A previously unknown threat actor is targeting organizations in Pakistan using a complex payload delivery mechanism. The threat actor abuses the upcoming Pakistan International Maritime Expo & Conference (PIMEC-2023) as a lure to trick their victims.
The attacker sent out targeted phishing emails with a weaponized document attached that purports to be an exhibitor manual for PIMEC-23. The document utilizes a remote template injection technique and embedded malicious Visual Basic for Applications (VBA) macro code to deliver the next stage of the attack, which leads to the final payload execution.
The final payload is an advanced espionage tool that is XOR encrypted with a “penguin” encryption key. The content-disposition response header name parameter is set to “getlatestnews” during the HTTP response. Because of this unique XOR key and the name parameter “getlatestnews”, we decided to call this threat actor NewsPenguin.
Pakistan holds an important geopolitical position in the central Asian region. The long-standing tensions in this region have also been reflected in cyberspace.