Login
iscover
Imaginative hackers have used a trade expo hosted by the Pakistan Navy to distribute a powerful piece of spyware.
To continue reading the rest of this article, please log in.
Create free account to get unlimited news articles and more!
The unknown threat group sent out a raft of emails targeted at companies wishing to attend the Pakistan International Maritime Expo & Conference (PIMEC) 2023, with an apparent exhibitor list attached to the email.
Only the list was the delivery mechanism for a malicious payload, specifically targeted at organisations with a Pakistani IP address.
When a user clicks on the document, it asks them to enable macros in the document, which is when the attack begins. The document runs a short script to identify whether a machine is running Windows 7 or Windows 10, then downloads the appropriate files from the threat actor’s command and control infrastructure, the last of which is a previously unknown piece of spyware, that researchers at BlackBerry have dubbed NewsPenguin, after the mode of encryption the software uses and one of its filenames.
NewsPenguin can detect if it’s running in a sandboxed environment, and times its requests back to its C2 servers to avoid detection.
Once up and running, the spyware is capable of listing files in a directory and all processes running on a machine, copying and deleting files, creating hidden directories, and uploading files back to the C2 infrastructure. It can also run further malware tools.
The entire spear phishing campaign seems to have been well thought out, with domains set up well ahead of time, and with a very specific set of targets.
“Based on the lure theme and the nature of the event, Pakistani companies manufacturing military technologies, nation-states, and military forces are highly likely to be the primary target,” BlackBerry’s researchers said in a blog post.
“That includes the organisers and those attending the Pakistan International Maritime Expo & Conference, especially the exhibitors.”
Unfortunately, BlackBerry has been unable to identify the threat actor but has surmised that the motivation behind the campaign is likely not financial, nor based on a simple target of opportunity.
“We consider it highly likely that the attacker is a nation-state or an outsourced team working for a nation-state threat actor.”
Jonathan Jackson, director of engineering BlackBerry, believes the attack should serve as a wake-up call for the region.
“Currently in Australia, we are seeing significant government scrutiny upon tactics being used for surveillance, espionage and cyber security attacks — for good reason,” Jackson said. “This particular instance (NewsPenguin) might not be right in our backyard, but the new find is cause for concern for any government on-watch for potential threats to national security.”
The PIMEC expo ran over the weekend of 10–12 February.
