Security News > 2022 > January > BADNEWS! Patchwork APT Hackers Score Own Goal in Recent Malware Attacks
Threat hunters have shed light on the tactics, techniques, and procedures embraced by an Indian-origin hacking group called Patchwork as part of a renewed campaign that commenced in late November 2021, targeting Pakistani government entities and individuals with a research focus on molecular medicine and biological science.
"Ironically, all the information we gathered was possible thanks to the threat actor infecting themselves with their own , resulting in captured keystrokes and screenshots of their own computer and virtual machines," Malwarebytes Threat Intelligence Team said in a report published on Friday.
"The code used by this threat actor is copy-pasted from various online forums, in a way that reminds us of a patchwork quilt," researchers from the now-defunct Israeli cybersecurity startup Cymmetria noted in its findings published in July 2016.
Over the years, successive covert operations staged by the actor have attempted to drop and execute QuasarRAT as well as an implant named BADNEWS that acts as a backdoor for the attackers, providing them with full control over the victim machine.
The latest campaign is no different in that the adversary lures potential targets with RTF documents impersonating Pakistani authorities that ultimately act as a conduit for deploying a new variant of the BADNEWS trojan called Ragnatela - meaning "Spider web" in Italian - enabling the operators to execute arbitrary commands, capture keystrokes and screenshots, list and upload files, and download additional malware.
The new lures, which purport to be from the Pakistan Defence Officers Housing Authority in Karachi, contains an exploit for Microsoft Equation Editor that's triggered to compromise the victim's computer and execute the Ragnatela payload. But in what's a case of OpSec failure, the threat actor also ended up infecting their own development machine with the RAT, as Malwarebytes was able to unmask a number of its tactics, including the use of dual keyboard layouts as well as the adoption of virtual machines and VPNs such as VPN Secure and CyberGhost to conceal their IP address.
News URL
https://thehackernews.com/2022/01/badnews-patchwork-apt-hackers-score-own.html
Related news
- Chinese FamousSparrow hackers deploy upgraded malware in attacks (source)
- Hackers Abuse Russian Bulletproof Host Proton66 for Global Attacks and Malware Delivery (source)
- New ‘Rules File Backdoor’ Attack Lets Hackers Inject Malicious Code via AI Code Editors (source)
- TechRepublic EXCLUSIVE: New Ransomware Attacks are Getting More Personal as Hackers ‘Apply Psychological Pressure” (source)
- China-Linked APT Aquatic Panda: 10-Month Campaign, 7 Global Targets, 5 Malware Families (source)
- ⚡ THN Weekly Recap: GitHub Supply Chain Attack, AI Malware, BYOVD Tactics, and More (source)
- Hackers Repurpose RansomHub's EDRKillShifter in Medusa, BianLian, and Play Attacks (source)
- North Korean hackers adopt ClickFix attacks to target crypto firms (source)
- Open-source malware doubles, data exfiltration attacks dominate (source)
- Microsoft Warns of Tax-Themed Email Attacks Using PDFs and QR Codes to Deliver Malware (source)