PatchWork Group Accidentally Infected Its Own Systems with the Ragnatela Trojan

Security researchers have noticed that an Indian cyber-espionage hack group known as PatchWork (or Dropping Elephant, Chinastrats, or Quilted Tiger) has infected its own systems with the Ragnatela Trojan.

The PatchWork group has been active since at least December 2015, and experts have previously noted that the group reuses code copied from other actors.

During the latest PatchWork campaign, which ran from late November to early December 2021, Malwarebytes Labs observed that attackers used malicious RTF documents posing as Pakistani officials and infected their target systems with a new variant of BADNEWS RAT known as Ragnatela.

The Ragnatela RAT can execute commands on behalf of the operators, take screenshots, log keystrokes, collect sensitive files and the list of running applications on the infected machine, deploy additional payloads, and exfiltrate files.

"Ironically, all the information that we were able to collect came from the fact that the attackers infected themselves with this RAT, as a result of which their keystrokes and screenshots were captured from their own computer and virtual machines," says Malwarebytes Labs.

Infected Their Own Systems with Ragnatela

After discovering that the PatchWork operators had infected their own systems with the malware, the researchers were able to monitor their activity inside the VirtualBox and VMware virtual machines they worked in, and to collect more data on the APT's operations. By observing the group at work, the experts gathered information on the hackers' targets, including the Pakistani Ministry of Defense, as well as professors of molecular medicine and biological sciences at several universities (including Pakistan's National Defense University, the UVAS University Biology Department, Karachi University and SHU University).

"The group uses virtual machines and VPNs to develop, send updates, and probe their victims. PatchWork, like other East Asian APTs, is not as difficult as their Russian and North Korean counterparts," the analysts conclude.

Let me remind you that we recently covered another curious case, in which the Conti ransomware gang itself fell victim to a data leak.

You may also be interested to read about Rook, a new ransomware that is based on the Babuk source code.

Helga Smith

I have always been interested in computer science, especially computer security and the subject that is nowadays called "data science", since my early teens. Before joining the Virus Removal Team as editor-in-chief, I worked as a cyber-security expert at several companies, including one of Amazon's contractors. Another experience: I have taught at universities in Arden and Reading.
