
Sophisticated Cyberattack Targets Pakistani Military

A previously undisclosed threat actor is targeting the government and military of nuclear-armed Pakistan as part of a new, unusually complex espionage campaign, Cylance security researchers warn.


Dubbed “The White Company” by Cylance, the hackers are believed to be a state-sponsored group that has access to zero-day exploits and exploit developers, as well as the resources necessary to evolve, modify, and refine tools and malware.

As part of a year-long, ongoing campaign called Operation Shaheen, The White Company went to unusual lengths to ensure stealth, Cylance says. The actor was able to evade detection by Sophos, ESET, Kaspersky, BitDefender, Avira, Avast!, AVG, and Quick Heal products.

“In this campaign, we watched them turn eight different antivirus products against their owners. Then, oddly, the White Company instructed their code to voluntarily surrender to detection,” the researchers said.

The malware checks whether it is running on the intended system, uses decoy documents to reduce suspicion, and can delete itself. The actor also used five different obfuscation (packing) techniques, additional system fingerprinting, and compromised or un-attributable infrastructure for command and control (C&C).

The first phase of the campaign employed a relatively dated exploit (for the CVE-2012-0158 vulnerability), publicly available remote access tools (RATs), either purchased or freely available, and external infrastructure for delivery, namely compromised Pakistani websites, including that of the Frontier Works Organization (FWO).

Starting in December 2017, the lure documents arrived with the malware embedded and attempted to exploit CVE-2015-1641. Highly obfuscated, the payload in this phase also allowed the threat actor to spy on and steal data from its targets and consisted of two separate stages. 

The stage 1 shellcode is simply meant to prepare the system for the stage 2 shellcode, which includes mission-specific functions and which is likely authored by The White Company group themselves. 


The exploit includes anti-analysis capabilities, checks whether any of eight specific antivirus products are present on the target machine and attempts to evade them, determines the current date, and drops the malware payload.

When the lure document is opened, the exploit launches a new session of Microsoft Word and displays a decoy document, but deletes itself from the system, so that it would not trigger a second time. The exploit uses the date check and the previously recorded list of antivirus products to stop the antivirus evasion and essentially surrender to each product, sequentially, over a period of six months.
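The behaviour described above, a Word session that launches a second Word session to show a decoy and then deletes the original lure file so the exploit cannot fire twice, is visible in endpoint telemetry. As an added illustration, not taken from the article or from Cylance's report, the following Python script runs a simple detection over constructed process-creation and file-deletion events. The JSON-lines field names, hosts, paths and timestamps are assumptions made for this example and do not correspond to a real EDR or Sysmon schema.

```python
"""Added example (not from the SecurityWeek article or from Cylance): detect a
Word process that spawns a second Word process and then deletes the document
it was opened with, both shortly after it started.

The telemetry below is a constructed, simplified JSON-lines format; the field
names (ts, type, host, pid, ppid, image, cmdline, target) are assumptions for
this illustration only.
"""
import json
from datetime import datetime, timedelta

# Constructed sample telemetry: a benign Word session (pid 100) that only
# removes a temp file, and a session (pid 200) matching the lure pattern.
SAMPLE_EVENTS = r"""
{"ts": "2018-01-10T09:00:00", "type": "process_create", "host": "wks1", "pid": 100, "ppid": 40, "image": "WINWORD.EXE", "cmdline": "WINWORD.EXE C:\\Users\\a\\Documents\\notes.docx"}
{"ts": "2018-01-10T09:00:05", "type": "file_delete", "host": "wks1", "pid": 100, "target": "C:\\Users\\a\\AppData\\Local\\Temp\\~WRD0001.tmp"}
{"ts": "2018-01-10T10:15:00", "type": "process_create", "host": "wks1", "pid": 200, "ppid": 40, "image": "WINWORD.EXE", "cmdline": "WINWORD.EXE C:\\Users\\a\\Downloads\\lure.doc"}
{"ts": "2018-01-10T10:15:02", "type": "process_create", "host": "wks1", "pid": 201, "ppid": 200, "image": "WINWORD.EXE", "cmdline": "WINWORD.EXE C:\\Users\\a\\AppData\\Local\\Temp\\decoy.doc"}
{"ts": "2018-01-10T10:15:03", "type": "file_delete", "host": "wks1", "pid": 200, "target": "C:\\Users\\a\\Downloads\\lure.doc"}
"""

# How long after process start the child spawn and self-delete must occur
# to be considered part of the same exploit sequence (assumed threshold).
WINDOW = timedelta(seconds=30)


def parse_events(text):
    """Parse JSON lines into dicts with datetime timestamps, sorted by time."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def document_from_cmdline(cmdline):
    """Return the document path passed to Word (simplified: text after the exe)."""
    parts = cmdline.split(" ", 1)
    return parts[1].strip('"') if len(parts) > 1 else None


def detect_self_deleting_lure(events, window=WINDOW):
    """Return one alert per Word process that both spawned a child Word process
    and deleted its own opening document within `window` of its start."""
    procs = {(e["host"], e["pid"]): e
             for e in events if e["type"] == "process_create"}

    # Step 1: parents that launched a second Word session soon after starting.
    spawned_word = {}
    for e in events:
        if e["type"] != "process_create" or e["image"].upper() != "WINWORD.EXE":
            continue
        parent = procs.get((e["host"], e["ppid"]))
        if (parent and parent["image"].upper() == "WINWORD.EXE"
                and e["ts"] - parent["ts"] <= window):
            spawned_word[(e["host"], e["ppid"])] = e["pid"]

    # Step 2: among those parents, find one deleting the document it opened.
    alerts = []
    for e in events:
        if e["type"] != "file_delete":
            continue
        key = (e["host"], e["pid"])
        proc = procs.get(key)
        if proc is None or key not in spawned_word:
            continue
        doc = document_from_cmdline(proc["cmdline"])
        if (doc and e["target"].lower() == doc.lower()
                and e["ts"] - proc["ts"] <= window):
            alerts.append({"host": e["host"], "pid": e["pid"],
                           "decoy_pid": spawned_word[key], "document": doc,
                           "deleted_at": e["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_self_deleting_lure(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

The benign session deletes only a temporary file and never spawns another Word process, so it produces no alert; the lure session trips both conditions. In a real deployment the same two-condition logic would be expressed against the EDR's actual parent-process and file-event fields, and the window tuned to the observed gap between document open and cleanup.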

The spying malware dropped by stage 2 of phase 2 was found to be similar to the RATs delivered in phase 1. They too were heavily obfuscated, modular versions of publicly available Trojans. The malware's purpose was to record keystrokes, steal credentials, access the microphone and camera, and access the desktop remotely.

“Once running, the malware in this campaign relied on a set of roughly half a dozen IP addresses that orchestrated so-called command and control. An analysis of those IPs and domains, including historical domain, DNS, and website registration research, provided no significant insight,” Cylance says. 

However, given that one of the IP addresses is still active, Operation Shaheen is likely ongoing, the security researchers say. On the other hand, the security firm has not had visibility into the campaign since February 2018.

The threat actor went to great lengths to elude attribution, using tools from different developers and attempting to cover their tracks. Nevertheless, based on the use of complex shellcode alongside heavily obfuscated, publicly available malware, the researchers believe The White Company has not been previously documented.

Related: China’s ‘Belt and Road Initiative’ Drives Cyber Spying

Related: Cyber-Espionage Campaigns Target Tibetan Community in India

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
