Hacking group accidentally infects itself with Remote Access Trojan horse

Oh dear. What a shame. Never mind.

Graham Cluley


Patchwork, an Indian hacking group also known by such bizarre names as Hangover Group, Dropping Elephant, Chinastrats, and Monsoon, has proven the old adage that to err is human, but to really cock things up you need to be a cybercriminal.

The hackers, who have become notorious for launching spear phishing attacks against Pakistani institutions, managed to infect themselves with their own Remote Access Trojan (RAT) in January, according to experts at Malwarebytes.

In a blog post, security researchers at Malwarebytes describe how they found a new variant of the BADNEWS RAT (which they dubbed Ragnatela) being delivered via spear phishing emails that pretended to come from the Pakistani authorities.

Malicious document

Investigations by the researchers uncovered that a number of Pakistani institutions had been successfully compromised by the RAT:

  • Ministry of Defense – Government of Pakistan
  • National Defense University of Islamabad
  • Faculty of Bio-Science, UVAS University, Lahore, Pakistan
  • International center for chemical and biological sciences
  • HEJ Research Institute of Chemistry, International Center for Chemical and Biological Sciences, University of Karachi
  • SHU University, Molecular medicine

However, it was also discovered that the hacking group had managed to infect its own development machine, and the RAT had captured the criminals’ own keystrokes alongside screenshots of their own computers.

Malwarebytes researchers were able to unearth that the hackers were running both VirtualBox and VMware on their computers, with both English and Indian keyboard layouts set up.

Furthermore, with some bemusement, the researchers found the Patchwork group’s computer was reporting the weather at the time to be “cloudy with 19 degrees and that they haven’t updated their Java yet.”

Tut tut. Surely every savvy cybercriminal should understand the importance of keeping up-to-date with their security patches?


All hope is not lost, however. It appears that the hackers use the VPNs CyberGhost and VPN Secure in an attempt to hide their IP address when logging into their victims’ email accounts. So at least they’re trying not to be entirely incompetent.

Malwarebytes says that this is the first time it has seen the Patchwork hacking group, which has been active since 2015, targeting molecular medicine and biological science researchers.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
