Malwarebytes researchers have detailed an Indian hacking group named Patchwork after the group infected its own system during one of its operations.
From that, the researchers were able to capture the group's keystrokes, hacking tactics, and details of its VPN usage and unmasked IP addresses. Patchwork has been seen targeting Pakistani government entities working on molecular medicine and biological science, using an updated version of the BADNEWS malware.
While it is common for amateur hackers to expose their tricks unknowingly, state-backed hacking groups rarely do so, as they specialize in concealing their work. Yet they still leave snippets here and there that let researchers trace them. And then there are hacking groups like Patchwork, which exposed itself completely through a blunder.
As revealed by the Malwarebytes researchers, the Indian-origin hacking group called Patchwork exposed itself while pursuing Pakistani government entities. Patchwork is said to have been in operation since 2015 and is tracked as Dropping Elephant and Chinastrats by Kaspersky, Quilted Tiger by CrowdStrike, Monsoon by Forcepoint, Zinc Emerson, TG-4410 by SecureWorks, and APT-C-09 by Qihoo 360.
The Patchwork team received its name because the group's malware tools are mostly copy-pasted from publicly available sources. The group uses phishing emails as its initial vector, and drops QuasarRAT and a backdoor named BADNEWS on victims' systems.
In a renewed campaign that started in November 2021, Patchwork began targeting Pakistani entities and researchers working on molecular medicine and biological science, including Pakistan's Ministry of Defense, the National Defence University of Islamabad, the Faculty of Bio-Sciences at UVAS Lahore, the International Center for Chemical and Biological Sciences (ICCBS), the H.E.J. Research Institute of Chemistry, and Salim Habib University (SBU).
This is done in the name of the Pakistan Defence Officers Housing Authority (DHA), by sending a malicious document that exploits Microsoft Equation Editor to trigger the Ragnatela payload on the victim's computer.
Ragnatela is an updated version of the BADNEWS trojan, which lets the attackers execute arbitrary commands, capture screenshots and keystrokes, and execute files and additional malware.
Malwarebytes researchers said that, in an operational failure, the Patchwork gang infected its own systems, exposing the hacking group's tactics, which include the use of virtual machines, dual keyboard layouts (English and Indian), and IP addresses from VPN services such as VPN Secure and CyberGhost.