A novel threat actor that researchers have dubbed “NewsPenguin” has been conducting an espionage campaign against Pakistan’s military-industrial complex for months, using an advanced malware tool.
In a blog post on Feb. 9, researchers from Blackberry revealed how this group carefully planned out a phishing campaign targeting visitors to the upcoming Pakistan International Maritime Expo & Conference (PIMEC).
PIMEC will take place over the course of this coming weekend. It is a Pakistan navy initiative that, according to a government press release, “will provide opportunities to maritime industry both in public and private sectors to display products and develop business relationships. The event will also highlight Pakistan’s Maritime potential and provide the desired fillip for economic growth at national level.”
Attendees at PIMEC include nation-states, militaries, and military manufacturers, among others. That fact, combined with NewsPenguin’s use of a bespoke phishing lure and other contextual details of the attack, led the researchers to conclude “that the threat actor is actively targeting government organizations.”
How NewsPenguin Goes Phishing for Data
NewsPenguin attracts its victims using spear-phishing emails with an attached Word document, purporting to be an “Exhibitor Manual” for the PIMEC conference.
Though the file name was quite a red flag — “Important Document.doc” — its contents appear to be ripped straight from the actual event’s materials, featuring government seals and the same aesthetic as other media published by the organizers.
The document first opens in a protected view. The victim must then click “enable content” to read the document, which triggers a remote template injection attack.
Remote template injection attacks cleverly avoid easy detection by planting malware not in a document but in its associated template. It’s “a special technique that allows the attacks to fly under the radar,” Dmitry Bestuzhev, threat researcher at BlackBerry explains to Dark Reading, “especially for the [email gateways] and endpoint detection and response (EDR)-like products. That’s because the malicious macros are not in the file itself but on a remote server — in other words, outside of the victim’s infrastructure. That way, the traditional products built to protect the endpoint and internal systems won’t be effective.”
NewsPenguin’s Evasion Techniques
The payload at the end of the attack flow is an executable with no differentiating name, referred to in the blog post as “updates.exe.” This never-before-seen espionage tool is perhaps most notable for just how far it goes to resist detection and analysis.
For example, to avoid making any loud noises in a target network environment, the malware operates at a snail’s pace, taking five minutes between each command.
“That delay is intended to not cause too much network activity,” Bestuzhev explains. “It stays as silent as possible, with fewer footprints for detection systems to pick up on.”
The NewsPenguin malware also performs a series of actions to check whether it’s deploying in a virtual machine or sandbox. Cybersecurity professionals like to trap and analyze malware in these environments, which isolate any malicious impacts from the rest of a computer or network. Hackers, in turn, know to avoid these isolated environments if they don’t want to be caught out.
The researchers counted a few different evasive methods in updates.exe, which “includes using GetTickCount” — a Windows function that reports how long it’s been since the system was started up — “to identify sandboxes bypassing sleep functions, checking the hard drive size, and requiring more than 10GB of RAM,” according to the report.
The Morsels That NewsPenguin Wants
The researchers couldn’t connect NewsPenguin to any known threat actors. That said, the group has already been working for some time now.
The domains associated with the campaign were registered all the way back in June and October of last year, despite PIMEC only occurring this weekend.
“Short-sighted attackers usually don’t plan operations so far in advance, and don’t execute domain and IP reservations months before their utilization,” the authors of the report observed. “This shows that NewsPenguin has done some advance planning and has likely been conducting activity for a while.”
In that time, the authors added, NewsPenguin has been “continuously improving its tools to infiltrate victim systems.”
Between the premeditated nature of the attack, and the profile of the victims, the bigger picture starts to become clear. “What happens at conference booths?” Bestuzhev asks. “Attendees approach the exhibitors, chat, and exchange contact information, which the booth’s personnel register as leads using simple forms like spreadsheets. The NewsPenguin malware is built to steal that information, and we should note that the whole conference is about military and marine technologies.”