The threat landscape is dangerous, now more than ever. However, sometimes they also make hilarious mistakes that hugely benefit the cybersecurity industry. One such mistake was most recently made by an Indian APT group that infected itself with its own malware, providing researchers the opportunity to glean details of the group’s operations.
Diving into details
Patchwork APT has been active since December 2015 and primarily targets Pakistan via spear-phishing attacks. During its latest campaign, from November to December 2021, the group used malicious RTF documents, pretending to be from Pakistani officials, to deploy a new strain of the BADNEWS RAT, also known as Ragnatela. However, Malwarebytes Labs discovered that the threat actor infected itself with the malware, leading to captured keystrokes and screenshots of their own systems and virtual machines.
What this implies
Researchers monitored the cyberspies using VirtualBox and VMware for web development and testing on computers with dual keyboards - Indian and English. These observations revealed that Patchwork infected Pakistan’s Ministry of Defense and faculty members from biological science and molecular medicine departments from various universities. The researchers, moreover, found that the gang uses virtual machines and VPNs to develop, check on victims, and push updates. Nevertheless, the group is not as sophisticated as other APT groups from North Korea and Russia.
Ragnatela means spider web in Italian and was first developed and tested in November 2021. The same month, the attackers tested the side-loading in a typical victim system.. Ragnatela can capture screenshots, pilfer a list of files, log keystrokes, and upload files, drop payloads, and run apps in victim devices.
The bottom line
Although Patchwork APT is not as advanced compared to its counterparts, the recent developments indicate that the group is moving on to different targets. This is the first time that the group has targeted molecular medicine and biological science researchers. Be that as it may, the data gained as a result of the group infecting itself has unveiled several details, providing an idea of its operators. This information can be used by security researchers to stay safe from such attacks.