Patchwork, a threat actor based in India, accidentally infected itself with its own Remote Administration Trojan (RAT). The ironic incident was discovered by Malwarebytes, who took the opportunity to better understand how Patchwork uses RTF files to distribute the BADNEWS RAT (Ragnatela).
“Ironically, all of the information we gathered was made possible by the threat actor becoming infected with his own RAT, resulting in keystrokes and screenshots being captured from his own computer and its virtual machines,” explained Malwarebytes.
In a recent attack, Patchwork sent malicious documents purporting to come from Pakistani authorities. The documents were delivered as e-mail attachments that appeared legitimate and important. In reality, the files contained an exploit that can compromise a computer and then run the RAT.
The following organizations have been successfully compromised by Patchwork’s efforts, according to Malwarebytes:
- Ministry of Defense – Government of Pakistan
- Abad University of National Defense of Islam
- Faculty of Biological Sciences, UVAS University, Lahore, Pakistan
- International Center for Chemical and Biological Sciences
- HEJ Chemical Research Institute, International Center for Chemical and Biological Sciences, University of Karachi
- SHU University, Molecular Medicine
Because Patchwork infected itself with its own RAT, Malwarebytes gained access to quite a bit of information. Malwarebytes could see that Patchwork uses VirtualBox and VMware for development. The security company also determined that Patchwork uses Secure VPN and CyberGhost to mask its IP address.
Comically, Malwarebytes was also able to determine the local weather forecast for the Patchwork machines. “Another piece of information that can be obtained is that the weather at the time was cloudy with 19 degrees and they have not yet updated their Java.”
Malwarebytes notes that Patchwork is not as sophisticated as similar attackers in Russia and North Korea.