testing, including testing on computers with dual keyboard layouts.
Monitoring of its operations showed that Patchwork, like some other East Asian APTs, uses virtual machines and VPNs to develop its tooling, deploy updates, and monitor its victims.
However, the researchers noted that it is not as advanced as its Russian and North Korean counterparts.
Through the group's self-exposure, it was reported that it had managed to compromise the Pakistani Ministry of Defense, as well as faculty from the departments of Molecular Medicine and Biological Sciences at a number of universities, including the National Defense University in Islamabad, UVAS University, College of Biosciences, Karachi HEJ Research Institute, and SHU University.
Beyond this list of victims, Patchwork operators had already used the same technique in March 2018, sending malicious RTF files to compromise victims' computers and deploying a variant of the QuasarRAT malware against US research centers in several spear phishing campaigns.