NewsPenguin Initiates Phishing Campaign for Maritime & Military Secrets


Using a sophisticated malware tool, a new threat actor known as "NewsPenguin" has been conducting espionage operations against Pakistan's military-industrial complex for months. 

In a blog post on February 9, researchers from BlackBerry detailed how this group meticulously prepared a phishing campaign targeting attendees of the upcoming Pakistan International Maritime Expo & Conference (PIMEC).

PIMEC is set to be held over the course of the following weekend. It is a Pakistan navy initiative that will provide opportunities to the maritime industry both in the public and private sectors to display products and develop business relationships. 

"The event will also highlight Pakistan's Maritime potential and provide the desired fillip for economic growth at national level," reads the government press release. Attendees at PIMEC include nation-states, militaries, and military manufacturers, among others. That fact, combined with NewsPenguin's use of a bespoke phishing lure and other contextual details of the attack, led the researchers to conclude "that the threat actor is actively targeting government organizations."

How Does NewsPenguin Operate the Phishing Campaign?

NewsPenguin lures its victims via spear-phishing emails carrying an attached Word document that purports to be an “Exhibitor Manual” for PIMEC.

Although the file's name, “Important Document. doc”, should have been a warning sign, its contents, which included official seals and the same aesthetic as other materials released by the event's organizers, appear to have been lifted verbatim from those materials.

Initially, the document opens in Protected View. To read the page, the victim must click "enable content," which starts a remote template injection attack. Remote template injection attacks avoid easy detection by placing the malicious content in an associated template rather than in the document itself. It is "a special technique that allows the attacks to fly under the radar[…] especially for the [email gateways] and endpoint detection and response (EDR)-like products. That's because the malicious macros are not in the file itself but on a remote server — in other words, outside of the victim's infrastructure. That way, the traditional products built to protect the endpoint and internal systems won't be effective," says Dmitry Bestuzhev, a threat researcher at BlackBerry.
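A defender-side check for the remote template reference described above, added here as an example and not taken from the BlackBerry report: it scans an OOXML document's relationship parts for an attached template hosted on a network location. The function names and the sample URL are assumptions, and the sample packages are constructed.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_TAG = "{http://schemas.openxmlformats.org/package/2006/relationships}Relationship"
TEMPLATE_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                 "relationships/attachedTemplate")
REMOTE_PREFIXES = ("http://", "https://", "ftp://", "\\\\")  # URLs and UNC paths


def find_remote_templates(data: bytes) -> list[str]:
    """Return network-hosted attachedTemplate targets in an OOXML package."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return []  # legacy OLE .doc or RTF needs a different parser
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(pkg.read(name))
            except ET.ParseError:
                continue  # malformed part: skip, keep scanning the rest
            for rel in root.iter(REL_TAG):
                target = rel.get("Target", "")
                if (rel.get("Type") == TEMPLATE_TYPE
                        and rel.get("TargetMode", "").lower() == "external"
                        and target.lower().startswith(REMOTE_PREFIXES)):
                    hits.append(target)
    return hits


def build_sample(target: str) -> bytes:
    """Constructed sample: only the package part this check reads."""
    rels = ('<?xml version="1.0" encoding="UTF-8"?>'
            '<Relationships xmlns="http://schemas.openxmlformats.org/'
            'package/2006/relationships">'
            f'<Relationship Id="rId1" Type="{TEMPLATE_TYPE}" '
            f'Target="{target}" TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()

if __name__ == "__main__":
    # Constructed inputs: a placeholder remote URL and a local template path.
    for t in ("https://templates.example.invalid/manual.dotm",
              "file:///C:/Templates/Normal.dotm"):
        print(t, "->", find_remote_templates(build_sample(t)))
```

A locally attached template also carries `TargetMode="External"`, which is why the check looks at where the target points rather than at the mode alone. On untrusted attachments, cap the decompressed size of each part and use a hardened XML parser.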

Evasion Techniques used by NewsPenguin 

The blog post refers to the executable with the generic name "updates.exe" as the payload at the end of the attack flow. The most noteworthy feature of this never-before-seen espionage weapon is how far it goes to avoid notice and scrutiny. 

For instance, to avoid generating noticeable activity on the targeted network, the malware operates at a very slow pace, waiting around five minutes before each command.

Additionally, the NewsPenguin malware runs a series of checks to determine whether it is running in a virtual machine or sandbox. Security analysts commonly trap and analyze malware in such environments, which isolate any unwanted effects from the rest of a computer or network.

What does NewsPenguin Want? 

The researchers could not link NewsPenguin to any known threat actor. That said, the group has been operating for some time.

Although PIMEC only takes place this weekend, the domains linked to the campaign were already registered in June and October of last year.

"Short-sighted attackers usually don't plan operations so far in advance, and don't execute domain and IP reservations months before their utilization[…] This shows that NewsPenguin has done some advance planning and has likely been conducting activity for a while," the authors of the report said. 

The authors add that NewsPenguin has been "continuously improving its tools to infiltrate victim systems." 

The broader picture begins to emerge from the attack's premeditation and the victims' profiles. "What happens at conference booths?" Bestuzhev asks. "Attendees approach the exhibitors, chat, and exchange contact information, which the booth's personnel register as leads using simple forms like spreadsheets. The NewsPenguin malware is built to steal that information, and we should note that the whole conference is about military and marine technologies."