Hacking group accidentally infects itself with Remote Access Trojan horse

Oh dear. What a shame. Never mind.

Graham Cluley
@gcluley


Patchwork, an Indian hacking group also known by such bizarre names as Hangover Group, Dropping Elephant, Chinastrats, and Monsoon, has proven the old adage that to err is human, but to really cock things up you need to be a cybercriminal.

The hackers, who have become notorious for launching spear phishing attacks against Pakistani institutions, managed to infect themselves with their own Remote Access Trojan (RAT) in January, according to experts at Malwarebytes.

In a blog post, security researchers at Malwarebytes describe how they found a new variant of the BADNEWS RAT (which they dubbed Ragnatela) being delivered via spear phishing emails which pretended to come from the Pakistani authorities.

Investigations by the researchers uncovered that a number of Pakistani institutions had been successfully compromised by the RAT:

  • Ministry of Defense – Government of Pakistan
  • National Defense University of Islamabad
  • Faculty of Bio-Science, UVAS University, Lahore, Pakistan
  • International Center for Chemical and Biological Sciences
  • HEJ Research Institute of Chemistry, International Center for Chemical and Biological Sciences, University of Karachi
  • SHU University, Molecular Medicine

However, it was also discovered that the hacking group had managed to infect its own development machine, and the RAT had captured the criminals’ own keystrokes alongside screenshots of their own computers.

Malwarebytes researchers were able to unearth that the hackers were running both VirtualBox and VMware on their computers, with both English and Indian keyboard layouts set up.

Furthermore, with some bemusement, the researchers found the Patchwork group’s computer was reporting the weather at the time to be “cloudy with 19 degrees and that they haven’t updated their Java yet.”

Tut tut. Surely every savvy cybercriminal should understand the importance of keeping up-to-date with their security patches?


All hope is not lost, however. It appears that the hackers use the VPNs CyberGhost and VPN Secure in an attempt to hide their IP address when logging into their victims’ email accounts. So at least they’re trying to not be entirely incompetent.

Malwarebytes says that this is the first time it has seen the Patchwork hacking group, which has been active since 2015, targeting molecular medicine and biological science researchers.

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.
