PatchWork Group accidentally infected its own systems with Ragnatela Trojan

Security researchers have noticed that an Indian cyber-espionage hack group known as PatchWork (or Dropping Elephant, Chinastrats, or Quilted Tiger) has infected its own systems with the Ragnatela Trojan.

Ang PatchWork group has been active since at least December 2015, and earlier experts have already noted that hackers use code copied from others.

During the latest PatchWork campaign, which ran from late November to early December 2021, Malwarebytes Labs observed that attackers used malicious RTF documents posing as Pakistani officials and infected their target systems with a new variant of BADNEWS RAT known as Ragnatela.

Ragnatela RAT is able to execute commands necessary for hackers, take screenshots, intercept keystrokes, collect confidential files and lists of running applications on the infected machine, deploy additional paylods and steal files.

Ironically, all the information that we were able to collect came from the fact that the attackers infected themselves with this RAT, as a result of which their keystrokes and screenshots were captured from their own computer and virtual machines.says Malwarebytes Labs.

Infected own systems with Ragnatela

After discovering that the PatchWork operators had infected their own systems with malware, the researchers were able to track them using VirtualBox and VMware and collect more data on APT activity. Observing the group’s operations, experts gathered information on the targets of hackers, including the Pakistani Ministry of Defense, as well as professors in molecular medicine and biological sciences at several universities (including Pakistan’s National Defense University, UVAS University Biology Department, Karachi University and SHU University).

The group uses virtual machines and VPNs to develop, send updates, and probe their victims. PatchWork, like other East Asian APTs, is not as difficult as their Russian and North Korean counterparts.the analysts conclude.

Let me remind you that recently we talked about another curious case when Conti ransomware fell victim to a data leak.

You may also be interested to read about Rook’s new ransomware is that based on Babuk source code.

Helga Smith

Kanunay kong interesado sa siyensya sa kompyuter, ilabi na ang seguridad sa datos ug ang tema, nga gitawag karon "siyensya sa datos", sukad pa sa akong pagkabatan-on. Sa wala pa mosulod sa Virus Removal team isip Editor-in-chief, Nagtrabaho ko isip eksperto sa cybersecurity sa daghang kompanya, lakip ang usa sa mga kontraktor sa Amazon. Laing kasinatian: Naa koy pagtudlo sa mga unibersidad sa Arden ug Reading.

Pagbilin ug Tubag

Kini nga site naggamit sa Akismet aron makunhuran ang spam. Hibal-i kung giunsa ang pagproseso sa data sa imong komento.

Balik sa ibabaw nga buton