A new malicious actor, tracked as NewsPenguin, has been linked to a phishing campaign targeting Pakistani entities. The attacker sent emails carrying a malicious document disguised as an exhibitor manual for PIMEC-23, an event organized by the Pakistan Navy and the Ministry of Maritime Affairs. Opening the document triggers a remote template injection that fetches a payload from an actor-controlled server. That server was found to be hosting two ZIP archives, one of which contained a Windows executable able to evade sandboxes and virtual machines. The payload was XOR-encrypted with the key 'Penguin'. The domain hosting the payloads had been registered since June 30, 2022, suggesting the attack was planned in advance. Because the lure is tied to an event run by the Pakistan Navy, the threat actor appears to be targeting government organizations rather than acting for financial gain.
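As an added defender-side example, not code from the article or from any vendor's reporting, the Python below checks a .docx for the external attached-template relationship that remote template injection relies on, and reverses a buffer XOR-encrypted with the repeating key 'Penguin' for analysis of a retrieved sample. The document it inspects is a constructed two-part fixture and the URL is a placeholder.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")


def find_remote_templates(docx_bytes):
    """Return (rels part, target URL) for every attached template loaded from an
    external location: the indicator that the document pulls a remote template."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("word/_rels/") and name.endswith(".rels")):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                if (rel.get("Type") == ATTACHED_TEMPLATE
                        and rel.get("TargetMode") == "External"):
                    hits.append((name, rel.get("Target")))
    return hits


def xor_decode(data, key=b"Penguin"):
    """Undo the repeating-key XOR the report describes ('Penguin' is the reported key)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_sample_docx(template_url):
    """Constructed test fixture: only the two parts the check inspects, not a real lure."""
    rels = ('<Relationships xmlns="%s"><Relationship Id="rId1" Type="%s" '
            'Target="%s" TargetMode="External"/></Relationships>'
            % (REL_NS, ATTACHED_TEMPLATE, template_url))
    settings = ('<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
                'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
                '<w:attachedTemplate r:id="rId1"/></w:settings>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/settings.xml", settings)
        zf.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx("http://placeholder.invalid/manual.dotm")  # placeholder URL
    for part, target in find_remote_templates(sample):
        print("remote template in %s -> %s" % (part, target))
    blob = xor_decode(b"MZ\x90\x00")            # XOR-encode a constructed header
    print(xor_decode(blob) == b"MZ\x90\x00")    # the same key restores it
```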
This Cyber News was published on thehackernews.com. Publication date: Thu, 09 Feb 2023 13:33:02 +0000