According to BlackBerry, a newly identified threat actor has been targeting military organizations in Pakistan with advanced malware.
Dubbed NewsPenguin, the threat actor has been seen sending phishing emails disguised as invitations to the upcoming Pakistan International Maritime Expo & Conference (PIMEC-2023) to spread weaponized documents that deliver a powerful espionage tool.
Diving into details
The attacker sent out targeted phishing emails claiming to be from an exhibitor of PIMEC-23 with a weaponized document attached.
- The lure document indicates that NewsPenguin's primary targets are Pakistani companies involved in military technology manufacturing, along with nation-state and military organizations.
- The document used remote template injection and carried malicious VBA macro code, which launched the next stage of the attack chain.
- This resulted in the execution of an advanced espionage tool whose payload was XOR-encoded (a simple obfuscation rather than real encryption) with the key 'penguin'.
- The HTTP response that delivered the payload carried a Content-Disposition header whose name parameter was set to 'getlatestnews'.
- The name NewsPenguin comes from this combination of the 'penguin' XOR key and the 'getlatestnews' name parameter.
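The two indicators above (the repeating XOR key and the Content-Disposition name parameter) are the kind of thing an analyst would want to check against captured traffic. The following is an added example written for this page, not code from BlackBerry's report or from the malware: it parses a raw HTTP response, extracts the name parameter, XOR-decodes the body with the reported key, and flags a match. The sample response is constructed, the header parsing is deliberately minimal, and the MZ (DOS/PE magic) check is an assumption; the report does not state the payload's file type.

```python
from itertools import cycle
from typing import Optional

# Values reported in the BlackBerry write-up: the XOR key and the
# Content-Disposition name parameter seen on the payload response.
XOR_KEY = b"penguin"
MARKER_NAME = "getlatestnews"


def xor_with_key(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Repeating-key XOR. The same call both encodes and decodes."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def content_disposition_name(header_value: str) -> Optional[str]:
    """Return the name= parameter of a Content-Disposition value, or None."""
    for part in header_value.split(";")[1:]:
        key, _, value = part.strip().partition("=")
        if key.strip().lower() == "name":
            return value.strip().strip('"')
    return None


def analyze_response(raw: bytes) -> dict:
    """Split a raw HTTP response, check the header marker, XOR-decode the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    name_param = content_disposition_name(headers.get("content-disposition", ""))
    decoded = xor_with_key(body)
    return {
        "name_param": name_param,
        "matched": name_param == MARKER_NAME,
        "decoded": decoded,
        # MZ is the DOS/PE magic. This check is an assumption for the
        # example; the write-up does not state the payload's file type.
        "looks_like_pe": decoded[:2] == b"MZ",
    }


# Constructed sample response (not captured traffic): a plausible
# second-stage download whose body is XOR-encoded with the reported key.
SAMPLE_BODY = xor_with_key(b"MZ\x90\x00constructed sample payload")
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Disposition: attachment; name=\"getlatestnews\"\r\n"
    b"\r\n" + SAMPLE_BODY
)

if __name__ == "__main__":
    result = analyze_response(SAMPLE_RESPONSE)
    print("name parameter:", result["name_param"])
    print("matched marker:", result["matched"])
    print("decoded prefix:", result["decoded"][:4])
```

Run this over responses pulled from a proxy or packet capture rather than by fetching the staging URL yourself: as the next section notes, the infrastructure only serves parts of the malware to Pakistani IP addresses, so a request from elsewhere is likely to return nothing useful.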
Why this matters
The researchers stated that the group's goal is cyberespionage alone, with no financial motivation.
- They noted that the group's objective is to spy on attendees and organizers of PIMEC-23, as evidenced by the lure document and the nature of the target.
- One distinctive feature of this campaign is network infrastructure that serves some components of the malware only to devices with a Pakistani IP address.
- This, along with other tactics, is intended to keep the espionage tool out of researchers' hands; an analyst who fetches the later stages from outside Pakistan should expect an incomplete picture. The malware also has capabilities that let it evade application whitelisting by attaching itself to legitimate components.
The bottom line
NewsPenguin is a new and highly sophisticated threat actor focused on Pakistani organizations and on attendees of PIMEC-2023. The group has shown a high level of preparation and planning for this campaign, continually improving its tools. Building network infrastructure months before the event is uncommon among criminal organizations. That the target is an event run by the Pakistan Navy suggests NewsPenguin is specifically targeting government organizations rather than pursuing financial gain.