New Malware Campaign Targets Pakistani Government Employees with Advanced Evasion Techniques
A sophisticated malware campaign has recently been identified, targeting government employees in Pakistan through meticulously crafted spear-phishing emails. This operation employs advanced obfuscation methods and a multi-stage payload delivery system to circumvent detection by security tools.
Targeted Entities and Attack Vector
The primary targets of this campaign are personnel from the Punjab Safe Cities Authority (PSCA) and the Punjab Police Integrated Command, Control & Communication (PPIC3) center. The attackers impersonate an internal consultant, referencing a legitimate government initiative known as the Safe Jail Project. This tactic leverages the credibility of established institutional names to deceive recipients.
The spear-phishing emails contain two malicious attachments:
1. Word Document: Titled CAD Reprot.doc (note the intentional misspelling), this file is designed to exploit vulnerabilities in Microsoft Word.
2. PDF File: Named ANPR Reprot.pdf, this document displays a counterfeit Adobe Reader error message, prompting users to download a harmful file.
Both attachments retrieve payloads from infrastructure hosted on BunnyCDN, a legitimate content delivery network. This strategy complicates detection efforts, as the malicious traffic blends with regular network activity.
Technical Analysis and Detection
Security analysts from JoeReverser conducted an in-depth sandbox analysis of the campaign, assigning the Word document a perfect maliciousness score of 100 out of 100. Their findings indicate that the campaign is engineered to establish persistent remote access on compromised systems. Detection tools such as Suricata, Sigma, YARA, ReversingLabs, and VirusTotal corroborated these results, with detection rates ranging from 52% to 56%.
A notable aspect of this campaign is its utilization of Microsoft’s legitimate Visual Studio Code (VS Code) tunnel service as a covert command-and-control (C2) channel. Upon execution, the payload (code.exe) is placed in the victim’s temporary folder and communicates through Microsoft’s infrastructure, making the traffic appear as routine developer activity. Additionally, the attackers employ Discord webhooks to receive real-time notifications of successful compromises, effectively bypassing most network-level monitoring tools.
Multi-Stage Delivery and VBA Stomping
The campaign’s delivery mechanism is particularly sophisticated, designed to evade security defenses at each stage:
1. VBA Stomping: The Word document employs a technique known as VBA stomping, where the visible macro source code is removed, leaving only the compiled p-code. This approach deceives antivirus tools that scan for macro content, allowing the hidden logic to execute without raising alarms.
2. Execution of Malicious Macro: When the victim enables content in the blurred document, the macro’s DownloadAndExfil function activates silently. It uses a COM-based HTTP object to download code.exe from the domain adobe-pdfreader.b-cdn.net and writes it to the system’s temporary folder.
3. Establishing Persistence: The payload then establishes persistence on the infected system, ensuring continued access for the attackers.
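The chain above (Office fetching a payload from a b-cdn.net host, code.exe dropped in the temporary folder, then outbound traffic to the VS Code tunnel service and a Discord webhook) lends itself to endpoint and network telemetry rules. The following is an added example written for this article, not code from the original report or from any of the vendors named: it runs four such rules over constructed sample events and flags a host only when several fire together. The log format, the host names, the VS Code install directories treated as expected, and the tunnel domains (tunnels.api.visualstudio.com, devtunnels.ms) are assumptions; only adobe-pdfreader.b-cdn.net and the code.exe-in-Temp behaviour come from the text.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not real logs from the campaign). Assumed format:
# ISO timestamp, then key=value fields; quoted values may contain spaces/backslashes.
SAMPLE_EVENTS = [
    r'2025-01-15T09:12:01Z host=WS-0142 event=network image="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" dest=adobe-pdfreader.b-cdn.net port=443',
    r'2025-01-15T09:12:03Z host=WS-0142 event=process_create parent="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" image="C:\Users\ali\AppData\Local\Temp\code.exe"',
    r'2025-01-15T09:12:09Z host=WS-0142 event=network image="C:\Users\ali\AppData\Local\Temp\code.exe" dest=global.rel.tunnels.api.visualstudio.com port=443',
    r'2025-01-15T09:12:10Z host=WS-0142 event=network image="C:\Users\ali\AppData\Local\Temp\code.exe" dest=discord.com port=443 url="/api/webhooks/000000000/PLACEHOLDER_TOKEN"',
    # Benign developer activity on another host: VS Code launched from its normal install path.
    r'2025-01-15T09:30:00Z host=DEV-0007 event=process_create parent="C:\Windows\explorer.exe" image="C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe"',
    r'2025-01-15T09:30:05Z host=DEV-0007 event=network image="C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe" dest=global.rel.tunnels.api.visualstudio.com port=443',
]

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

OFFICE_IMAGES = ("winword.exe", "excel.exe", "powerpnt.exe")
# Assumed install locations of the genuine VS Code binary; anything else using the tunnel service is suspicious.
VSCODE_INSTALL_DIRS = ("\\programs\\microsoft vs code\\", "\\program files\\microsoft vs code\\")
TUNNEL_DOMAINS = ("tunnels.api.visualstudio.com", "devtunnels.ms")  # assumed tunnel endpoints
WEBHOOK_HOSTS = ("discord.com", "discordapp.com")
WEBHOOK_ALLOWED_IMAGES = ("discord.exe",)


def parse_event(line):
    """Turn one telemetry line into a dict of fields (timestamp under 'ts')."""
    ts, _, rest = line.partition(" ")
    fields = {"ts": ts}
    for key, quoted, bare in FIELD_RE.findall(rest):
        fields[key] = quoted if quoted else bare
    return fields


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def in_temp(path):
    return "\\temp\\" in path.lower()


def rule_office_spawns_temp_exe(ev):
    """Office parent starting an executable from the user's Temp folder (stage 2 -> 3)."""
    return (ev.get("event") == "process_create"
            and basename(ev.get("parent", "")) in OFFICE_IMAGES
            and in_temp(ev.get("image", ""))
            and ev.get("image", "").lower().endswith(".exe"))


def rule_office_cdn_fetch(ev):
    """Office process talking to a BunnyCDN host; the macro's download step."""
    return (ev.get("event") == "network"
            and basename(ev.get("image", "")) in OFFICE_IMAGES
            and ev.get("dest", "").endswith(".b-cdn.net"))


def rule_tunnel_from_unexpected_path(ev):
    """VS Code tunnel traffic from a binary outside the expected install directories."""
    if ev.get("event") != "network":
        return False
    dest = ev.get("dest", "")
    if not any(dest == d or dest.endswith("." + d) for d in TUNNEL_DOMAINS):
        return False
    image = ev.get("image", "").lower()
    return not any(d in image for d in VSCODE_INSTALL_DIRS)


def rule_webhook_from_unexpected_process(ev):
    """Discord webhook call from anything other than the Discord client itself."""
    return (ev.get("event") == "network"
            and ev.get("dest", "") in WEBHOOK_HOSTS
            and "/api/webhooks/" in ev.get("url", "")
            and basename(ev.get("image", "")) not in WEBHOOK_ALLOWED_IMAGES)


RULES = {
    "office_spawns_temp_exe": rule_office_spawns_temp_exe,
    "office_cdn_fetch": rule_office_cdn_fetch,
    "vscode_tunnel_unexpected_path": rule_tunnel_from_unexpected_path,
    "discord_webhook_unexpected_process": rule_webhook_from_unexpected_process,
}


def evaluate(lines):
    """Return {host: [(rule_name, timestamp), ...]} for every rule that fires."""
    hits = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        for name, check in RULES.items():
            if check(ev):
                hits[ev.get("host", "?")].append((name, ev["ts"]))
    return dict(hits)


def triage(hits, threshold=2):
    """Hosts where at least `threshold` distinct rules fired, with the sorted rule names."""
    out = {}
    for host, entries in hits.items():
        names = sorted({name for name, _ in entries})
        if len(names) >= threshold:
            out[host] = names
    return out


if __name__ == "__main__":
    for host, rules in triage(evaluate(SAMPLE_EVENTS)).items():
        print(host, "->", ", ".join(rules))
```

Each rule on its own is noisy (developers do use VS Code tunnels; bots do post to Discord webhooks), which is why triage requires several distinct rules on the same host before escalating; the genuine VS Code session on DEV-0007 produces no hit because the binary sits in an expected install directory.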
Implications and Recommendations
This campaign underscores the evolving sophistication of cyber threats targeting government entities. The use of legitimate services for C2 communication and advanced obfuscation techniques highlights the need for enhanced vigilance and robust security measures.
Recommendations for Mitigation:
– User Education: Conduct regular training sessions to educate employees about the dangers of phishing attacks and the importance of verifying the authenticity of emails and attachments.
– Advanced Threat Detection: Implement advanced threat detection systems capable of identifying obfuscated code and unusual network traffic patterns.
– Regular Software Updates: Ensure that all software, especially Microsoft Office products, is updated to the latest versions to mitigate vulnerabilities exploited by such attacks.
– Network Monitoring: Monitor network traffic for unusual patterns, particularly communications with external servers that may indicate C2 activity.
– Incident Response Plan: Develop and regularly update an incident response plan to address potential breaches promptly and effectively.
By adopting these measures, organizations can enhance their resilience against sophisticated malware campaigns and protect sensitive information from unauthorized access.