A previously unknown threat actor dubbed NewsPenguin has been linked to a phishing campaign targeting Pakistani entities, using the upcoming Pakistan International Maritime Expo and Conference as a lure. "The attacker sent out targeted phishing emails with a weaponized document attached that purports to be an exhibitor manual for PIMEC-23," BlackBerry's Research and Intelligence Team said.

PIMEC, short for Pakistan International Maritime Expo and Conference, is an initiative of the Pakistan Navy organized by the Ministry of Maritime Affairs with the aim of "initiating the development of the maritime sector." It is scheduled to be held from February 10 to 12, 2023.

The Canadian cybersecurity firm said the attacks are designed to target Navy-related entities and event visitors by tricking recipients into opening the seemingly innocuous Microsoft Word document. Once the document is opened, a technique called remote template injection is used to retrieve the next-stage payload from an actor-controlled server. That server is configured to return the artifact only if the request originates from an IP address located in Pakistan, a geofence that both narrows the victim pool and frustrates analysis from outside the country.

BlackBerry said it found the server hosting two ZIP archives with no password protection, one of which contains a Windows executable (updates.exe) that functions as an espionage tool with checks for evading sandboxes and virtual machines. The binary is further obfuscated with a repeating-key XOR layer, where the XOR key is "penguin". The HTTP response that delivers the backdoor also carries a Content-Disposition response header whose name parameter is set to "getlatestnews".

The NewsPenguin name refers to this unusual XOR key and name parameter. BlackBerry found no overlap in tactics or tooling that ties the malware to a currently known threat actor or group.
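The two artifacts above that a defender can check for mechanically are the external template reference inside the lure document and the XOR layer on the downloaded binary. The following script is an added example written for this page, not code from BlackBerry or from the campaign: it builds a minimal .docx in memory with an external attachedTemplate relationship (the template URL is a placeholder, not an indicator from the report), lists such references, strips a repeating-key XOR layer keyed with "penguin" from a constructed stand-in for the payload, and pulls the name parameter out of a Content-Disposition header value. All inputs are constructed inline so it runs offline.

```python
"""Added example (not from the article or BlackBerry): detect an external
attached template in a .docx, strip a repeating-key XOR layer, and read the
Content-Disposition name parameter. All sample inputs are constructed here."""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)


def build_sample_docx(template_url: str) -> bytes:
    """Construct a minimal .docx whose settings.xml points at an external
    template. The URL is a placeholder chosen by the example author."""
    settings_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        '<w:attachedTemplate r:id="rId1"/></w:settings>'
    )
    rels_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
        f'Target="{template_url}" TargetMode="External"/></Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/settings.xml", settings_xml)
        zf.writestr("word/_rels/settings.xml.rels", rels_xml)
    return buf.getvalue()


def find_remote_templates(docx_bytes: bytes) -> List[str]:
    """Return every external attachedTemplate target in the document.
    A benign .docx normally has none; a remote-template lure has one
    pointing at a server the attacker controls."""
    hits: List[str] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if "word/_rels/settings.xml.rels" not in zf.namelist():
            return hits
        root = ET.fromstring(zf.read("word/_rels/settings.xml.rels"))
    for rel in root.findall(f"{{{REL_NS}}}Relationship"):
        if rel.get("Type") == ATTACHED_TEMPLATE and rel.get("TargetMode") == "External":
            hits.append(rel.get("Target", ""))
    return hits


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_payload(blob: bytes, key: bytes = b"penguin") -> Optional[bytes]:
    """Strip the XOR layer and return the plaintext only if it starts with
    the 'MZ' signature of a Windows executable; otherwise the key was wrong."""
    plain = xor_with_key(blob, key)
    return plain if plain[:2] == b"MZ" else None


def parse_content_disposition_name(header: str) -> Optional[str]:
    """Pull the name= parameter out of a Content-Disposition header value."""
    for part in header.split(";")[1:]:
        k, _, v = part.strip().partition("=")
        if k.strip().lower() == "name":
            return v.strip().strip('"')
    return None


if __name__ == "__main__":
    doc = build_sample_docx("http://template.example/PIMEC-23/exhibitor.dotm")
    print(find_remote_templates(doc))
    # Constructed stand-in for the XOR-wrapped executable: an MZ header plus filler.
    fake_pe = b"MZ" + b"\x90" * 14 + b"This program cannot be run in DOS mode."
    blob = xor_with_key(fake_pe, b"penguin")
    print(recover_payload(blob) == fake_pe)
    print(parse_content_disposition_name('attachment; name="getlatestnews"'))
```

In a triage pipeline, the template check belongs at mail ingestion, before the document reaches a user: any external attachedTemplate target is worth quarantining regardless of the hostname. The XOR helper is only useful once the second stage has been obtained from inside the geofence; from outside Pakistan the server returns nothing, so the decoder is for samples captured on an in-country host or proxy.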
An analysis of the domain hosting the payloads shows that it was registered on June 30, 2022, indicating some level of pre-planning for the campaign, with the actor iterating its toolset in the months before the event. "As the target is an event organized by the Pakistan Navy, this implies that the threat actor is actively targeting government organizations, rather than this being a financially motivated attack," BlackBerry said.

