NewsPenguin is a previously unknown threat actor that relies on previously unseen tooling to target Pakistani users and potential visitors of the Pakistan International Maritime Expo & Conference. The threat actor's timeline and preparation for this campaign show that the attacker is continuously improving its tools for infiltrating victim systems. Planning far enough ahead to build network infrastructure months before an event is rare among criminal enterprises.
Because of the attack's level of maturity and thoughtfulness, the threat actor is assessed to be well-funded and likely a government-backed entity or a nation state.
NewsPenguin uses social networking services and conferences to gather victim information. The threat actor has been observed actively looking for events in which Pakistani business firms will be present and participating. The attackers then create fake or decoy profiles that appear to belong to employees of Pakistani business firms with which the targets have connections.
The first stage of the campaign begins with the attacker registering a user profile on Facebook at an event site and later commenting on another user's post. The attacker can then use a NewsPenguin-controlled account to comment on other users' posts as if it were part of the event. By communicating with other users, the attacker gathers additional information about potential targets and establishes trust with an individual's friends.
After establishing enough trust, the attackers send spear-phishing emails to the targeted victims. The email appears to come from a Pakistani business or official organization and offers attendance at the expo.
The email contains links to content or files that appear to be related to the event and instructs users to download them in order to view more material on what they would otherwise miss.
Source: NewsPenguin, a Previously Unknown Threat Actor, Targets Pakistan with Advanced Espionage Tool - AlienVault - Open Threat Exchange