Indian APT exposes its Modus Operandi by infecting their own devices

The IT security researchers at Malwarebytes have published a report revealing details of an ironic incident involving Patchwork APT, an Indian threat actor who exposed their entire operation after infecting their devices with a variant of BADNEWS Remote Administration Trojan (RAT).

The RAT was intended to be used by the group against its targets. However, the self-infection allowed researchers to gather information about the new variant, how the group operates, and what its aims and targets are.

Ragnatela RAT and its capabilities

Dubbed Ragnatela, which means spider’s web in Italian, the RAT was developed and tested in November last year. According to the Malwarebytes Threat Intelligence Team, Ragnatela is capable of taking screenshots, logging keystrokes, collecting a list of files and running apps, uploading files, and dropping payloads on the targeted devices.

Information collected from infected devices

Beyond collecting information on Patchwork APT’s Modus Operandi, researchers found that the group uses VPN Secure and CyberGhost VPN to mask its IP address.

Furthermore, researchers observed the threat actor using VirtualBox and VMware for testing and development of its malicious software.

Capabilities of Ragnatela – The keyboard used by the main host shows
