NewsPenguin Threat Actor Emerges with Malicious Campaign Targeting Pakistani Entities

Feb 09, 2023 | Ravie Lakshmanan | Cyber Attack / Cyber Threat

A previously unknown threat actor dubbed NewsPenguin has been linked to a phishing campaign targeting Pakistani entities by leveraging the upcoming international maritime expo as a lure.

“The attacker sent out targeted phishing emails with a weaponized document attached that purports to be an exhibitor manual for PIMEC-23,” the BlackBerry Research and Intelligence Team said.

PIMEC, short for Pakistan International Maritime Expo and Conference, is an initiative of the Pakistan Navy and is organized by the Ministry of Maritime Affairs with an aim to “jump start development in the maritime sector.” It’s scheduled to be held from February 10-12, 2023.

The Canadian cybersecurity company said the attacks are designed to target marine-related entities and the event’s visitors by tricking the message recipients into opening the seemingly harmless Microsoft Word document.

Opening the document triggers remote template injection. In this technique the lure document itself needs no macro: a relationship in the package points at an external template, which Word fetches as the file opens. Here that template is pulled from an actor-controlled server and serves as the next stage, with its macro code running once the recipient enables macros. The server is geofenced: it returns the artifact only when the request comes from an IP address located in Pakistan, so detonating the lure from outside the country yields nothing and the download has to be reproduced through a Pakistani egress point or recovered from captured traffic.
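The relationship that makes remote template injection work is easy to check for statically, since a .docx is just a zip package. The scanner below is an added example, not BlackBerry's tooling or the campaign's document: it builds two throwaway packages in memory (the template URL is a placeholder, not an indicator from the campaign) and reports every attachedTemplate relationship whose TargetMode is External.

```python
"""Detect remote template injection in a Word document.

Added example, not BlackBerry's analysis tooling. A .docx is a zip package;
Word resolves word/_rels/settings.xml.rels when the document opens, and an
attachedTemplate relationship with TargetMode="External" makes it fetch the
template from that URL before any macro prompt appears. The sample documents
built here are constructed in memory and the template URL is a placeholder.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional

PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)


def find_remote_templates(docx_bytes: bytes) -> List[str]:
    """Return the Target of every external attachedTemplate relationship in the package."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue  # relationships live only in *.rels parts
            root = ET.fromstring(pkg.read(name))
            for rel in root.iter("{%s}Relationship" % PKG_REL_NS):
                if (rel.get("Type") == ATTACHED_TEMPLATE
                        and rel.get("TargetMode", "Internal") == "External"):
                    hits.append(rel.get("Target"))
    return hits


def build_sample_docx(template_url: Optional[str]) -> bytes:
    """Build a minimal package for the demo (constructed; it will not render in Word)."""
    rels = [
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>',
        '<Relationships xmlns="%s">' % PKG_REL_NS,
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
        'officeDocument/2006/relationships/styles" Target="styles.xml"/>',
    ]
    settings = [
        '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"',
        ' xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">',
    ]
    if template_url:
        # This is the injection: settings.xml names the template, the .rels
        # part resolves it to a URL outside the package.
        rels.append('<Relationship Id="rId2" Type="%s" Target="%s" TargetMode="External"/>'
                    % (ATTACHED_TEMPLATE, template_url))
        settings.append('<w:attachedTemplate r:id="rId2"/>')
    rels.append("</Relationships>")
    settings.append("</w:settings>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("word/settings.xml", "".join(settings))
        pkg.writestr("word/_rels/settings.xml.rels", "\n".join(rels))
    return buf.getvalue()


if __name__ == "__main__":
    benign = build_sample_docx(None)
    # Placeholder URL for the demo, not an indicator from the campaign.
    lure = build_sample_docx("http://template.example/PIMEC-23_exhibitor_manual.dotm")
    print("benign:", find_remote_templates(benign))
    print("lure:  ", find_remote_templates(lure))
```

On a real attachment, call find_remote_templates(open(path, "rb").read()). An external template is a triage signal rather than a verdict: organisations do point documents at templates on internal file shares, so the decision rests on where the URL goes. Because the fetch happens on open, mail gateways should treat a document with an external attachedTemplate as active content even though it contains no macro.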

BlackBerry said it found the server hosting two ZIP archives, neither of them password-protected, one of which contains a Windows executable (updates.exe) that functions as a covert spying tool and carries checks intended to evade sandboxes and virtual machines.

Dmitry Bestuzhev, a threat researcher at BlackBerry, told The Hacker News that the backdoor has been written from scratch in a manner that’s tailored to this campaign.

“The threat actor behind it made a special effort to fly under the radar by being undetected,” Bestuzhev said. “For example, between each request, there is a five minute delay. That’s to lessen the risk of being uncovered.”

“The implant includes self-deletion commands in case of exposure or when the op is finalized. It also contains commands for data transfer, deleting other files, and executing/running other apps in the victim’s system. It looks for files in the system, gathers information about them, and uploads them to the remote server if the files are interesting. It’s designed to steal sensitive files on the victim’s disk.”

What’s more, the binary is obfuscated with repeating-key XOR using the key “penguin.” XOR with a short key is reversible by anyone holding the key, and because the start of a PE file is predictable, the key can be recovered from the encoded payload alone. The HTTP response that delivers the backdoor also sets the name parameter of its Content-Disposition header to “getlatestnews,” a value worth matching in proxy logs.
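The two delivery traits above, the Content-Disposition name parameter and the XOR key, are what a responder would look for in captured traffic. The triage script below is an added example, not BlackBerry's tooling: it parses a raw HTTP response, pulls out the name parameter, recovers the repeating XOR key from the known DOS-stub text a PE carries at offset 0x4E, and checks that the decoded body is a PE. The response and the PE-like blob it works on are constructed for the demo; the only facts taken from the article are the key "penguin" and the parameter value "getlatestnews".

```python
"""Triage an HTTP response suspected of delivering a NewsPenguin-style payload.

Added example, not BlackBerry's tooling. Checks the Content-Disposition name
parameter the article describes, recovers a repeating XOR key by known
plaintext, and verifies the decoded body parses as a PE. The response and the
PE-like blob are constructed for the demo; only the key "penguin" and the
parameter value "getlatestnews" come from the article.
"""
from typing import Dict, Optional, Tuple

DOS_STUB = b"This program cannot be run in DOS mode"
DOS_STUB_OFFSET = 0x4E  # where the standard MSVC DOS stub places this string


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def parse_response(raw: bytes) -> Tuple[Dict[str, str], bytes]:
    """Split a raw HTTP/1.1 response into a lower-cased header dict and the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def disposition_param(value: str, param: str) -> Optional[str]:
    """Pull one parameter (e.g. name) out of a Content-Disposition header value."""
    for part in value.split(";")[1:]:
        k, _, v = part.strip().partition("=")
        if k.strip().lower() == param:
            return v.strip().strip('"')
    return None


def recover_xor_key(blob: bytes, known: bytes = DOS_STUB,
                    offset: int = DOS_STUB_OFFSET, max_len: int = 32) -> Optional[bytes]:
    """Known-plaintext attack on repeating-key XOR.

    XORing ciphertext with plaintext known to sit at `offset` yields a slice of
    the keystream; the shortest period that explains the slice is the key
    length, and rotating by offset % period aligns the slice to key[0].
    """
    stream = xor_repeating(blob[offset:offset + len(known)], known)
    if len(stream) < len(known):
        return None  # payload too short to contain the expected stub
    for period in range(1, min(max_len, len(stream) - 1) + 1):
        if all(stream[i] == stream[i % period] for i in range(len(stream))):
            shift = offset % period
            return bytes(stream[(k - shift) % period] for k in range(period))
    return None


def looks_like_pe(data: bytes) -> bool:
    """MZ header plus a PE signature at the offset stored in e_lfanew (0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def triage(raw: bytes) -> Dict[str, object]:
    """Report the delivery traits of one captured response."""
    headers, body = parse_response(raw)
    name = disposition_param(headers.get("content-disposition", ""), "name")
    key = recover_xor_key(body)
    decoded = xor_repeating(body, key) if key else b""
    return {"disposition_name": name, "xor_key": key, "decoded_is_pe": looks_like_pe(decoded)}


# --- constructed sample data, not captured from the campaign ------------------
def build_sample_pe() -> bytes:
    """Stand-in for a PE: MZ header, standard DOS stub text, PE signature at 0x80."""
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = (0x80).to_bytes(4, "little")
    hdr[DOS_STUB_OFFSET:DOS_STUB_OFFSET + len(DOS_STUB)] = DOS_STUB
    return bytes(hdr) + b"PE\0\0" + bytes(60)


def build_sample_response(payload: bytes, key: bytes = b"penguin") -> bytes:
    """Fake server reply shaped like the one the article describes."""
    body = xor_repeating(payload, key)
    return (b"HTTP/1.1 200 OK\r\n"
            b"Content-Type: application/octet-stream\r\n"
            b'Content-Disposition: attachment; name="getlatestnews"\r\n'
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)


if __name__ == "__main__":
    print(triage(build_sample_response(build_sample_pe())))
```

The key recovery works for any short repeating key, not just "penguin", which matters because an operator who sees the key published will change it before the header string does. The known plaintext is an assumption: a PE built without the standard MSVC stub will not decode this way, and the fallback is a dictionary of candidate keys tried against the MZ and PE signatures.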

The name NewsPenguin references the uncommon XOR key and the Content-Disposition name parameter; BlackBerry found no overlap in tactics that connects the malware to any currently known threat actor or group.

The domain hosting the payloads was registered on June 30, 2022, more than seven months before the expo, indicating advance planning for the campaign and time for the actor to iterate on its toolset.

“As the target is an event run by the Pakistan Navy, it implies that the threat actor is actively targeting government organizations, rather than this being a financially motivated attack,” BlackBerry said.

“It appears that the goal of this campaign is to find and steal the most interesting files containing information about the theme of the conference, people’s networking, and technologies presented there,” Bestuzhev added.
