A previously unknown threat actor dubbed NewsPenguin has been linked to a phishing campaign targeting Pakistani entities by leveraging the upcoming international maritime expo as a lure.
“The attacker sent out targeted phishing emails with a weaponized document attached that purports to be an exhibitor manual for PIMEC-23,” the BlackBerry Research and Intelligence Team said.
PIMEC, short for Pakistan International Maritime Expo and Conference, is an initiative of the Pakistan Navy and is organized by the Ministry of Maritime Affairs with an aim to “jump start development in the maritime sector.” It’s scheduled to be held from February 10-12, 2023.
The Canadian cybersecurity company said the attacks are designed to target marine-related entities and the event’s visitors by tricking the message recipients into opening the seemingly harmless Microsoft Word document.
Once the document is launched, a method called remote template injection is employed to fetch the next-stage payload from an actor-controlled server that’s configured to return the artifact only if the request is sent from an IP address located in Pakistan.
BlackBerry said it found the server to be hosting two ZIP archive files sans any password protections, one of which includes a Windows executable (updates.exe) that functions as a covert spying tool capable of bypassing sandboxes and virtual machines.
Dmitry Bestuzhev, a threat researcher at BlackBerry, told The Hacker News that the backdoor has been written from scratch in a manner that’s tailored to this campaign.
“The threat actor behind it made a special effort to fly under the radar by being undetected,” Bestuzhev said. “For example, between each request, there is a five minute delay. That’s to lessen the risk of being uncovered.”
“The implant includes self-deletion commands in case of exposure or when the op is finalized. It also contains commands for data transfer, deleting other files, and executing/running other apps in the victim’s system. It looks for files in the system, gathers information about them, and uploads them to the remote server if the files are interesting. It’s designed to steal sensitive files on the victim’s disk.”
What’s more, the contents of the binary are encrypted with the XOR encryption algorithm, where the XOR key is “penguin.” The HTTP response containing the backdoor also comes with the name parameter in the Content-Disposition response header set to “getlatestnews.”
The name NewsPenguin is a reference to the uncommon XOR key and the name parameter, with BlackBerry finding no tactical overlaps that connect the malware to any currently-known threat actor or group.
An analysis of the domain hosting the payloads shows that it has been registered since June 30, 2022, indicating some level of advance planning for the campaign while simultaneously taking steps to iterate its toolset.
“As the target is an event run by the Pakistan Navy, it implies that the threat actor is actively targeting government organizations, rather than this being a financially motivated attack,” BlackBerry said.
“It appears that the goal of this campaign is to find and steal the most interesting files containing information about the theme of the conference, people’s networking, and technologies presented there,” Bestuzhev added.