The NewsPenguin Threat Actor: An Analysis of its Tactics, Techniques, and Procedures
The cybersecurity community has recently been alerted to the emergence of a new threat actor known as NewsPenguin. According to a report from the BlackBerry Research and Intelligence Team, this previously unknown actor has been linked to a phishing campaign targeting Pakistani entities that uses the upcoming Pakistan International Maritime Expo and Conference (PIMEC) as a lure. The event is scheduled for February 10-12, 2023, is hosted by the Ministry of Maritime Affairs and organized by the Pakistan Navy, and is billed as a way of "jump starting development in the maritime sector."
The attacker sends targeted phishing emails carrying what purports to be the exhibitor manual for the event. The attached Microsoft Word document looks harmless because it contains no macro; instead it uses remote template injection, a reference to an external template that Word fetches as soon as the document is opened. The template is served from an actor-controlled server that is configured to return the next-stage payload only when the request originates from an IP address in Pakistan. This geofencing shows how narrowly the campaign is aimed at individuals and organizations in Pakistan, and it also means that an analysis sandbox outside Pakistan that opens the lure will receive nothing from the server.
Analysis of the server hosting the payloads shows that its domain has been registered since June 30, 2022, more than seven months before the event, which points to advance planning and to an actor that keeps iterating its toolset. The server was found to host two ZIP archives without any password protection, one of which contains a Windows executable (updates.exe) that functions as a covert espionage tool. The tool includes checks that detect sandboxes and virtual machines and alters its behaviour when it finds one, which complicates automated analysis and makes it easy to misclassify as benign.
The contents of the binary are obfuscated with a repeating-key XOR, where the key is "penguin"; this hides the payload from simple signature matching but is trivially reversible once the key is known. The HTTP response that delivers the backdoor also carries a Content-Disposition header whose name parameter is set to "getlatestnews." The uncommon XOR key and that name parameter together are what led BlackBerry to call the actor NewsPenguin. BlackBerry found no tactical overlaps connecting the malware to any currently known threat actor or group.
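Those two artifacts, the name parameter and the XOR key, are the kind of indicators a proxy log or packet capture can be checked against. The added example below (my code, not BlackBerry's, and with a constructed response rather than captured traffic) pulls the name parameter from a Content-Disposition header, XOR-decodes the body with the key "penguin", and confirms that the result has a valid DOS/PE header. The stand-in payload is a bare header stub, not an executable and not the actor's binary.

```python
from __future__ import annotations

import re
import struct
from itertools import cycle

# Indicators as reported by BlackBerry and summarised in this article.
XOR_KEY = b"penguin"
SUSPECT_NAME = "getlatestnews"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; applying it twice with the same key restores the input."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def content_disposition_name(headers: dict) -> str | None:
    """Extract the name= parameter from a Content-Disposition header, if present."""
    value = next((v for k, v in headers.items() if k.lower() == "content-disposition"), None)
    if value is None:
        return None
    # Anchor on ';' or start so that 'filename=' does not match as 'name='.
    match = re.search(r'(?i)(?:^|;)\s*name\s*=\s*"?([^";]*)"?', value)
    return match.group(1).strip() if match else None


def looks_like_pe(data: bytes) -> bool:
    """Check the DOS 'MZ' signature and that e_lfanew points at a 'PE\\0\\0' header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage_response(headers: dict, body: bytes) -> dict:
    """Score one HTTP response against the NewsPenguin download indicators."""
    decoded = xor_bytes(body, XOR_KEY)
    return {
        "name_matches": content_disposition_name(headers) == SUSPECT_NAME,
        "raw_is_pe": looks_like_pe(body),
        "xor_decoded_is_pe": looks_like_pe(decoded),
        "decoded": decoded,
    }


def make_fake_pe() -> bytes:
    """Constructed stand-in: a 64-byte DOS header plus a PE signature. Not runnable code."""
    header = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", header, 0x3C, 0x40)  # e_lfanew -> offset 0x40
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 20 + b"payload-stub"


# Constructed sample response in the shape the report describes (not captured traffic).
SAMPLE_HEADERS = {
    "Content-Type": "application/octet-stream",
    "Content-Disposition": 'attachment; name="getlatestnews"; filename="update.bin"',
}
SAMPLE_BODY = xor_bytes(make_fake_pe(), XOR_KEY)

if __name__ == "__main__":
    result = triage_response(SAMPLE_HEADERS, SAMPLE_BODY)
    print({k: v for k, v in result.items() if k != "decoded"})
```

The raw body fails the PE check while the decoded body passes it, which is exactly the signal to look for: a download that is not an executable on the wire but becomes one under a seven-byte XOR key. Either indicator alone is weak; the name parameter can be changed in one line of server config and the key in one line of the loader, so treat a match as a prompt to pull the sample, not as proof of attribution.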
Because the lure is built around an event organized by the Pakistan Navy, the likely recipients are government, military and defence-industry attendees, which points to espionage rather than a financially motivated attack. The combination of targeted phishing, macro-less remote template injection, a geofenced delivery server and sandbox and virtual-machine evasion in the payload shows a level of operational care that goes beyond opportunistic crime.
In conclusion, NewsPenguin is a new and still-evolving threat. It is narrowly focused, technically capable, and has shown advance planning and a willingness to iterate its toolset. Organizations and individuals in Pakistan, especially those involved in the maritime sector, should be particularly cautious of unsolicited emails and attachments, and should treat any Office document that reaches out to an external template as suspicious even if it contains no macro.