Oops: Cyberspies infect themselves with their own malware (Security News, January 2022)

An India-linked cyber-espionage group has accidentally exposed its operations to security researchers after infecting itself with its own custom remote access trojan.
During PatchWork's most recent campaign, between late November and early December 2021, Malwarebytes Labs observed the threat actors using malicious RTF documents impersonating Pakistani authorities to infect targets with a new variant of the BADNEWS RAT, known as Ragnatela.
The Ragnatela RAT allows the threat actors to execute commands, capture screenshots, log keystrokes, harvest sensitive files, list running applications, deploy additional payloads, and upload files.
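Since the initial access vector in this campaign was a malicious RTF lure, a quick triage check for the indicators that usually accompany weaponised RTF files (an embedded OLE object, a hex-encoded `\objdata` blob, and `\objupdate`, which forces the object to load when the document opens) is what a responder would want at hand. The script below is an added example, not code from Malwarebytes Labs or from the PatchWork campaign; the two RTF samples are constructed inline, and the indicator list is generic RTF triage, not a signature for Ragnatela specifically.

```python
import re

# Constructed sample: a minimal RTF carrying an auto-updating OLE object whose
# \objdata payload contains an OLE1 header followed by a compound-file magic.
# This is a hypothetical test input, not a real PatchWork lure.
SUSPICIOUS_RTF = (
    rb"{\rtf1\ansi"
    rb"{\object\objautlink\objupdate{\*\objclass Word.Document.8}"
    rb"{\*\objdata 0105000002000000d0cf11e0a1b11ae1}}"
    rb"\par Please review the attached notice.\par}"
)

# Constructed benign sample: plain text, no objects.
BENIGN_RTF = rb"{\rtf1\ansi\deff0 {\fonttbl{\f0 Arial;}}\f0 Hello.\par}"

OLE_COMPOUND_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Generic control-word indicators seen in weaponised RTF documents.
INDICATORS = {
    "embedded_ole_object": re.compile(rb"\\object\b"),
    "ole_object_data": re.compile(rb"\\\*\\objdata\b"),
    "auto_update_object": re.compile(rb"\\objupdate\b"),
}


def extract_objdata(data: bytes) -> list:
    """Decode every hex-encoded \\objdata blob into raw bytes."""
    blobs = []
    for m in re.finditer(rb"\\\*\\objdata\s*([0-9a-fA-F\s]+)", data):
        hexstr = re.sub(rb"\s+", b"", m.group(1))
        if len(hexstr) % 2:          # tolerate a truncated trailing nibble
            hexstr = hexstr[:-1]
        blobs.append(bytes.fromhex(hexstr.decode("ascii")))
    return blobs


def triage_rtf(data: bytes) -> dict:
    """Return which indicators fire and a coarse verdict for one RTF file."""
    # Word accepts "{\rt" as a header, so do not require the full "{\rtf1".
    if not data.lstrip().startswith(b"{\\rt"):
        return {"is_rtf": False, "hits": [], "objects": 0, "verdict": "not-rtf"}
    hits = [name for name, rx in INDICATORS.items() if rx.search(data)]
    blobs = extract_objdata(data)
    if any(OLE_COMPOUND_MAGIC in b for b in blobs):
        hits.append("compound_file_in_objdata")
    verdict = "suspicious" if {"embedded_ole_object", "ole_object_data"} & set(hits) else "clean"
    return {"is_rtf": True, "hits": hits, "objects": len(blobs), "verdict": verdict}


if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_RTF), ("benign", BENIGN_RTF)):
        print(label, triage_rtf(sample))
```

Embedded objects also occur in legitimate documents, so treat a "suspicious" verdict as a reason to detonate or inspect the decoded `\objdata` blobs (for example with an OLE parser) rather than as a conviction on its own.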
"Ironically, all the information we gathered was possible thanks to the threat actor infecting themselves with their own RAT, resulting in captured keystrokes and screenshots of their own computer and virtual machines," Malwarebytes Labs' Threat Intelligence Team explained.
"Thanks to data captured by the threat actor's own malware, we were able to get a better understanding about who sits behind the keyboard," Malwarebytes Labs added.
PatchWork operators previously targeted US think tanks in March 2018 in multiple spear-phishing campaigns that used the same tactic: malicious RTF files to compromise victims' systems, in that case delivering a QuasarRAT variant.