Indian APT exposes its Modus Operandi by infecting their own devices

The IT security researchers at Malwarebytes have published a report revealing details of an ironic incident involving Patchwork APT, an Indian threat actor who exposed their entire operation after infecting their devices with a variant of BADNEWS Remote Administration Trojan (RAT).

The RAT was intended to be used by the group against its adversaries. Instead, the incident allowed researchers to gather information about the new variant, how the group operates, and what its aims and targets are.

Ragnatela RAT and its capabilities

Dubbed Ragnatela, which means spider’s web in Italian, the RAT was developed and tested in November last year. According to the Malwarebytes Threat Intelligence Team, Ragnatela is capable of taking screenshots, logging keystrokes, collecting a list of files and running apps, uploading files, and dropping payloads on the targeted devices.

Information collected from infected devices

Beyond information on Patchwork APT’s modus operandi, the captured data revealed that the group uses VPN Secure and CyberGhost VPN to mask its IP address.

Furthermore, researchers were able to observe the threat actor using VirtualBox and VMware for testing and development of its malicious software.

Image: Capabilities of Ragnatela – The keyboard used by the main host shows dual layouts (English and Indian) – Image: Malwarebytes

Pakistani researchers under attack

For your information, Patchwork (aka Chinastrats and Dropping Elephant) is an advanced persistent threat (APT) group which has been active since December 2015. The group is known for targeting political and military targets, especially those in Pakistan.

However, the latest information collected by the Malwarebytes Threat Intelligence Team discloses that, for the very first time, the group employed malicious RTF files to carry out spear phishing attacks against faculty members in several Pakistani universities.

What’s worth noting is that these faculty members were involved in research related to biological science and molecular medicine rather than in the military or politics.

Image: One of the malicious documents used by the threat actor – Image: Malwarebytes

More bad news for Pakistan

In its report, Malwarebytes has confirmed that Patchwork successfully compromised users and faculty members in the following institutions:

  • SHU University, Molecular Medicine
  • National Defense University of Islamabad
  • Ministry of Defense, Government of Pakistan
  • International Center for Chemical and Biological Sciences
  • Faculty of Bio-Science, UVAS University, Lahore, Pakistan
  • HEJ Research Institute of Chemistry, International Center for Chemical and Biological Sciences, University of Karachi

“Thanks to data captured by the threat actor’s own malware, we were able to get a better understanding of who sits behind the keyboard. The group makes use of virtual machines and VPNs to both develop, push updates and check on their victims. Patchwork, like some other East Asian APTs, is not as sophisticated as their Russian and North Korean counterparts,” said the Malwarebytes Threat Intelligence Team.