NewsPenguin, a Previously Unknown Threat Actor, Targets Pakistan with Advanced Espionage Tool

Summary

A previously unknown threat actor is targeting organizations in Pakistan using a complex payload delivery mechanism. The threat actor abuses the upcoming Pakistan International Maritime Expo & Conference (PIMEC-2023) as a lure to trick their victims.

The attacker sent out targeted phishing emails with a weaponized document attached that purports to be an exhibitor manual for PIMEC-23. The document utilizes a remote template injection technique and embedded malicious Visual Basic for Applications (VBA) macro code to deliver the next stage of the attack, which leads to the final payload execution.

The final payload is an advanced espionage tool that is XOR encrypted with a “penguin” encryption key. The content-disposition response header name parameter is set to “getlatestnews” during the HTTP response. Because of this unique XOR key and the name parameter “getlatestnews”, we decided to call this threat actor NewsPenguin.

In this report, we uncover the entire execution chain. We’ve included indicators of compromise (IoCs) for hunting and incidence response.

Brief MITRE ATT&CK Information

Weaponization and Technical Overview

Technical Analysis

Context

Pakistan holds an important geopolitical position in the central Asian region. The long-standing tensions in this region have also been reflected in cyberspace. The Pakistan International Maritime Expo & Conference (PIMEC) runs from February 10th - 12th of 2023, and based on our discoveries, it seems that the threat actor behind NewsPenguin intends to target its visitors.

What is PIMEC?

PIMEC is an initiative of the Pakistan Navy, organized under the patronage of the Ministry of Maritime Affairs. It provides opportunities for the maritime industry both in public and private sectors to display products and develop business relationships. The event will also highlight Pakistan’s maritime potential and provide stimulus for economic growth at a national level.

Attack Vector

NewsPenguin’s attack vector is a weaponized spear-phishing document digitally distributed as an "exhibitor manual" targeting the upcoming event's visitors.

Figure 1: Malicious lure document spread by NewsPenguin via spear-phishing techniques

The “Important Document.doc” document employs a remote template injection technique. Once opened by the target, it fetches the next stage sample from hxxp[:]//windowsupdates[.]shop/test[.]dotx. By the time we discovered it, the domain had resolved to 51.222.103[.]8. The malicious payload server is set up to only return the file if the user is in the Pakistan IP range.

Figure 2: Malicious URL which is instructed to download the next stage of the attack

Once the victim clicks on "Enable Content," it executes a VBA macro code. The malicious VBA macro code saves the "test.dotx" file in the user’s "C:\Windows\Tasks" folder with the name "abc.wsf".

Figure 3: Malicious VBA macro code instructions

The script then checks whether the infected machine is running on Windows® 7 or 10; depending on the version, it saves this as a job name for the next instruction.

Continuing with its execution, the malicious script does the following:

• Invokes “cmd.exe” process
• Adds “HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” registry key with:
  • value name: WindowsBoost
  • value data: start a script (abc.wst) to run under a job a name (MyWin7|MyWin10)

Weaponization

The "test.dotx" is a rich text format (RTF) file. Depending on the Windows version (job name value), a payload is dropped from the remote server – 51.222.103[.]8. (That's the same IP address that the "windowsupdates[.]shop" domain resolved to.)

If the user is running Windows 10 (MyWin10), the payload is downloaded from “hxxp[:]//51.222.103[.]8/winint.bat”, and saved under “C:\Windows\Tasks\winint.bat” and then finally executed.  However, if the Windows version is 7 (MyWin7), then the payload is downloaded from “hxxp[:]//51.222.103[.]8/winint crt”, decoded from base64, saved under “C:\Windows\Tasks\winint.crt”, and then finally executed.

Figure 4: The contents of the "test.dotx" file

It is important to note that while the content of “winint.bat” is in plaintext (see figure 5 below), the content of “winint.crt” is the same as “winint.bat” and is encoded in base64.

Figure 5: The contents of winnit.bat

While the curl tool is used to transfer five files from the server, two entries are duplicates (“winupdates”). The file information for this is shown in the table below.

NewsPenguin’s server, located at 51.222.103[.]8, is an open directory. It runs on Apache/2.4.41 (Ubuntu) and includes a folder called "get".

Figure 6: Contents of NewsPenguin’s server, located at 51.222.103[.]8

The "get" folder stores the implants mentioned in the "winint.crt/bat" and two new archives:

Figure 7: "get/" directory contents

The archive called "UIOGIYUGDhuhnuidboefuboeib73489723956809yhduihdf.zip" is an unprotected password archive containing the following three files:

• updates – (MD5: 861B80A75ECFB083C46F6E52277B69A9)
• Taskhostw.exe – (MD5: C219A8C50624F9DD9FC0F3C32510EA77)
• libcurl.dll – (MD5: 8B0BF3F5F0AC4605C8C5EF73EB121757)

The second archive, “uhwuiboiuhfuiaghfiyurghuifhoaruioapfhruioeghuioarehguioerhaguihare.zip”, is also password-free and contains two files:

• updates1 – (MD5: 6DFA9980DFAB53220B893D360E36E09B)
• winupdate – (MD5: 314328E63B2E55A9C20BBDA313AB4D04) – Loader

Loader

The “winint.bat|crt” file downloads four files (one was a duplicate) to the “C:\Users\Public\” location on the victim’s machine. Once that is completed, it executes “start Taskhostw.exe”. The following implants use different filenames but are the same file: “Taskhostw.exe” = winupdates = “smss.exe” = “gup.exe”.

The “Taskhostw.exe” is the “gup.exe” – a legitimate component for Notepad++ that is digitally signed by Notepad++ with a valid certificate that is up to date. ”gup.exe” is used as a generic updater. However, to run correctly, it relies on “libcurl.dll”.

In the “winint.bat” file, we also saw that “winupdate” was saved as “C:\Users\Public\libcurl.dll” on the machine. This file is a modified “libcurl.dll” and is, in fact, a loader for the “updates” module, which resides in the “C:\Users\Public\updates” location on the machine. The contents of “updates” are encrypted with the XOR encryption algorithm, where the XOR key is “penguin”.

Figure 8: XOR encryption routine

Once decrypted, it injects to “C:\Windows\syswow64\explorer.exe”.  

Agent

The decrypted/injected file is a Win32 executable with no name, but we will call it “updates.exe” for the sake of this report.

"Updates.exe" is a new and previously undocumented espionage tool. This tool contains a wide range of features that can be used for bypassing sandboxes and virtual machines (VMs).

NewsPenguin performs multiple checks to detect whether it is running in a sandbox environment. That includes using GetTickCount to identify sandboxes bypassing sleep functions, checking the hard drive size, and requiring more than 10GB of RAM. Once running, NewsPenguin creates a mutex named "Windows.20H2.85685475".

When establishing the connection for the very first time, the server registers the infected system with a particular unique identifier that is 12 characters long. This unique identifier is then used for communications between the bot and the server.

NewsPenguin then connects to a hardcoded server – "updates[.]win32[.]live:443/search:<unique_identifier>" – where it then gets the IP address of the command-and-control server (C2) to begin receiving malicious commands from its operator.

It is noteworthy that NewsPenguin waits for 300000ms (five minutes) between each command. Furthermore, each command the bot receives from the server is base64 encoded. When security researchers run malware or potentially interesting samples in sandboxes, those usually have a time limit of fewer than five minutes per sample. This means that if such a sample is run in a sandbox, it won't reproduce the whole thing because of the idle time. Instead, it will terminate its execution upon timeout without producing any malicious artifacts. This is a technique to bypass automated malware analysis by sandboxing.

It is important to note that during the base64 decoding of all strings, we identified more paths to the files we did not see during NewsPenguin’s execution:

• c:\programdata\63921eef-8415-4368-9201-f0df4af5778f.devm
• c:\programdata\vpskg.exe

Network Infrastructure

The “windowsupdates[.]shop” domain has been registered since 2022-06-30 and had its DNS records updated to 51.222.103[.]8 by at least 2022-07-03.

The “updates.win32[.]live” domain has been registered since 2022-10-14 and had its DNS records updated to 185.198.59[.]109 by at least 2022-10-18.

Giving the domain/IP time as a registered and associated group drops NewsPenguin off many newly registered and newly updated IP blocklists, and gives the threat actor higher quality results. This shows that NewsPenguin has done some advance planning and has likely been conducting activity for a while. Short-sighted attackers usually don’t plan operations so far in advance and don’t execute domain and IP reservations months before their utilization.

Targets

Based on the lure theme and the nature of the event, Pakistani companies manufacturing military technologies, nation-states, and military forces are highly likely to be the primary target. That includes the organizers and those attending the Pakistan International Maritime Expo & Conference, especially the exhibitors.

Attribution

The BlackBerry Research and Intelligence Team have not been able to attribute this malware and associated indicators of compromise to any currently-known threat actor or group. Given the highly focused nature of the targets (the Pakistan maritime industry), previously unseen tooling, and new network infrastructure, it is unlikely that the threat actor behind it is connected to casual cybercrime. Instead, we consider it highly likely that the attacker is a nation-state or an outsourced team working for a nation-state threat actor.

Mitigation

For concerned parties, a practical exercise would be to threat-hunt the potentially affected systems. If an infection is confirmed, then based on incident response (IR) exercises, the goal would be to determine when the systems were infected and then, based on the timeline and data on the system, identify what confidential information may have been compromised. Finally, a full remediation should take place to mitigate any potential impacts.

Conclusions

NewsPenguin is a previously unknown threat actor relying on unseen tooling to target Pakistani users and potential visitors of the Pakistani International Maritime Expo & Conference.

The threat actor's timeline and preparation for this campaign show the attacker is continuously improving their tools to infiltrate victim systems. Advanced planning to build network infrastructure months out from an event is rare within criminal enterprises.

As the target is an event run by the Pakistan Navy, it implies that the threat actor is actively targeting government organizations, rather than this being a financially motivated attack.

For similar articles and news delivered straight to your inbox, subscribe to the BlackBerry blog.

Indicators of Compromise (IoCs)

MITRE ATT&CK Flow