PatchWork Group accidentally infected its own systems with Ragnatela Trojan

Security researchers have noticed that an Indian cyber-espionage group known as PatchWork (also tracked as Dropping Elephant, Chinastrats, or Quilted Tiger) has infected its own systems with the Ragnatela Trojan.

The PatchWork group has been active since at least December 2015, and experts have previously noted that the group reuses code copied from other actors.

During the latest PatchWork campaign, which ran from late November to early December 2021, Malwarebytes Labs observed that attackers used malicious RTF documents posing as Pakistani officials and infected their target systems with a new variant of BADNEWS RAT known as Ragnatela.

Ragnatela RAT is able to execute commands on behalf of its operators, take screenshots, intercept keystrokes, collect confidential files and lists of running applications on the infected machine, deploy additional payloads and steal files.

"Ironically, all the information that we were able to collect came from the fact that the attackers infected themselves with this RAT, as a result of which their keystrokes and screenshots were captured from their own computer and virtual machines," says Malwarebytes Labs.

Infected own systems with Ragnatela

After discovering that the PatchWork operators had infected their own systems with malware, the researchers were able to track them using VirtualBox and VMware and collect more data on APT activity. Observing the group’s operations, experts gathered information on the targets of hackers, including the Pakistani Ministry of Defense, as well as professors in molecular medicine and biological sciences at several universities (including Pakistan’s National Defense University, UVAS University Biology Department, Karachi University and SHU University).

"The group uses virtual machines and VPNs to develop, send updates, and probe their victims. PatchWork, like other East Asian APTs, is not as difficult as their Russian and North Korean counterparts," the analysts conclude.

Let me remind you that recently we talked about another curious case when Conti ransomware fell victim to a data leak.

You may also be interested to read about Rook's new ransomware, which is based on Babuk source code.

Helga Smith

I have been interested in computer science, especially data security and the subject known today as "data science", since my teenage years. Before joining the Virus Removal team as Editor-in-Chief, I worked as a cybersecurity specialist at several companies, including one of Amazon's contractors. Another experience: I have also taught at Arden University and the University of Reading.
