A previously unknown threat actor dubbed NewsPenguin has been linked to a phishing campaign targeting Pakistani entities by leveraging the upcoming international maritime expo as a lure.
“The attacker sent out targeted phishing emails with a weaponized document attached that purports to be an exhibitor manual for PIMEC-23,” the BlackBerry Research and Intelligence Team said.
PIMEC, short for Pakistan International Maritime Expo and Conference, is an initiative of the Pakistan Navy and is organized by the Ministry of Maritime Affairs with the aim to “jump start development in the maritime sector.” It is scheduled to be held from February 10-12, 2023.
The Canadian cybersecurity company said the attacks are designed to target marine-related entities and the event’s visitors by tricking the message recipients into opening the seemingly harmless Microsoft Word document.
Once the document is opened, a technique known as remote template injection is employed to fetch the next-stage payload from an actor-controlled server that is configured to return the artifact only if the request is sent from an IP address located in Pakistan.
BlackBerry said it found the server to be hosting two ZIP archive files without any password protection, one of which includes a Windows executable (updates.exe) that functions as a covert spying tool capable of bypassing sandboxes and virtual machines.
What’s more, the contents of the binary are encrypted with the XOR encryption algorithm, where the XOR key is “penguin.” The HTTP response containing the backdoor also comes with the name parameter in the Content-Disposition response header set to “getlatestnews.”
The name NewsPenguin is a reference to the unusual XOR key and the name parameter, with BlackBerry finding no tactical overlaps that connect the malware to any currently known threat actor or group.
An analysis of the domain hosting the payloads shows that it has been registered since June 30, 2022, indicating some level of advance planning for the campaign while simultaneously taking steps to iterate its toolset.
“Since the target is an event run by the Pakistan Navy, it implies that the threat actor is actively targeting government organizations, rather than this being a financially motivated attack,” BlackBerry said.