Patchwork, an Indian hacking group also known by such bizarre names as Hangover Group, Dropping Elephant, Chinastrats, and Monsoon, has proven the old adage that to err is human, but to really cock things up you need to be a cybercriminal.
The hackers, who have become notorious for launching spear phishing attacks against Pakistani institutions, managed to infect themselves with their own Remote Access Trojan (RAT) in January, according to experts at Malwarebytes.
In a blog post, security researchers at Malwarebytes describes how it found a new variant of the BADNEWS RAT (which it dubbed Ragnatela) being launched via spear phishing emails which pretended to come from the Pakistani authorities.
Investigations by the researchers uncovered that a number of Pakistani institutions had been successfully compromised by the RAT:
- Ministry of Defense – Government of Pakistan
- National Defense University of Islam Abad
- Faculty of Bio-Science, UVAS University, Lahore, Pakistan
- International center for chemical and biological sciences
- HEJ Research institute of chemistry, International center for chemical and biological sciences, univeristy of Karachi
- SHU University, Molecular medicine
However, it was also discovered that the hacking group had managed to also infect its own development machine, and the RAT had captured the criminals’ own keystrokes alongside screenshots of their own computers.
Malwarebytes researchers were able to unearth that the hackers were running both VirtualBox and VMware on their computers, with both English and Indian keyboard layouts setup.
Furthermore, with some bemusement, the researchers found the Patchwork group’s computer was reporting the weather at the time to be “cloudy with 19 degrees and that they haven’t updated their Java yet.”
Tut tut. Surely every savvy cybercriminal should understand the importance of keeping up-to-date with their security patches?
All hope is not lost, however. It appears that the hackers use the VPNs CyberGhost and VPN Secure in an attempt to hide their IP address when logging into their victims’ email accounts. So at least they’re trying to not be entirely incompetent.
Malwarebytes says that this is the first time it has seen the Patchwork hacking group, which has been active since 2015, targeting molecular medicine and biological science researchers.