PatchWork APT Hackers Expose Their Systems through Ragnatela RAT
Advanced Persistent Threat (APT) groups are among the most dangerous cybercrime organizations. They usually have state-of-the-art malware at their disposal and rely on very advanced attack mechanics to penetrate their victims' systems without leaving any footprints behind. However, it seems that one of the APT groups active in recent months, PatchWork, made a huge mistake during its last attack.
The PatchWork APT hackers had been using a piece of malware known as the Ragnatela RAT. They deliver it to victims through malicious email attachments, and their final goal is to gain the ability to execute remote commands, steal files, and spy on their victims. However, for an unknown reason, the hackers also infected their own systems with the Ragnatela RAT. This might sound like a huge problem, but you should remember that all intelligence this Trojan gathers is sent to a command-and-control server.
Ragnatela RAT Logs Revealed PatchWork's Inner Workings
The server in question was compromised by security researchers, and this, in turn, allowed them to spy on the PatchWork hackers for an extended period of time. During this operation, security experts were able to gather a lot of information about PatchWork's attacks and the arsenal the group has at its disposal. This was achieved by obtaining screenshots, keylogger logs, files, documents, communications, and more. Such information is incredibly valuable for malware researchers, as it gives them an entirely new perspective on how APT groups operate.
In this scenario, it would appear that the PatchWork hackers from East Asia are not as advanced as other high-profile APT groups, such as those from North Korea and Russia. Regardless of the simpler operations that PatchWork runs, its targets are still very high-profile. The Ragnatela RAT campaign has infected systems belonging to the Pakistan Ministry of Defense, as well as those of various universities.