After becoming infected with its own Remote Access Trojan (RAT), a cyberespionage group linked to India accidentally exposed its operations to security researchers.
The threat actor has been active since at least December 2015 and is tracked as PatchWork (aka Dropping Elephant, Chinastrats or Quilted Tiger), a name that refers to its use of copy-pasted code.
During PatchWork’s most recent campaign, between late November and early December 2021, Malwarebytes Labs observed threat actors using malicious RTF documents masquerading as Pakistani authorities to infect targets with a new variant of BADNEWS RAT, known as Ragnatela.
The Ragnatela RAT enables threat actors to execute commands, capture screen snapshots, log keystrokes, harvest sensitive files and a list of running applications, deploy additional payloads and download files.
“Ironically, all of the information we gathered was made possible by the threat actor becoming infected with his own RAT, resulting in keystrokes and screenshots being captured from his own computer and its virtual machines,” the Malwarebytes Labs Threat Intelligence Team explained.
After discovering that the PatchWork operators had infected their own development systems with the RAT, the researchers were able to monitor them as they used VirtualBox and VMware for web development and testing, on computers with dual keyboard layouts (English and Indian).
While observing their operations, the researchers also obtained information on targets the group had compromised, including the Pakistan Ministry of Defense and faculty members from the departments of molecular medicine and biological sciences at several universities, such as the National Defense University in Islamabad, the UVAS University Faculty of Biochemistry, the Karachi HEJ Research Institute and SHU University.
“Using data captured by the threat actor’s own malware, we were able to better understand who is behind the keyboard,” added Malwarebytes Labs.
“The group uses virtual machines and VPNs to develop, push updates and verify their victims. Patchwork, like some other East Asian APTs, is not as sophisticated as their Russian and North Korean counterparts.”
PatchWork operators had already targeted American think tanks in March 2018 in several spear-phishing campaigns, using the same tactic of pushing malicious RTF files to compromise their victims' systems, that time with a variant of the QuasarRAT malware.
Two months earlier, in January 2018, they were observed pushing weaponized documents delivering the BADNEWS malware in attacks against targets in the Indian subcontinent.
They were also behind a spear-phishing campaign targeting employees of a European government organization at the end of May 2016.