
In recent malware attacks, the Patchwork APT group has scored an own goal

Threat hunters have shed light on the tactics, techniques, and procedures (TTPs) used by Patchwork in a new and prolonged campaign that began in late November 2021 and targeted Pakistani government entities and individuals working in molecular medicine and biological science research.

Patchwork is a cyberespionage group first identified in December 2015. While the group’s identity has not been confirmed, circumstantial evidence points to a pro-Indian or India-based entity. Patchwork has been observed focusing on diplomatic and government institutions. The group copied and pasted much of its code from online forums. In March and April 2018, Patchwork was also detected conducting spear-phishing campaigns against US think tanks.

The notable victims are:

  • Pakistan’s Ministry of Defense
  • National Defence University of Islamabad
  • Faculty of Bio-Sciences at UVAS Lahore
  • International Center for Chemical and Biological Sciences (ICCBS)
  • H.E.J. Research Institute of Chemistry
  • Salim Habib University (SHU) 

“Ironically, all of the information we gathered was made possible by the threat actor infecting themselves with their own [remote access trojan], which resulted in captured keystrokes and screenshots of their own computer and virtual machines,” Malwarebytes Threat Intelligence Team wrote in a report released on Friday.

Malwarebytes has identified Ragnatela, a new variant of the BADNEWS malware. The RAT lets its operators execute arbitrary commands, log keystrokes, capture screenshots, browse and upload files, and download additional malware. The threat actor also used the RAT to infect their own development workstation.

The researchers found that while the group continues to use the same lures and RAT, it has shown interest in a new type of target. “This is the first time we’ve seen Patchwork target molecular medicine and biological science researchers,” the researchers said.
