NewsPenguin phishing attack targets maritime and military secrets
According to BlackBerry researchers, a new phishing campaign dubbed “NewsPenguin” has been targeting Pakistan’s military-industrial complex for months, using an advanced malware tool to steal sensitive information. The campaign, which is believed to be state-sponsored, has been running since at least December 2022.
“The attacker sent out targeted phishing emails with a weaponized document attached that purports to be an exhibitor manual for PIMEC-23,” the BlackBerry Research and Intelligence Team said.
PIMEC, which stands for Pakistan International Maritime Expo and Conference, is a Pakistan Navy initiative organized by the Ministry of Maritime Affairs with the goal of “jump starting development in the maritime sector.” The campaign appeared to be more concerned with gathering intelligence and exfiltrating information than with causing immediate harm to the victims.
The campaign employs sophisticated toolsets designed to avoid detection by traditional security measures. The malware and remote access trojans (RATs) in the toolset were used to gain access to victims’ systems and steal sensitive data. NewsPenguin uses various techniques to evade detection, such as encrypted payloads and dynamically generated domains for command-and-control (C2) communication.
The attackers used malware from the “Zodiac” family, which is known for its ability to avoid detection by antivirus software. In addition, the attackers used “IceLog,” a keylogger used to steal sensitive information, and “Gh0stRAT,” a remote access tool that allowed the attackers to take control of the victim’s system. The attackers are also employing Glacier malware, which is designed to avoid detection by traditional antivirus solutions.
BlackBerry researchers also believe NewsPenguin is using a new malware strain known as “PenguSpy.” This malware is designed to avoid detection and gather intelligence from infected systems, including stealing passwords and capturing screenshots.
The phishing email includes an “Important Document.doc” attachment that uses a remote template injection technique. When the target opens it, it retrieves the next-stage sample from hxxp[:]//windowsupdates[.]shop/test[.]dotx. The domain had resolved to 51.222.103[.]8 by the time we discovered it. The malicious payload server is configured to return the file only if the user’s IP address falls within the Pakistan IP range. When the victim clicks “Enable Content,” a VBA macro is executed. The macro saves the “test.dotx” file as “abc.wsf” in the user’s “C:\Windows\Tasks” folder.
The script then determines whether the infected machine is running Windows® 7 or 10 and saves the version as a job name for the next instruction.
The sources for this piece include an article in DarkReading.
Watch this news on our Youtube channel: https://www.youtube.com/watch?v=ycO6hVmt5R4&t=6s