The Ragnatela RAT is a new Remote Access Trojan with advanced capabilities. After analyzing the threat, infosec researchers determined that it is a new variant based on the previously known BADNEWS RAT. Ragnatela is equipped with a wide range of intrusive capabilities that let the attackers carry out cyber-espionage schemes or escalate the attack to suit their current objectives. The RAT can establish keylogging and screen-capture routines, execute arbitrary commands on the system, select specific files and transmit them to the attackers, fetch and launch additional threatening payloads, and more.
Ragnatela and PatchWork
The Ragnatela RAT has been observed in, and attributed to, the attack operations carried out by the established APT group PatchWork. The threat was hidden in and deployed through weaponized RTF documents that served as a lure for the targeted victims by posing as documents associated with the Pakistani authorities.
The PatchWork hackers are believed to have ties to India and are typically involved in data theft and cyber-espionage operations. The infosec community also tracks this group under the names Dropping Elephant, Chinastrats and Quilted Tiger. Their campaign took place between November and December 2021 and was uncovered by infosec experts solely because of the Ragnatela RAT.
The hackers failed to protect their own computers sufficiently and infected themselves with the RAT accidentally. This incident reinforces the argument that East Asian APTs are operating at a less sophisticated level than their counterparts from Russia or North Korea.
Victims and Past Attacks
During the Ragnatela operation, PatchWork was able to compromise several high-profile targets. It infected Pakistan's Ministry of Defense, as well as several faculty members of different universities working in the molecular medicine and biological science fields. The victims were from UVAS University, SHU University, the Karachi HEJ Research Institute, and the National Defense University of Islamabad.
In the past, PatchWork has targeted entities from all across the globe. In March 2018, the group ran multiple spear-phishing campaigns against several US think tanks, while back in 2016 it went after employees of a European government organization. Also in 2018, PatchWork employed corrupted documents carrying the BADNEWS RAT against multiple targets in South Asia.