Indian cybercriminal group Patchwork (also known as Dropping Elephant and Chinastrats) accidentally infected one of its computers with its own malware during one of their malware campaigns. This allowed cybersecurity researchers to gain insight into their operations.
Patchwork has been active since at least 2015 and is known for attacking military and political figures around the world, with a particular focus on organizations in Pakistan. In November-December 2021, the group attacked the Ministry of Defense of Pakistan with a developed new variant of a remote access trojan (RAT) called Ragnatela. To distribute it, the attackers used phishing emails with malicious RTF files, allegedly sent by the Pakistani authorities.
Indian hackers accidentally infected their own computer with their own virus
Once in the system, Ragnatela allows attackers to gain remote access to the device, in particular, execute commands, list files on the system, list running applications, take screenshots, log keystrokes.
During the hacking campaign, the attackers successfully compromised the data of some users in the Ministry of Defense of Pakistan, but made a mistake and also infected their computer system with the new RAT, giving cybersecurity experts the opportunity to monitor them through their own software.
It’s ironic that all the information we’ve been able to collect comes from the fact that the attackers infected themselves with this RAT, resulting in their keystrokes and screenshots from their own computer and virtual machines being captured,” says Malwarebytes Labs.
The gang uses virtual machines and VPNs to develop, push updates, and check the systems of its victims. Patchwork, like some other East Asian APTs, is not as complex as their Russian and North Korean counterparts, the experts noted.