
A previously unknown threat actor, dubbed NewsPenguin, has been linked to a phishing campaign targeting Pakistani organizations that uses the upcoming Pakistan International Maritime Expo and Conference as a decoy.
According to the BlackBerry Research and Intelligence Team, “Attackers sent targeted phishing emails with weaponized documents purporting to be PIMEC-23 exhibitor manuals.”
PIMEC stands for Pakistan International Maritime Expo and Conference. It is an initiative of the Pakistan Navy, organized by the Ministry of Maritime Affairs, with the stated aim of "starting the development of the maritime sector by leaps and bounds". It will be held from February 10 to 12, 2023.
According to the Canadian cybersecurity firm, the attack targets maritime-related entities and event visitors by tricking recipients into opening a seemingly harmless Microsoft Word document.
When the document is opened, it fetches the next stage from an attacker-controlled server using a technique known as remote template injection. The server is configured to return the payload only if the request comes from an IP address located in Pakistan, which prevents the payload from being retrieved from outside the country.

BlackBerry said it found that the same server hosted two ZIP archives without password protection. One of them contains a Windows executable (updates.exe) that acts as an espionage tool and includes checks to evade sandboxes and virtual machines.
The contents of the binary are also encrypted with XOR, using the key "Penguin". The HTTP response delivering the backdoor carries a name parameter in its Content-Disposition response header set to "getlatestnews".
The name NewsPenguin is a reference to this unusual XOR key and name parameter. BlackBerry has not detected any overlap in tactics linking the malware to any currently known threat actor or group.
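The two traits reported above (the name="getlatestnews" parameter in Content-Disposition and a body that XOR-decrypts under the key "Penguin") are concrete enough to check in captured HTTP traffic. The following added example (not BlackBerry's tooling) does that triage over a constructed response. It assumes the delivered file is XOR-encrypted as a whole with a repeating key, which is a reading of the article rather than something it states explicitly; the "executable" in the sample is a fake MZ stub, not malware.

```python
"""Triage an HTTP response for the NewsPenguin delivery traits.

Added example, not BlackBerry's code. Checks two things the article
reports: Content-Disposition carrying name="getlatestnews", and a body
that XOR-decrypts with the repeating key "Penguin" into something that
starts with an MZ (PE) header. Assumption: the whole transferred file
is XOR-encrypted. The sample response is constructed for the demo.
"""
import re
from itertools import cycle
from typing import Dict, Tuple

XOR_KEY = b"Penguin"
# Match the bare "name" parameter, not the "name" inside "filename".
NAME_RE = re.compile(rb'(?<![\w-])name="?([^";\r\n]+)"?', re.IGNORECASE)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same function encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def parse_response(raw: bytes) -> Tuple[Dict[bytes, bytes], bytes]:
    """Split a raw HTTP/1.1 response into (lower-cased header map, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers: Dict[bytes, bytes] = {}
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        k, _, v = line.partition(b":")
        headers[k.strip().lower()] = v.strip()
    return headers, body


def triage(raw: bytes) -> dict:
    """Report whether the response shows the two delivery traits."""
    headers, body = parse_response(raw)
    disposition = headers.get(b"content-disposition", b"")
    m = NAME_RE.search(disposition)
    name = m.group(1).decode(errors="replace") if m else None
    decoded = xor_bytes(body, XOR_KEY)
    return {
        "name_param": name,
        "name_matches": name == "getlatestnews",
        "xor_yields_pe": decoded[:2] == b"MZ",
        "decoded_head": decoded[:8],
    }


def build_sample_response(with_name: bool = True) -> bytes:
    """Construct a response like the one described (fake MZ stub, not malware)."""
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60 + b"constructed-stub"
    body = xor_bytes(fake_pe, XOR_KEY)
    disposition = b'attachment; filename="updates.exe"'
    if with_name:
        disposition = b'attachment; name="getlatestnews"; filename="updates.exe"'
    return (
        b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: application/octet-stream\r\n"
        b"Content-Disposition: " + disposition + b"\r\n"
        b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n"
        + body
    )


if __name__ == "__main__":
    print(triage(build_sample_response()))
    print(triage(build_sample_response(with_name=False)))
```

Note that the filename="updates.exe" parameter also contains the substring "name=", so a naive search for that string would fire on every attachment; the lookbehind in NAME_RE is what keeps the check specific to the bare name parameter the article describes.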
Analysis of the domain hosting the payload shows that it was registered on June 30, 2022, indicating that the campaign was planned well in advance while the toolset was being iterated.
"Because the target is an event operated by the Pakistani Navy, it suggests the attackers are actively targeting government entities rather than conducting a financially motivated attack," BlackBerry said.