Bbabo NET

BADNEWS! Patchwork APT hackers hit their own web

Cyber threat hunters have been able to look behind the scenes at an Indian hacking group called Patchwork as it prepared a new campaign that began in late November 2021. The campaign targets Pakistani government agencies and individuals specializing in molecular research and the biological sciences.

“Ironically, we were able to collect all this information due to the fact that attackers infected themselves with their own Trojan, which led to the interception of keystrokes and taking screenshots of their computer and virtual machines,” said a team at Malwarebytes on Friday.

Of the victims who actually fell for the hackers' trick, the most notable were:

Pakistani Ministry of Defense;

National Defense University, Islamabad;

Department of Biological Sciences, UVAS University, Lahore, Pakistan;

International Center for Chemical and Biological Sciences;

The International Center for Chemical and Biological Sciences at the University of Karachi;

Department of Molecular Medicine, SHU University.

As far as we know, Patchwork APT has been operating since 2015 and has also appeared in wider circles of the information security community under the pseudonyms Dropping Elephant, Chinastrats (Kaspersky), Quilted Tiger (CrowdStrike), Monsoon (Forcepoint), Zinc Emerson, TG-4410 (SecureWorks) and APT-C-09 (Qihoo 360).

The spy group is famous for its spear phishing campaigns targeting diplomatic and government agencies in Pakistan, China, think tanks in the United States, and other targets located in the Indian subcontinent.

As for its name *, it reflects the fact that most of the code on which the group's malware is built was copied from various public online resources.

* Patchwork - a hodgepodge or something assembled from many components, patches.

"The code used by the attackers was copied from various online forums in such a way that its structure resembles a patchwork quilt," noted researchers from the now-defunct cybersecurity startup Cymmetria back in July 2016.

Over the years, the group's operations have involved deploying QuasarRAT alongside the BADNEWS implant, a backdoor that gives the attackers complete control over the victim's machine. In January 2021, the group was also seen exploiting a remote code execution vulnerability in Microsoft Office (CVE-2017-0261) to deliver payloads to target machines.

In the latest campaign, the hackers again showed little originality, luring potential victims with RTF documents purporting to come from Pakistani government bodies, which ultimately deploy a new version of the BADNEWS Trojan called Ragnatela ("spider web" in Italian). Ragnatela allows operators to execute arbitrary commands, intercept keystrokes, take screenshots, download files, and upload other malware.

These new decoys, which mimic a communication from the Pakistani Defense Officers Housing Authority (DHA), contain an exploit for the Microsoft Equation Editor that, when triggered, compromises the victim's computer and executes the Ragnatela payload.
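A defensive triage check for RTF decoys of the kind described above, added here as an example (not Malwarebytes' or the campaign's code): it flags RTF files that embed an Equation Editor OLE object. The `\object`, `\objclass`, `\objdata` and `\objupdate` control words come from the RTF specification; the assumption that the OLE1 header inside `\objdata` carries the class name as a plain ASCII string is the author's, and the sample RTF is constructed, not a real lure.

```python
import re

# Constructed sample: a minimal RTF embedding an Equation Editor object.
# \objupdate asks Word to load the object automatically, so it is a useful
# secondary signal. The \objdata hex is a hand-built OLE1 header (assumed layout):
#   version 01050000, format 02000000 (embedded), class-name length 0b000000,
#   "Equation.3\0", then zero-length topic and item names.
SAMPLE_RTF = (
    rb"{\rtf1\ansi{\object\objemb\objupdate{\*\objclass Equation.3}"
    rb"{\*\objdata 01050000 02000000 0b000000 4571756174696f6e2e3300 00000000 00000000}}}"
)


def objdata_blobs(rtf: bytes) -> list:
    """Hex-decode every \\objdata group (the hex may contain whitespace)."""
    blobs = []
    for m in re.finditer(rb"\\objdata\s*([0-9a-fA-F\s]+)", rtf):
        hexdata = re.sub(rb"\s", b"", m.group(1))
        hexdata = hexdata[: len(hexdata) & ~1]  # drop a dangling nibble if present
        blobs.append(bytes.fromhex(hexdata.decode("ascii")))
    return blobs


def equation_editor_findings(rtf: bytes) -> dict:
    """Heuristics for an embedded Equation Editor object in an RTF file."""
    findings = {
        # Class advertised in the RTF itself.
        "objclass_equation": bool(re.search(rb"\\objclass\s+Equation\.\d", rtf, re.I)),
        # Class name carried inside the OLE1 object header (survives a missing \objclass).
        "objdata_equation": any(b"Equation." in blob for blob in objdata_blobs(rtf)),
        # Object set to update/load without user interaction.
        "objupdate": b"\\objupdate" in rtf,
        "object_count": len(re.findall(rb"\\object\b", rtf)),
    }
    findings["suspicious"] = findings["objclass_equation"] or findings["objdata_equation"]
    return findings


if __name__ == "__main__":
    for key, value in equation_editor_findings(SAMPLE_RTF).items():
        print(f"{key}: {value}")
```

Real lures often obfuscate control words and pad the hex, so treat this as a first-pass filter and hand suspicious files to a full RTF/OLE parser.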

However, because of an OpSec mistake, the attackers also infected their own development machine, which allowed Malwarebytes to learn some of the nuances of their tradecraft, including the use of a bilingual keyboard layout (English / Indian) on the host, as well as IP hiding through virtual machines and VPN services such as CyberGhost and VPN Secure.

“Despite the use of the same decoys and RATs, the group has shown interest in new types of victims,” concluded Malwarebytes. “This is the first time we've seen Patchwork targeting life science researchers.”

Translated from: BADNEWS! Patchwork APT Hackers Score Own Goal in Recent Malware Attacks