Connect with us

Hi, what are you looking for?



ESET Uncovers Cyber Espionage Campaign Targeting Government Agencies in Pakistan

Researchers at ESET have discovered a targeted cyber espionage campaign in Pakistan, which is attempting to compromise sensitive information from various organizations. While limited, traces of the same attack have also been discovered in other parts of the globe.

Researchers at ESET have discovered a targeted cyber espionage campaign in Pakistan, which is attempting to compromise sensitive information from various organizations. While limited, traces of the same attack have also been discovered in other parts of the globe.

The attack targets a vulnerability in Microsoft Office, CVE-2012-0158, which if exploited, allows the attacker to install malicious software up to and including backdoors.

Last year, when criminals focused on this vulnerability at its peak, the Web was flooded with malicious documents. Other attack vectors include the use of malicious PDF files that first send system information to a remote site, before downloading additional malware onto the system.

There’s also evidence that the attackers are signing their code with an old certificate that was issued in 2011 to Technical and Commercial Consulting Pvt. Ltd., a firm based in New Delhi, India.

According to ESET, 80% of the attack has focused on Pakistan, though traces of it have also been noted in the U.S., the Ukraine, China, Russia, Spain, and India.

According to Symantec, the attack appears to be no more than four years old and very broad in scope, but appears to be focused on government agencies located in Pakistan. 

Telemetry data focused on South Asia (Symantec)

Advertisement. Scroll to continue reading.

Telemetry Data of Attacks focused on South Asia

“We have identified several different documents that followed different themes likely to be enticing to the recipients. One of these is the Indian armed forces. We do not have precise information as to which individuals or organizations were really specifically targeted by these files, but based on our investigations, it is our assumption that people and institutions in Pakistan were targeted,” said Jean-Ian Boutin, a malware researcher at ESET.

The payloads dropped by the malware offer a range from access. ESET discovered downloaders, document uploaders, keyloggers, reverse shells, and payloads with the ability to self-replicate within a network. Further, they also found two public tools (WebPassView and Mail PassView from NirSoft) signed by the malicious certificate.

Once compromised, the malware starts harvesting data immediately, but sends it to the attacker’s systems unencrypted.

“The decision not to use encryption is puzzling considering that adding basic encryption would be easy and provide additional stealth to the operation,” said Boutin.

While unrelated, researchers from Trustwave found the same vulnerability being exploited by Cutwail botnet over the past week, which has been sending out spam containing malicious documents that target CVE-2012-0158. “The use of a loaded RTF attachment is a departure from normal for Cutwail, usually it distributes executable attachments or links to exploit kits,” Trustwave’s Rodel Mendrez noted in a blog post. Mendrez also pointed out that the same vulnerability had been used in targeted attacks against NGOs and human rights activists in 2012.

Additional technical details from ESET on the attacks targeting Pakistan are online

Additional reporting by Mike Lennon

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.


The war in Ukraine is the first major conflagration between two technologically advanced powers in the age of cyber. It prompts us to question...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...