NewsPenguin Goes Phishing for Maritime & Military Secrets

A novel threat actor that researchers have dubbed “NewsPenguin” has been conducting an espionage campaign against Pakistan’s military-industrial complex for months, using an advanced malware tool.

In a blog post on Feb. 9, researchers from BlackBerry revealed how this group carefully planned out a phishing campaign targeting visitors to the upcoming Pakistan International Maritime Expo & Conference (PIMEC).

PIMEC will take place over the course of this coming weekend. It is a Pakistan navy initiative that, according to a government press release, “will provide opportunities to maritime industry both in public and private sectors to display products and develop business relationships. The event will also highlight Pakistan’s Maritime potential and provide the desired fillip for economic growth at national level.”

Attendees at PIMEC include nation-states, militaries, and military manufacturers, among others. That fact, combined with NewsPenguin’s use of a bespoke phishing lure and other contextual details of the attack, led the researchers to conclude “that the threat actor is actively targeting government organizations.”

How NewsPenguin Goes Phishing for Data

NewsPenguin attracts its victims using spear-phishing emails with an attached Word document, purporting to be an “Exhibitor Manual” for the PIMEC conference.

Though the file name, “Important Document.doc,” was quite a red flag, its contents appear to be ripped straight from the actual event’s materials, featuring government seals and the same aesthetic as other media published by the organizers.

The document first opens in a protected view. The victim must then click “enable content” to read the document, which triggers a remote template injection attack.

Remote template injection attacks cleverly avoid easy detection by planting malware not in a document but in its associated template. It’s “a special technique that allows the attacks to fly under the radar,” Dmitry Bestuzhev, threat researcher at BlackBerry, explains to Dark Reading, “especially for the [email gateways] and endpoint detection and response (EDR)-like products. That’s because the malicious macros are not in the file itself but on a remote server; in other words, outside of the victim’s infrastructure. That way, the traditional products built to protect the endpoint and internal systems won’t be effective.”
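As an added example (not code from the article, from BlackBerry, or from the campaign), here is the defender-side check that follows from the technique just described: a Word OOXML package declares its attached template in a relationship file, and when that relationship is marked External and points at a URL or UNC path, the document will fetch its template (and any macros in it) from a remote server. The script assumes a .docx/.dotm ZIP package (the legacy binary .doc format named above is not parsed) and builds its own constructed sample package for testing.

```python
"""Flag Word (OOXML) files whose attached template is fetched remotely.

Added example for this article; not BlackBerry's or the campaign's code.
Assumes a ZIP-based .docx/.dotm package; legacy binary .doc is not handled.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/"
    "relationships/attachedTemplate"
)
REMOTE_PREFIXES = ("http://", "https://", "file://", "\\\\")


def remote_templates(docx_bytes: bytes) -> list[str]:
    """Return attachedTemplate targets that point outside the package."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        # The template relationship lives in the rels part for settings.xml.
        if "word/_rels/settings.xml.rels" not in z.namelist():
            return hits
        root = ET.fromstring(z.read("word/_rels/settings.xml.rels"))
        for rel in root.iter(f"{{{REL_NS}}}Relationship"):
            if rel.get("Type") != ATTACHED_TEMPLATE:
                continue
            target = rel.get("Target", "")
            # A benign template is a relative path (e.g. Normal.dotm);
            # a remote one is External and starts with a URL or UNC prefix.
            if rel.get("TargetMode") == "External" and \
                    target.lower().startswith(REMOTE_PREFIXES):
                hits.append(target)
    return hits


def build_sample(template_target: str, external: bool) -> bytes:
    """Construct a minimal package with one attachedTemplate relationship.

    Test data only; the hostname used by callers is a placeholder.
    """
    rels = (
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
        f'Target="{template_target}"'
        + (' TargetMode="External"' if external else "")
        + "/></Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()
```

Run `remote_templates(open(path, "rb").read())` over mail attachments; a non-empty result is the artifact the gateway misses when it only scans the document itself for macros.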

NewsPenguin’s Evasion Techniques

The payload at the end of the attack flow is an executable with no differentiating name, referred to in the blog post as “updates.exe.” This never-before-seen espionage tool is perhaps most notable for just how far it goes to resist detection and analysis.

For example, to avoid making any loud noises in a target network environment, the malware operates at a snail’s pace, taking five minutes between each command.

“That delay is intended to not cause too much network activity,” Bestuzhev explains. “It stays as silent as possible, with fewer footprints for detection systems to pick up on.”

The NewsPenguin malware also performs a series of actions to check whether it’s deploying in a virtual machine or sandbox. Cybersecurity professionals like to trap and analyze malware in these environments, which isolate any malicious impacts from the rest of a computer or network. Hackers, in turn, know to avoid these isolated environments if they don’t want to be caught out.

The researchers counted a few different evasive methods in updates.exe, which “includes using GetTickCount” (a Windows function that reports how long it’s been since the system was started up) “to identify sandboxes bypassing sleep functions, checking the hard drive size, and requiring more than 10GB of RAM,” according to the report.

The Morsels That NewsPenguin Wants

The researchers couldn’t connect NewsPenguin to any known threat actors. That said, the group has already been working for some time now.

The domains associated with the campaign were registered all the way back in June and October of last year, despite PIMEC only occurring this weekend.

“Short-sighted attackers usually don’t plan operations so far in advance, and don’t execute domain and IP reservations months before their utilization,” the authors of the report observed. “This shows that NewsPenguin has done some advance planning and has likely been conducting activity for a while.”

In that time, the authors added, NewsPenguin has been “continuously improving its tools to infiltrate victim systems.”

Between the premeditated nature of the attack and the profile of the victims, the bigger picture starts to become clear. “What happens at conference booths?” Bestuzhev asks. “Attendees approach the exhibitors, chat, and exchange contact information, which the booth’s personnel register as leads using simple forms like spreadsheets. The NewsPenguin malware is built to steal that information, and we should note that the whole conference is about military and marine technologies.”
