Pakistan faces multiple cyberattacks from the NewsPenguin group

March 1, 2023
Pakistan Cyberattacks NewsPenguin Threat Group Phishing

Recent research unveiled a new cybercriminal group called NewsPenguin that has been launching highly advanced malware against Pakistani organisations.

The threat actors have been distributing numerous phishing emails that impersonate an invitation for the upcoming Pakistani International Maritime Expo and Conference (PIMEC-2023). These phishing emails contain weaponised documents that spread high-end espionage kits.

Moreover, the new threat group sent targeted phishing emails that claim to come from an exhibitor at PIMEC-23, with a weaponised archive attached.

The NewsPenguin threat group targets Pakistan for military technology purposes.

According to investigations, the lure documents within the NewsPenguin phishing emails indicate that the group targets entities involved with Pakistan’s military technology manufacturing, military forces, and nation-states.

In addition, the phishing documents utilised a remote template injection with malicious VBA macro code that allows the actors to execute their next attack stage.

This stage led to the execution of a highly advanced espionage tool that was XOR-encrypted with the key ‘penguin’. The HTTP response that delivered it carried a Content-Disposition header whose name parameter was ‘getlatestnews’.

Hence, the researchers named the new group ‘NewsPenguin’ after the combination of this XOR key and name parameter.
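As an added illustration of how an analyst can check the two indicators the researchers combined (this is example code, not code from the research or from this article), the Python helper below parses a constructed HTTP response, extracts the Content-Disposition name parameter and XOR-decodes the body with the reported key. The sample response and its body are constructed here, not captured traffic.

```python
import re
from itertools import cycle
from typing import Dict, Optional, Tuple

XOR_KEY = b"penguin"            # XOR key reported for the NewsPenguin payload
SUSPECT_NAME = "getlatestnews"  # Content-Disposition name parameter reported

def xor_with_key(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Repeating-key XOR; the same operation encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def content_disposition_name(headers: Dict[str, str]) -> Optional[str]:
    """Return the name= parameter of Content-Disposition, or None if absent."""
    value = headers.get("content-disposition")
    if not value:
        return None
    # ';\s*name' deliberately does not match 'filename='
    m = re.search(r';\s*name\s*=\s*"?([^";]+)"?', value, re.IGNORECASE)
    return m.group(1) if m else None

def parse_raw_response(raw: bytes) -> Tuple[Dict[str, str], bytes]:
    """Split a raw HTTP/1.x response into lower-cased headers and the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers: Dict[str, str] = {}
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, _, val = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = val.strip()
    return headers, body

def triage_response(raw: bytes) -> dict:
    """Flag the reported name parameter and test whether the XOR-decoded body is a PE."""
    headers, body = parse_raw_response(raw)
    name = content_disposition_name(headers)
    decoded = xor_with_key(body)
    return {
        "name_param": name,
        "name_matches": name == SUSPECT_NAME,
        "is_pe_after_xor": decoded[:2] == b"MZ",  # PE files start with 'MZ'
        "decoded": decoded,
    }

# Constructed sample: a fake PE-like body encrypted with the reported key.
SAMPLE_PLAINTEXT = b"MZ\x90\x00constructed-sample-payload"
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b'Content-Disposition: attachment; name="getlatestnews"\r\n'
    b"\r\n" + xor_with_key(SAMPLE_PLAINTEXT)
)

if __name__ == "__main__":
    r = triage_response(SAMPLE_RESPONSE)
    print(r["name_param"], r["name_matches"], r["is_pe_after_xor"])
```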

The new cybercriminal group’s primary objective is cyber espionage, and researchers support this assessment because the threat actors show no financial motivation against Pakistan.

The researchers explained that the group aims to spy on the staff and organisers of PIMEC-23 since they are related to the group’s primary target.

One of the most distinctive features of NewsPenguin’s campaign is its network infrastructure, which delivers parts of the malware only to devices with a Pakistani IP address.

NewsPenguin is the latest highly sophisticated threat group to appear in the threat landscape. The group was well prepared for its attack on Pakistan and PIMEC-23, as its attack methods make evident.

Planning and building network infrastructure months before the event is not a common trait of an ordinary cybercriminal organisation. Therefore, this threat group is purely focused on its goal, with no financial interest in its target.
