Maritime-related Entities in Pakistan Targeted in Espionage Campaign
Category: Threat Actor Activity | Industries: Government, Maritime | Level: Tactical | Source: BlackBerry
An active phishing campaign uses the Pakistan International Maritime Expo and Conference (PIMEC) as a lure to deliver a weaponized Word document masquerading as a guide for the conference. PIMEC is organized by the Ministry of Maritime Affairs and is scheduled to run from February 10th to 12th, 2023. The campaign is reported by BlackBerry's Research & Intelligence Team, which tracks the threat actor behind the attack as 'NewsPenguin.' Cyberespionage is deemed the campaign's primary objective, with no financial motivation. Currently, NewsPenguin cannot be attributed to a particular threat group; however, BlackBerry suspects NewsPenguin is associated with a nation-state.
The themes and lures leveraged by NewsPenguin suggest the actor is after data from "Pakistani companies manufacturing military technologies, nation-states, and military forces," in addition to "organizers and those attending the Pakistan International Maritime Expo & Conference, especially the exhibitors." When the weaponized Word document is opened, remote template injection is triggered to download the next-stage payload only if the victim's IP address is registered in Pakistan. A VBA macro, when triggered, sets persistence and leads to the download of several payloads, including an undocumented espionage tool. A review of NewsPenguin's network infrastructure discovered domains registered as early as June 2022, indicating the threat actor had been preparing the attack for months.
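The chain above gives a defender three observable points: an Office process fetching a remote template from an untrusted host, the macro spawning a script host, and a write to a startup location for persistence. The following is an added example by the editor (not BlackBerry's or Anvilogic's detection content) showing how those three conditions can be expressed as simple rules over endpoint telemetry. The event schema, the host and file names, the 203.0.113.10 destination (a documentation-range address) and the rule names are all constructed for the example.

```python
"""Toy detection pass for an Office-delivered malware chain: remote template
fetch, macro-spawned script host, and startup-folder / Run-key persistence.
Added example, not BlackBerry's or Anvilogic's code. All events are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional

OFFICE_BINARIES = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe"}
# Substrings (lower-cased) that identify common autostart locations.
PERSISTENCE_MARKERS = ("\\start menu\\programs\\startup\\", "\\currentversion\\run")
# Hosts an Office binary is expected to talk to; everything else is suspicious.
TRUSTED_SUFFIXES = ("office.com", "microsoft.com")


@dataclass
class Event:
    kind: str                    # "process", "network" or "file"
    host: str                    # endpoint name
    image: str                   # full path of the process emitting the event
    parent: Optional[str] = None  # parent image (process events)
    dest: Optional[str] = None    # "host:port" (network events; IPv4/hostname only)
    path: Optional[str] = None    # written path or registry key (file events)


def _base(image: Optional[str]) -> str:
    """Lower-cased file name of an image path, or '' when absent."""
    if not image:
        return ""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _trusted(hostname: str) -> bool:
    return any(hostname == s or hostname.endswith("." + s) for s in TRUSTED_SUFFIXES)


def detect(events: List[Event]) -> List[dict]:
    """Return one alert dict per matching event, in input order."""
    alerts = []
    for e in events:
        image = _base(e.image)
        # Rule 1: Office binary downloading from an untrusted host (remote template).
        if e.kind == "network" and image in OFFICE_BINARIES and e.dest:
            hostname = e.dest.rsplit(":", 1)[0]
            if not _trusted(hostname):
                alerts.append({"rule": "office_remote_download", "host": e.host,
                               "detail": e.dest})
        # Rule 2: Office binary spawning a script host (macro execution).
        elif e.kind == "process" and _base(e.parent) in OFFICE_BINARIES \
                and image in SCRIPT_HOSTS:
            alerts.append({"rule": "office_child_process", "host": e.host,
                           "detail": image})
        # Rule 3: any process writing to an autostart location (persistence).
        elif e.kind == "file" and e.path and \
                any(m in e.path.lower() for m in PERSISTENCE_MARKERS):
            alerts.append({"rule": "startup_persistence", "host": e.host,
                           "detail": e.path})
    return alerts


WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample telemetry: two benign events and three that should alert.
SAMPLE_EVENTS = [
    Event("process", "ws01", WINWORD, parent=r"C:\Windows\explorer.exe"),
    Event("network", "ws01", WINWORD, dest="templates.office.com:443"),   # benign
    Event("network", "ws01", WINWORD, dest="203.0.113.10:443"),           # alert 1
    Event("process", "ws01", PS, parent=WINWORD),                          # alert 2
    Event("file", "ws01", PS, path=r"C:\Users\alice\AppData\Roaming\Microsoft"
          r"\Windows\Start Menu\Programs\Startup\update.lnk"),             # alert 3
    Event("file", "ws01", r"C:\Windows\System32\svchost.exe",
          path=r"C:\Windows\Temp\log.txt"),                                # benign
]


def run_sample() -> List[dict]:
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for a in run_sample():
        print(f"[{a['rule']}] {a['host']}: {a['detail']}")
```

The geofencing step (payload served only to Pakistani IP addresses) means the network rule must key on the Office process making the request rather than on any particular downloaded content, since a sandbox outside the target region would never see the second stage at all.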
Anvilogic Use Cases:
- Malicious File Delivering Malware
- Malicious Document Execution
- Office Binary Download Remote File
- Network Connection with Suspicious Folder