PatchWork Group accidentally infected its own systems with Ragnatela Trojan

Security researchers have noticed that an Indian cyber-espionage hack group known as PatchWork (or Dropping Elephant, Chinastrats, or Quilted Tiger) has infected its own systems with the Ragnatela Trojan.

The PatchWork group has been active since at least December 2015, and earlier experts have already noted that hackers use code copied from others.

During the latest PatchWork campaign, which ran from late November to early December 2021, Malwarebytes Labs observed that attackers used malicious RTF documents posing as Pakistani officials and infected their target systems with a new variant of BADNEWS RAT known as Ragnatela.

Ragnatela RAT is able to execute commands necessary for hackers, take screenshots, intercept keystrokes, collect confidential files and lists of running applications on the infected machine, deploy additional paylods and steal files.

Ironically, all the information that we were able to collect came from the fact that the attackers infected themselves with this RAT, as a result of which their keystrokes and screenshots were captured from their own computer and virtual machines.says Malwarebytes Labs.

Infected own systems with Ragnatela

After discovering that the PatchWork operators had infected their own systems with malware, the researchers were able to track them using VirtualBox and VMware and collect more data on APT activity. Observing the group’s operations, experts gathered information on the targets of hackers, including the Pakistani Ministry of Defense, as well as professors in molecular medicine and biological sciences at several universities (including Pakistan’s National Defense University, UVAS University Biology Department, Karachi University and SHU University).

The group uses virtual machines and VPNs to develop, send updates, and probe their victims. PatchWork, like other East Asian APTs, is not as difficult as their Russian and North Korean counterparts.the analysts conclude.

Let me remind you that recently we talked about another curious case when Conti ransomware fell victim to a data leak.

You may also be interested to read about Rook’s new ransomware is that based on Babuk source code.

Helga Smith

Ég hafði alltaf áhuga á tölvunarfræði, sérstaklega gagnaöryggi og þemað, sem heitir nú á dögum "gagnafræði", síðan á unglingsárum mínum. Áður en þú kemur inn í teymið til að fjarlægja veirur sem aðalritstjóri, Ég starfaði sem sérfræðingur í netöryggi í nokkrum fyrirtækjum, þar á meðal einn af verktökum Amazon. Önnur upplifun: Ég hef kennt í Arden og Reading háskólunum.

Skildu eftir skilaboð

Þessi síða notar Akismet til að draga úr ruslpósti. Lærðu hvernig ummælagögnin þín eru unnin.

Aftur efst á hnappinn