March 25, 2023

Researchers have spotted a espionage campaign from a novel threat actor called NewsPenguin against Pakistan’s military-industrial complex for months, using an advanced malware tool.

PIMEC (Pakistan International Maritime Expo) a Pakistan navy initiative that will provide opportunities to maritime industry both in public and private sectors to display products and develop business relationships. The event will also highlight Pakistan’s Maritime potential and provide the desired fillip for economic growth at national level.

NewsPenguin attracts its victims using spear-phishing emails with an attached Word document, purporting to be an “Exhibitor Manual” for the PIMEC conference. The file name was quite a red flag “Important Document.doc” referring directly to the event.

Advertisements

The document first opens in a protected view. The victim must then click “enable content” to read the document, which triggers a remote template injection attack. The attack involves a remote template injection attack that avoids easy detection by planting malware not in a document but in its associated template. This will bypass email protection systems and EDR solutions.  

The macros lie outside of the victim’s infrastructure. That way, the traditional products built to protect the endpoint and internal systems won’t be effective. The payload is an executable with no differentiating name, referred to as updates.exe.

The NewsPenguin malware also performs a series of actions to check whether it’s deploying in a virtual machine or sandbox for escaping from getting caught.

The domains associated with the campaign were registered all the way back in June and October of last year, despite PIMEC is scheduled to happen. The researchers couldn’t connect NewsPenguin to any known threat actors. That said, the group has already been working for some time now.

Advertisements

This research was documented by researchers from Blackberry.

Indicators of Compromise

  • 51.222.103[.]8
  • 185.198.59[.]109
  • Windows.20H2.85685475
  • C:\Users\admin\source\repos\BeetleVx\libcurl\processhollow\libcurl\Release\libcurl.pdb
  • 80326b1e151e8348307114c8115e275c2fd63f0d2eb1dfacb6eca9840cf98525
  • 26b113ba29b037034ee34a7f0fea81f6d5452950e0d26058d9b96946d78570c5
  • facb0bfb3123540415b28881bcf951b29ccdd3abace54747d76f19017e80e8d9
  • b4e22ffcaa349618342a933c2cc72896e8273c2095a1f232d7e34b119f485595
  • 3F9FAC91288139F81D4949CD5DADDC131AA3443D2A8631093D971B2EBDE6AE77
  • 55F43319B910037D5B2EB8A5E57A14FCA88E22BB0F40E453E510CC375A42BF43
  • EA732F213FCFC27E386471C290A342B7905FF8030888979D8220403A94D2CDCD
  • 4C003C63F1A7C6D2EAEEB18D37B3EE824C82E1C0C44458A9510EF28C265962C6
  • 538BB2540AAD0DCB512C6F0023607382456F9037D869B4BF00BCBDB18856B338
  • hXXp[:]//windowsupdates[.]shop/test[.]dotx
  • updates.win32[.]live       
Tags:

Leave a Reply

You may have missed

Nexus Android Banking Trojan

Nexus Android Banking Trojan

March 25, 2023
CISA Releases Untitled Goose Tool

CISA Releases Untitled Goose Tool

March 25, 2023
Critical Vulnerability in Woocommerce Payment Plugin

Critical Vulnerability in Woocommerce Payment Plugin

March 25, 2023
Cl0P Ransomware havoc with GoAnywhere MFT Exploit

Cl0P Ransomware havoc with GoAnywhere MFT Exploit

March 25, 2023
CISA Pre Ransomware Notification Initiative

CISA Pre Ransomware Notification Initiative

March 25, 2023
Github seizes Exposed RSA SSH Key

Github seizes Exposed RSA SSH Key

March 24, 2023
%d bloggers like this: