Threat hunters have shed light on the tactics, techniques, and procedures used by Patchwork, an Indian-origin hacking group, as part of a renewed campaign that began in late November 2021 and targeted Pakistani government entities and individuals working in molecular medicine and biological science research.
Pakistan’s Ministry of Defense, National Defense University of Islamabad, Faculty of Bio-Sciences at UVAS Lahore, International Center for Chemical and Biological Sciences (ICCBS), H.E.J. Research Institute of Chemistry, and Salim Habib University (SBU) are among the notable victims.
The espionage group gets its name from the fact that most of the code used for its malware tooling was copied and pasted from various publicly available sources on the web. It is best known for spear-phishing attacks on diplomatic and government agencies in Pakistan, China, U.S. think tanks, and other targets in the Indian subcontinent.
Researchers from the now-defunct Israeli cybersecurity startup Cymmetria stated in their results published in July 2016 that “the code utilized by this threat actor is copy-pasted from numerous internet
The latest campaign is similar in that the adversary entices potential victims with RTF documents posing as Pakistani authorities, which then serve as a conduit for the distribution of Ragnatela, a new variant of the BADNEWS trojan that allows the operators to run arbitrary commands, capture keystrokes and screenshots, list and upload files, and download additional malware.
The new lures, ostensibly from the Pakistan Defence Officers Housing Authority (DHA) in Karachi, include a Microsoft Equation Editor exploit that is used to compromise the victim’s PC and execute the Ragnatela payload.
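The RTF-with-Equation-Editor delivery chain described above leaves a recognisable footprint in the document itself: an embedded OLE object whose class name is Equation Editor's ProgID. The following triage script is an added example written for this page, not code from the article or from Malwarebytes; it assumes standard RTF object syntax (`\objclass`, hex-encoded `\objdata`, the `\objupdate` auto-refresh flag) and uses constructed sample documents rather than real samples.

```python
import re

# Constructed sample RTF fragments (not real malware samples).
# The first embeds an OLE object whose class name is Equation Editor's
# ProgID "Equation.3"; the \objdata blob is the OLE1 header followed by
# the class name "Equation.3\0" in hex. The second is a plain document.
SUSPICIOUS_RTF = (
    r"{\rtf1\ansi{\object\objemb\objupdate{\*\objclass Equation.3}"
    r"{\*\objdata 01050000020000000b000000457175"
    r"6174696f6e2e330000000000}}}"
)
BENIGN_RTF = r"{\rtf1\ansi Quarterly report text\par}"

OBJCLASS_RE = re.compile(r"\\objclass\s+([^}\\]+)")
OBJDATA_RE = re.compile(r"\\objdata\s+([0-9A-Fa-f\s]+)")
OBJUPDATE_RE = re.compile(r"\\objupdate\b")


def decode_objdata(hexblob: str) -> bytes:
    """Turn the hex text of an \\objdata group into raw bytes.

    RTF writers may wrap the hex across lines, so whitespace is stripped;
    a trailing odd nibble (truncated file) is dropped rather than raising.
    """
    clean = re.sub(r"\s+", "", hexblob)
    if len(clean) % 2:
        clean = clean[:-1]
    return bytes.fromhex(clean)


def triage_rtf(text: str) -> list:
    """Return a list of findings that suggest an Equation Editor object.

    Two independent signals are checked so that stripping one (e.g. an
    omitted \\objclass) does not silence the detection:
      1. the declared object class begins with "Equation";
      2. the decoded \\objdata payload carries the "Equation" class name.
    \\objupdate is reported as a secondary signal because it forces the
    object to load when the document is opened, without user interaction.
    """
    findings = []
    for m in OBJCLASS_RE.finditer(text):
        cls = m.group(1).strip()
        if cls.lower().startswith("equation"):
            findings.append(f"objclass declares {cls}")
    for m in OBJDATA_RE.finditer(text):
        if b"Equation" in decode_objdata(m.group(1)):
            findings.append("objdata embeds Equation Editor class name")
    if findings and OBJUPDATE_RE.search(text):
        findings.append("objupdate forces object load on open")
    return findings


if __name__ == "__main__":
    for name, doc in (("suspicious", SUSPICIOUS_RTF), ("benign", BENIGN_RTF)):
        print(name, "->", triage_rtf(doc) or "no Equation Editor indicators")
```

Real lures frequently obfuscate the control words (extra whitespace, nested groups, junk between hex digits), so treat this as a first-pass filter that routes documents to a sandbox rather than a definitive verdict; the two-signal design means a sample that hides only the `\objclass` is still caught by the decoded `\objdata`.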
However, in a case of OpSec failure, the threat actor also infected their own development machine with the RAT, which enabled Malwarebytes to unmask a number of its tactics, including the use of dual keyboard layouts (English and Indian) and the use of virtual machines and VPNs such as VPN Secure and CyberGhost to hide their IP address.