Indian hackers target Pakistani Strategic Organizations

[Bratva]

Patchwork APT caught in its own web
Posted: January 7, 2022 by Threat Intelligence Team

Patchwork is an Indian threat actor that has been active since December 2015 and usually targets Pakistan via spear phishing attacks. In its most recent campaign from late November to early December 2021, Patchwork has used malicious RTF files to drop a variant of the BADNEWS (Ragnatela) Remote Administration Trojan (RAT).

What is interesting among victims of this latest campaign, is that the actor has for the first time targeted several faculty members whose research focus is on molecular medicine and biological science.

Instead of focusing entirely on victimology, we decided to shade some light on this APT. Ironically, all the information we gathered was possible thanks to the threat actor infecting themselves with their own RAT, resulting in captured keystrokes and screenshots of their own computer and virtual machines.

Ragnatela
We identified what we believe is a new variant of the BADNEWS RAT called Ragnatela being distributed via spear phishing emails to targets of interest in Pakistan. Ragnatela, which means spider web in Italian, is also the project name and panel used by Patchwork APT.


Figure 1: Patchwork’s Ragnatela panel
Ragnatela RAT was built sometime in late November as seen in its Program Database (PDB) path “E:\new_ops\jlitest __change_ops -29no – Copy\Release\jlitest.pdb”. It features the following capabilities:

• Executing commands via cmd
• Capturing screenshots
• Logging Keystrokes
• Collecting list of all the files in victim’s machine
• Collecting list of the running applications in the victim’s machine at a specific time periods
• Downing addition payloads
• Uploading files

Figure 2: Ragnatela commands

In order to distribute the RAT onto victims, Patchwork lures them with documents impersonating Pakistani authorities. For example, a document called EOIForm.rtf was uploaded by the threat actor onto their own server at karachidha[.]org/docs/.


Figure 3: Threat actor is logged into their web control panel

That file contains an exploit (Microsoft Equation Editor) which is meant to compromise the victim’s computer and execute the final payload (RAT).


Figure 4: Malicious document triggers exploit

That payload is stored within the RTF document as an OLE object. We can deduce the file was created on December 9 2021 based on the source path information.

Figure 5: OLE object containing RAT

Ragnatela RAT communicates with the attacker’s infrastructure via a server located at bgre.kozow[.]com. Prior to launching this campaign (in late November), the threat actor tested that their server was up and running properly.


Figure 6: Log of threat actor typing a ping command

The RAT (jli.dll) was also tested in late November before its final compilation on 2021-12-09, along with MicroScMgmt.exe used to side-load it.


Figure 7: DLL for the RAT being compiled

Also in late November, we can see the threat actor testing the side-loading in a typical victim machine.


Figure 8: Threat actor tests RAT

Victims and victim

We were able to gain visibility on the victims that were successfully compromised:

• Ministry of Defense- Government of Pakistan
• National Defense University of Islam Abad
• Faculty of Bio-Science, UVAS University, Lahore, Pakistan
• International center for chemical and biological sciences
• HEJ Research institute of chemistry, International center for chemical and biological sciences, univeristy of Karachi
• SHU University, Molecular medicine

Another – unintentional – victim is the threat actor himself which appears to have infected is own development machine with the RAT. We can see them running both VirtualBox and VMware to do web development and testing. Their main host has dual keyboard layouts (English and Indian).

Figure 9: Virtual machine running on top of threat actor’s main computer

Other information that can be obtained is that the weather at the time was cloudy with 19 degrees and that they haven’t updated their Java yet. On a more serious note, the threat actor uses VPN Secure and CyberGhost to mask their IP address.

Figure 10: Threat actor uses VPN-S

Under the VPN they log into their victim’s email and other accounts stolen by the RAT.



Figure 11: Threat actor logs into his victim’s email using CyberGhost VPN

Conclusion

This blog gave an overview of the latest campaign from the Patchwork APT. While they continue to use the same lures and RAT, the group has shown interest in a new kind of target. Indeed this is the first time we have observed Patchwork targeting molecular medicine and biological science researchers.
Thanks to data captured by the threat actor’s own malware, we were able to get a better understanding about who sits behind the keyboard. The group makes use of virtual machines and VPNs to both develop, push updates and check on their victims. Patchwork, like some other East Asian APTs is not as sophisticated as their Russian and North Korean counterparts.

Indicators of Compromise
Lure
karachidha[.]org/docs/EOIForm.rtf
5b5b1608e6736c7759b1ecf61e756794cf9ef3bb4752c315527bcc675480b6c6
RAT
jli.dll
3d3598d32a75fd80c9ba965f000639024e4ea1363188f44c5d3d6d6718aaa1a3
C2
bgre[.]kozow[.]com

Patchwork APT caught in its own web

Patchwork is an Indian threat actor that has been active since December 2015 and usually targets Pakistan via spear phishing attacks….

blog.malwarebytes.com

 

[ARMalik]

Well I started a thread in November last year, which no one seems to be interested in since they are too busy eating their halva puri. The link is below. The Chinese have been keeping an eye on this group since 2017.

==================================

Exclusive: New hacker group from India exposed, targeting defense units in China, Pakistan

https://www.globaltimes.cn/page/202111/1239441.shtml Exclusive: New hacker group from India exposed, targeting defense units in China, Pakistan A new report published by Antiy Labs, one of China's renowned cybersecurity companies, disclosed an active hacker team whose members are based in...

defence.pk

Exclusive: New hacker group from India exposed, targeting defense units in China, Pakistan

A new report published by Antiy Labs, one of China's renowned cybersecurity companies, disclosed an active hacker team whose members are based in Delhi and has been launching cyberattacks against government agencies and defense departments in China and Pakistan.

The report conducted a comprehensive analysis of the cyberattacks launched by the organization called You Xiang (baby elephant in English) in South Asia, revealing its target, technology and equipment, and exposing the attackers who wear "invisible clothes" and hide behind screens.

The company's vice chief engineer, Li Bosong, told the Global Times on Friday that they first detected "baby elephant" activities in 2017, when a number of large-scale targeted cyberattacks on the government, military and defense departments of South Asian countries were found.

According to the analysis of their activities, it was found that the group is suspected to be from India, and is not the same as another hacker group from India named "white elephant."

The organization had its own set of relatively independent attack resources and tools, but the attack capability was relatively primary at that time. It might be a newly established attack team with immature technical capabilities. "That's why we've named this new, advanced threat organization 'baby elephant,'" Li said.

Four years since, the "baby elephant" is on the rampage, expanding their targets. "Since 2017, the number of 'baby elephant' attacks has doubled each year, and the attack methods and resources have gradually become richer, and the target has started to cover more areas in South Asia," Li said. "In 2021, the group began targeted attacks on Chinese institutions for intelligence theft."

The attacks detected by Antiy Labs include setting up phishing websites, attacking mobile phones with malicious Android applications, and Trojans written in languages such as Python to steal various documents, browser cache passwords and other host system environment information from computers.

For example, the "baby elephant" used to disguise itself as the mail system of the Nepalese army, police, and government, including Nepal's Ministry of Foreign Affairs, the Ministry of National Defense, and the Prime Minister's office to launch targeted attacks to obtain email accounts to carry out subsequent attacks.

It also pretended to be a polling app for India-Nepal territorial disputes using malicious Android applications. After the victim installs and opens the malicious Android application, the application will ask for system permissions from users. If the permissions are granted, it will monitor the victim's mobile phone.

The highlight from the report is that the location of those hackers was exposed when the group uploaded their Trojan horses to public security resources to test the ability of the Trojan horses to escape anti-virus software. Resources retrieval showed at least one sample uploader was from Delhi, India. The hacker had uploaded eight test malicious files from November 23 to November 24, 2020. Those samples shared a high degree of similarity in code content with those from the "baby elephant."

Judging from previous activities, some hacking organizations from India are not very concealed. One is because of its imperfect attacking capability, but more importantly, it reflects the have-nothing-to-fear mindset of those attackers. The physical location of one attacker most likely represents the location of the entire hacking organization, Li said.

"Despite constantly diversifying attacking methods and more abundant functions of the malicious files, attacks could still be traced to the "baby elephant" based on its targets, tactics and decoys and Trojan homology," Li said.

The targets of the attacks overlap, such as those in Nepal, Pakistan, and Afghanistan. Techniques and tactics that they used are similar to the behavior of the "baby elephant" in the early stage, including malicious shortcuts, malicious HTA scripts and Python Trojan horses, according to Li.

Li also pointed out the similarity of their domain names, which all tend to imitate the official domain names of government organs and state-owned enterprises in Pakistan, Nepal and Sri Lanka. They also tended to adopt the dynamic domain names under the US network service provider No-IP, such as hopto.org and myftp.org.

Multiple signs showed that the "baby elephant" has already become one of the most active and mature cyberattack organizations that threaten the cybersecurity of South Asia and Asia-Pacific.

It is also likely to become the main attack group in South Asia in the future, Li said, calling for attention to be paid on the "baby elephant."

Victim countries attacked by the "baby elephant" are usually weak economically, in digital maintenance and cybersecurity capabilities. But like any other country, they enjoy the right to defend their sovereignty, security and interests, Li pointed out.

In a previous interview, Antiy Labs told the Global Times that since March, they have detected several phishing activities targeting government, defense and military units, as well as state-owned enterprises in China, Pakistan, and Nepal. The organization behind the attacks is from India and its activities can be traced to as early as April 2019.

More first-hand materials the Global Times obtained from several of China's leading cybersecurity companies have further revealed a sophisticated network: top hackers from South Asia, mainly from India, have constantly attacked defense and military units as well as state-owned enterprises in China, Nepal and Pakistan in the past few years, and such attacks are on the rise under new disguises of international trending topics.

 

[TheSnakeEatingMarkhur]

Patchwork APT caught in its own web
Posted: January 7, 2022 by Threat Intelligence Team

Patchwork is an Indian threat actor that has been active since December 2015 and usually targets Pakistan via spear phishing attacks. In its most recent campaign from late November to early December 2021, Patchwork has used malicious RTF files to drop a variant of the BADNEWS (Ragnatela) Remote Administration Trojan (RAT).

What is interesting among victims of this latest campaign, is that the actor has for the first time targeted several faculty members whose research focus is on molecular medicine and biological science.

Instead of focusing entirely on victimology, we decided to shade some light on this APT. Ironically, all the information we gathered was possible thanks to the threat actor infecting themselves with their own RAT, resulting in captured keystrokes and screenshots of their own computer and virtual machines.

Ragnatela
We identified what we believe is a new variant of the BADNEWS RAT called Ragnatela being distributed via spear phishing emails to targets of interest in Pakistan. Ragnatela, which means spider web in Italian, is also the project name and panel used by Patchwork APT.


Figure 1: Patchwork’s Ragnatela panel
Ragnatela RAT was built sometime in late November as seen in its Program Database (PDB) path “E:\new_ops\jlitest __change_ops -29no – Copy\Release\jlitest.pdb”. It features the following capabilities:

• Executing commands via cmd
• Capturing screenshots
• Logging Keystrokes
• Collecting list of all the files in victim’s machine
• Collecting list of the running applications in the victim’s machine at a specific time periods
• Downing addition payloads
• Uploading files

Figure 2: Ragnatela commands

In order to distribute the RAT onto victims, Patchwork lures them with documents impersonating Pakistani authorities. For example, a document called EOIForm.rtf was uploaded by the threat actor onto their own server at karachidha[.]org/docs/.


Figure 3: Threat actor is logged into their web control panel

That file contains an exploit (Microsoft Equation Editor) which is meant to compromise the victim’s computer and execute the final payload (RAT).


Figure 4: Malicious document triggers exploit

That payload is stored within the RTF document as an OLE object. We can deduce the file was created on December 9 2021 based on the source path information.

Figure 5: OLE object containing RAT

Ragnatela RAT communicates with the attacker’s infrastructure via a server located at bgre.kozow[.]com. Prior to launching this campaign (in late November), the threat actor tested that their server was up and running properly.


Figure 6: Log of threat actor typing a ping command

The RAT (jli.dll) was also tested in late November before its final compilation on 2021-12-09, along with MicroScMgmt.exe used to side-load it.


Figure 7: DLL for the RAT being compiled

Also in late November, we can see the threat actor testing the side-loading in a typical victim machine.


Figure 8: Threat actor tests RAT

Victims and victim

We were able to gain visibility on the victims that were successfully compromised:

• Ministry of Defense- Government of Pakistan
• National Defense University of Islam Abad
• Faculty of Bio-Science, UVAS University, Lahore, Pakistan
• International center for chemical and biological sciences
• HEJ Research institute of chemistry, International center for chemical and biological sciences, univeristy of Karachi
• SHU University, Molecular medicine

Another – unintentional – victim is the threat actor himself which appears to have infected is own development machine with the RAT. We can see them running both VirtualBox and VMware to do web development and testing. Their main host has dual keyboard layouts (English and Indian).

Figure 9: Virtual machine running on top of threat actor’s main computer

Other information that can be obtained is that the weather at the time was cloudy with 19 degrees and that they haven’t updated their Java yet. On a more serious note, the threat actor uses VPN Secure and CyberGhost to mask their IP address.

Figure 10: Threat actor uses VPN-S

Under the VPN they log into their victim’s email and other accounts stolen by the RAT.



Figure 11: Threat actor logs into his victim’s email using CyberGhost VPN

Conclusion

This blog gave an overview of the latest campaign from the Patchwork APT. While they continue to use the same lures and RAT, the group has shown interest in a new kind of target. Indeed this is the first time we have observed Patchwork targeting molecular medicine and biological science researchers.
Thanks to data captured by the threat actor’s own malware, we were able to get a better understanding about who sits behind the keyboard. The group makes use of virtual machines and VPNs to both develop, push updates and check on their victims. Patchwork, like some other East Asian APTs is not as sophisticated as their Russian and North Korean counterparts.

Indicators of Compromise
Lure
karachidha[.]org/docs/EOIForm.rtf
5b5b1608e6736c7759b1ecf61e756794cf9ef3bb4752c315527bcc675480b6c6
RAT
jli.dll
3d3598d32a75fd80c9ba965f000639024e4ea1363188f44c5d3d6d6718aaa1a3
C2
bgre[.]kozow[.]com

Patchwork APT caught in its own web

Patchwork is an Indian threat actor that has been active since December 2015 and usually targets Pakistan via spear phishing attacks….

blog.malwarebytes.com

Why can't we build a group like Unit 8200 or atleast something on that level ? It's not hard to spot talent and then nurture it.

Secondly Pakistan needs to train all govt workers regarding these threats.

And indians are using off the shelf software but those software can only be acquired either by state or people with links to black market so why can't we do the same ?

 

[One_Nation]

Indian IT at work. Scammers fraudsters from India ahould be taken as a serious global threat.

 

[TheSolution]

Why can't we build a group like Unit 8200 or atleast something on that level ? It's not hard to spot talent and then nurture it.

Secondly Pakistan needs to train all govt workers regarding these threats.

And indians are using off the shelf software but those software can only be acquired either by state or people with links to black market so why can't we do the same ?

I think we did open a cyber security academy a year ago didn't we?

Loading...

 

[Pak Nationalist]

Well I started a thread in November last year, which no one seems to be interested in since they are too busy eating their halva puri. The link is below. The Chinese have been keeping an eye on this group since 2017.

==================================

Exclusive: New hacker group from India exposed, targeting defense units in China, Pakistan

https://www.globaltimes.cn/page/202111/1239441.shtml Exclusive: New hacker group from India exposed, targeting defense units in China, Pakistan A new report published by Antiy Labs, one of China's renowned cybersecurity companies, disclosed an active hacker team whose members are based in...

defence.pk

Exclusive: New hacker group from India exposed, targeting defense units in China, Pakistan

A new report published by Antiy Labs, one of China's renowned cybersecurity companies, disclosed an active hacker team whose members are based in Delhi and has been launching cyberattacks against government agencies and defense departments in China and Pakistan.

The report conducted a comprehensive analysis of the cyberattacks launched by the organization called You Xiang (baby elephant in English) in South Asia, revealing its target, technology and equipment, and exposing the attackers who wear "invisible clothes" and hide behind screens.

The company's vice chief engineer, Li Bosong, told the Global Times on Friday that they first detected "baby elephant" activities in 2017, when a number of large-scale targeted cyberattacks on the government, military and defense departments of South Asian countries were found.

According to the analysis of their activities, it was found that the group is suspected to be from India, and is not the same as another hacker group from India named "white elephant."

The organization had its own set of relatively independent attack resources and tools, but the attack capability was relatively primary at that time. It might be a newly established attack team with immature technical capabilities. "That's why we've named this new, advanced threat organization 'baby elephant,'" Li said.

Four years since, the "baby elephant" is on the rampage, expanding their targets. "Since 2017, the number of 'baby elephant' attacks has doubled each year, and the attack methods and resources have gradually become richer, and the target has started to cover more areas in South Asia," Li said. "In 2021, the group began targeted attacks on Chinese institutions for intelligence theft."

The attacks detected by Antiy Labs include setting up phishing websites, attacking mobile phones with malicious Android applications, and Trojans written in languages such as Python to steal various documents, browser cache passwords and other host system environment information from computers.

For example, the "baby elephant" used to disguise itself as the mail system of the Nepalese army, police, and government, including Nepal's Ministry of Foreign Affairs, the Ministry of National Defense, and the Prime Minister's office to launch targeted attacks to obtain email accounts to carry out subsequent attacks.

It also pretended to be a polling app for India-Nepal territorial disputes using malicious Android applications. After the victim installs and opens the malicious Android application, the application will ask for system permissions from users. If the permissions are granted, it will monitor the victim's mobile phone.

The highlight from the report is that the location of those hackers was exposed when the group uploaded their Trojan horses to public security resources to test the ability of the Trojan horses to escape anti-virus software. Resources retrieval showed at least one sample uploader was from Delhi, India. The hacker had uploaded eight test malicious files from November 23 to November 24, 2020. Those samples shared a high degree of similarity in code content with those from the "baby elephant."

Judging from previous activities, some hacking organizations from India are not very concealed. One is because of its imperfect attacking capability, but more importantly, it reflects the have-nothing-to-fear mindset of those attackers. The physical location of one attacker most likely represents the location of the entire hacking organization, Li said.

"Despite constantly diversifying attacking methods and more abundant functions of the malicious files, attacks could still be traced to the "baby elephant" based on its targets, tactics and decoys and Trojan homology," Li said.

The targets of the attacks overlap, such as those in Nepal, Pakistan, and Afghanistan. Techniques and tactics that they used are similar to the behavior of the "baby elephant" in the early stage, including malicious shortcuts, malicious HTA scripts and Python Trojan horses, according to Li.

Li also pointed out the similarity of their domain names, which all tend to imitate the official domain names of government organs and state-owned enterprises in Pakistan, Nepal and Sri Lanka. They also tended to adopt the dynamic domain names under the US network service provider No-IP, such as hopto.org and myftp.org.

Multiple signs showed that the "baby elephant" has already become one of the most active and mature cyberattack organizations that threaten the cybersecurity of South Asia and Asia-Pacific.

It is also likely to become the main attack group in South Asia in the future, Li said, calling for attention to be paid on the "baby elephant."

Victim countries attacked by the "baby elephant" are usually weak economically, in digital maintenance and cybersecurity capabilities. But like any other country, they enjoy the right to defend their sovereignty, security and interests, Li pointed out.

In a previous interview, Antiy Labs told the Global Times that since March, they have detected several phishing activities targeting government, defense and military units, as well as state-owned enterprises in China, Pakistan, and Nepal. The organization behind the attacks is from India and its activities can be traced to as early as April 2019.

More first-hand materials the Global Times obtained from several of China's leading cybersecurity companies have further revealed a sophisticated network: top hackers from South Asia, mainly from India, have constantly attacked defense and military units as well as state-owned enterprises in China, Nepal and Pakistan in the past few years, and such attacks are on the rise under new disguises of international trending topics.

One word, impunity. Yet to find any evidence of Pakistani state-backed groups doing the same to our foes. This here is the extension of the game of intelligence. Our intelligence agencies should move on from honey traps into the 21st-century stuff, perhaps. Having access to information from a single source is less effective than compromising an entire network and making it volunteer information.

 

[arjunk]

Why can't we build a group like Unit 8200 or atleast something on that level ? It's not hard to spot talent and then nurture it.

Because many old people in charge do not want to give young people positions of power. They also have a superiority complex and think young people are less capable because of their age.

And indians are using off the shelf software but those software can only be acquired either by state or people with links to black market so why can't we do the same ?

I would use this type of software often but PTA has blocked VPN, making it very easy to trace the attacker. This deters a lot of people from getting into this sort of stuff. Meanwhile Indians on twitter who hack Pakistani orgs get recruited by the government:

 

[TheSolution]

Because many old people in charge do not want to give young people positions of power. They also have a superiority complex and think young people are less capable because of their age.

Ignorant, I know young people who could probably do more damage electronically than what Pakistan seems to be doing. (unless they are just doing so good, no one has caught them)

Remember the kid who managed to phish Elon Musk's, Bill Gates', etc, Twitter accounts? There's a whole underground group of them, and that wasn't his first rodeo either, he just took it too far once he went with high profile individuals. It initially started with stealing high-value Twitter usernames and selling them.

 

[Rafi]

Everyone is doing this, spying on friends and enemies alike...............nuff said.

 

[S A L M A N.]

In the cyber domain at least, Pakistan is entirely at the mercy of its enemies. I have no doubt in my mind that a large number of our communication networks and machines in the govt, armed forces and other sensitive institutions are compromised. And I haven't even included the private sector (cellular companies, ISPs, banks, e-commerce companies).
The reason why we have remained safe from some big conflagration is more because our enemy had lacked the political will and institutionalization/organizational wherewithal to accomplish this rather than our own 'professionalism' or 'impregnable defence'.
But we must realize that the capabilities of our enemies are improving at an alarming pace and that the probability of remaining safe in the cyber domain is degrading.

 

[TheSolution]

In the cyber domain at least, Pakistan is entirely at the mercy of its enemies. I have no doubt in my mind that a large number of our communication networks and machines in the govt, armed forces and other sensitive institutions are compromised. And I haven't even included the private sector (cellular companies, ISPs, banks, e-commerce companies).
The reason why we have remained safe from some big conflagration is more because our enemy had lacked the political will and institutionalization/organizational wherewithal to accomplish this rather than our own 'professionalism' or 'impregnable defence'.
But we must realize that the capabilities of our enemies are improving at an alarming pace and that the probability of remaining safe in the cyber domain is degrading.

Agreed, but I feel there may be a small possibility that we have deals signed with Chinese cyber security companies for some degree of protection. Like the article shared earlier clearly states the Chinese came to a conclusion that both Pakistan and China were both under a cyber threat directly from India, so it's likely some discussion was had between both sides. I'd like to believe we aren't this naive, but it's hard to tell.

This could have possibly led to this: https://startuppakistan.com.pk/pakistan-introduces-its-first-ever-national-cyber-security-academy/

I do believe we are compromised though, Indians likely have American and Israeli help...

 

[pakpride00090]

Can any computer literate guy please explain this like I am a 5 year old ?

 

[SQ8]

There are “khoofia” programs running independently within Pakistani agencies but no concepts of cybersecurity are truly being practiced. The really sensitive ares are completely air gapped - that is the end of any hacking discussion on them but there is still plenty’s of critical infrastructure and proverbial dadoos in the Pakistani state whose IT security is passwords like Lahore123z

 

[TheSolution]

Can any computer literate guy please explain this like I am a 5 year old ?

Indian hackers are sending (fake) e-mails which look real, and contain viruses that allow them to monitor everything on the person's computer, to Pakistani organisations.

The screenshots are the Indian's computer screen because he supposedly infected himself too.

 

[TheSnakeEatingMarkhur]

I think we did open a cyber security academy a year ago didn't we?

Loading...

Are they getting uni and onward students or kids from school.

Because many old people in charge do not want to give young people positions of power. They also have a superiority complex and think young people are less capable because of their age.


I would use this type of software often but PTA has blocked VPN, making it very easy to trace the attacker. This deters a lot of people from getting into this sort of stuff. Meanwhile Indians on twitter who hack Pakistani orgs get recruited by the government:
View attachment 807949

This guy was a joke running after clout all of his assets were caught and he has been inactive since. Posted only once after that