Keypoints
- NewsPenguin targeted Pakistan-linked entities around PIMEC-2023 using a weaponized exhibitor-manual document in spear-phishing emails.
- The initial document employs remote template injection and embedded malicious VBA macros to drop the next stage.
MITRE Techniques
- [T1566.001] Spearphishing Attachment – Targeted phishing emails with a weaponized document purporting to be an exhibitor manual for PIMEC-23. Quote: ‘The attacker sent out targeted phishing emails with a weaponized document attached that purports to be an exhibitor manual for PIMEC-23.’
- [T1221] Template Injection – Remote template injection technique used by the document to fetch the next stage. Quote: ‘The document utilizes a remote template injection technique…’
- [T1059.005] Command and Scripting Interpreter – Embedded malicious VBA macro code delivering the next stage. Quote: ‘embedded malicious Visual Basic for Applications (VBA) macro code to deliver the next stage of the attack…’
- [T1059.003] Windows Command Shell – The macro/loader invokes a cmd.exe process. Quote: ‘Invokes “cmd.exe” process’
- [T1112] Modify Registry – Persistence via Run key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run with value name WindowsBoost. Quote: ‘Adds HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key with: value name: WindowsBoost’
- [T1027] Obfuscated/Compressed Files and Information – XOR-encrypted payload with key “penguin.” Quote: ‘encrypted with the XOR encryption algorithm, where the XOR key is “penguin”’
- [T1132.001] Data Encoding – Base64-encoded strings/commands in C2 communications. Quote: ‘base64 encoded’
- [T1071.001] Web Protocols – C2 communications over HTTP/S to hardcoded servers. Quote: ‘C2 server registers infected system… connects to a hardcoded server – “updates[.]win32[.]live:443/search:”’
- [T1105] Ingress Tool Transfer – curl is used to download multiple files from the remote server. Quote: ‘the curl tool is used to transfer five files from the server’
- [T1083] File and Directory Discovery – Commands sent to the victim machine enumerate directories (sh dir). Quote: ‘A list of all files within the directory, including creation time, last modification time, size, name and information regarding other directories contained within. The server sends instructions to the bot on what information it is looking for, for example, the command “sh dir C:\Users”’
- [T1057] Process Discovery – Listing processes (sh tasklist). Quote: ‘A list of all processes’
- [T1082] System Information Discovery – Query hostname to tailor payload. Quote: ‘To get a host name’
- [T1497.003] Virtualization/Sandbox Evasion – Sandbox checks (GetTickCount, RAM size) to avoid analysis. Quote: ‘GetTickCount to identify sandboxes bypassing sleep functions, checking the hard drive size, and requiring more than 10GB of RAM.’
- [T1036.005] Masquerading – A legitimate, Notepad++-signed component (gup.exe) is renamed and used as a legitimate-looking updater, so the valid signature lends it credibility. Quote: ‘The “Taskhostw.exe” is the “gup.exe” – a legitimate component for Notepad++ that is digitally signed by Notepad++’
- [T1573.001] Encrypted/Compressed/Obfuscated Files or Information – Additional obfuscated payloads and XOR-encrypted modules. Quote: ‘contents of the “updates” are encrypted with the XOR encryption algorithm…’
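The XOR layer (key “penguin”) and the base64 encoding noted under T1027, T1573.001 and T1132.001 are what an analyst has to peel back to get at the next stage. The helper below is an added example, not code from the report or the malware: it assumes the key is applied as a repeating byte key over the whole blob and validates the result by checking for a PE header, which lets it tell the two layerings apart on a constructed sample.

```python
import base64
import binascii

# XOR key quoted in the report for the "updates" payload. Applying it as a
# repeating key over the whole blob is an assumption; the report names only the key.
XOR_KEY = b"penguin"

def xor_with_key(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Repeating-key XOR; XOR is its own inverse, so this encrypts and decrypts."""
    if not key:
        raise ValueError("XOR key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def looks_like_pe(data: bytes) -> bool:
    """Cheap check that a decoded blob is a PE image: 'MZ' stub plus 'PE\\0\\0' at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def encode_like_c2(payload: bytes, key: bytes = XOR_KEY) -> bytes:
    """Apply the two layers the report describes: XOR with the key, then base64."""
    return base64.b64encode(xor_with_key(payload, key))

def decode_payload(blob: bytes, key: bytes = XOR_KEY) -> dict:
    """Peel the layers back: try plain XOR first, then base64-unwrap followed by XOR.
    Returns the recovered bytes and which layers matched (None if no PE image emerged)."""
    candidates = [("xor", blob)]
    try:
        candidates.append(("base64+xor", base64.b64decode(blob, validate=True)))
    except (binascii.Error, ValueError):
        pass  # not valid base64, so only the plain-XOR path applies
    for layers, raw in candidates:
        plain = xor_with_key(raw, key)
        if looks_like_pe(plain):
            return {"layers": layers, "data": plain}
    return {"layers": None, "data": b""}

def build_sample_pe_stub() -> bytes:
    """Constructed minimal MZ/PE header (not a runnable executable) used as test input."""
    stub = bytearray(b"MZ" + b"\x00" * 0x3A)   # DOS header up to e_lfanew (0x3C bytes)
    stub += (0x40).to_bytes(4, "little")        # e_lfanew points just past the header
    return bytes(stub + b"PE\x00\x00" + b"\x00" * 20)  # PE signature plus padding

if __name__ == "__main__":
    sample = build_sample_pe_stub()
    print(decode_payload(xor_with_key(sample))["layers"])   # xor
    print(decode_payload(encode_like_c2(sample))["layers"])  # base64+xor
    print(decode_payload(b"not a payload")["layers"])        # None
```

Swap `build_sample_pe_stub()` for the bytes of a captured “updates” file to check whether the same two layers recover a PE from a real sample.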
Indicators of Compromise
- [MD5] fcae6b88640b58d289df42ae2d15e3ca – Context: initial lure document in spear-phishing chain.
- [SHA256] 80326b1e151e8348307114c8115e275c2fd63f0d2eb1dfacb6eca9840cf98525 – Context: lure/document chain.
- [URL] hXXp[:]//windowsupdates[.]shop/test[.]dotx – Context: initial drop/download.
- [MD5] 28e5fceaa9878bfbe967639cf2a2fb9b – Context: loader/update payload.
- [SHA256] 26b113ba29b037034ee34a7f0fea81f6d5452950e0d26058d9b96946d78570c5 – Context: loader/update payload.
- [IP] 51.222.103[.]8 – Context: malicious payload server location.
- [IP] 185.198.59[.]109 – Context: second server domain resolution.
- [URL] updates.win32[.]live – Context: C2 domain.
- [IP] 51.222.103[.]8 (resolved domain to this IP) – Context: same as above.
- [MD5] C219A8C50624F9DD9FC0F3C32510EA77 – Context: winupdates Taskhostw/libcurl family.
- [SHA256] 3F9FAC91288139F81D4949CD5DADDC131AA3443D2A8631093D971B2EBDE6AE77 – Context: winupdates binary.
- [MD5] 314328E63B2E55A9C20BBDA313AB4D04 – Context: winupdate DLL payloads.
- [SHA256] 55F43319B910037D5B2EB8A5E57A14FCA88E22BB0F40E453E510CC375A42BF43 – Context: winupdate DLL payloads.
- [Mutex] Windows.20H2.85685475 – Context: persistence/anti-analysis marker.
- [MD5] 861B80A75ECFB083C46F6E52277B69A9 – Context: updates payload artifact.
- [SHA256] 538BB2540AAD0DCB512C6F0023607382456F9037D869B4BF00BCBDB18856B338 – Context: updates payload artifact.