Pakistan Targeted by Malicious Campaign from NewsPenguin Threat Actor

On February 9, 2023, the BlackBerry Research and Intelligence Team uncovered a phishing campaign targeting Pakistani entities that used the upcoming Pakistan International Maritime Expo and Conference (PIMEC-23) as its lure. The attackers sent targeted emails carrying a weaponized Microsoft Word document that purported to be the exhibitor manual for the event.

Once opened, the document uses remote template injection: it fetches its next stage from an actor-controlled server that is geofenced to return the artifact only to requests originating from an IP address in Pakistan. The delivered payload is a Windows executable, updates.exe, a covert espionage tool that uses anti-sandbox and anti-virtual-machine checks to evade analysis. The payload is XOR-encoded, and the XOR key is "penguin."

The domain hosting the payloads has been registered since June 30, 2022, which indicates advance planning and that the actor iterated its toolset over several months before the lure went out. The targeting points to intelligence collection against government organizations rather than financial gain.

The BlackBerry Research and Intelligence Team has named the threat actor NewsPenguin, after the uncommon XOR key and the name parameter in the Content-Disposition response header. They urge organizations to remain vigilant and protect themselves against such threats.