Suspected Nation-State Adversary Targets Pakistan Navy in Cyber Espionage Campaign

    Date: 11/25/2024

    Severity: Medium

    Summary

    In early September, the BlackBerry Threat Research and Intelligence team uncovered a cyber espionage campaign targeting the Pakistan Navy. The attack, disguised as an internal IT communication, involved a range of artifacts whose purpose was to deliver a stealthy infostealer. The campaign’s tactics, techniques, and procedures (TTPs) resembled those of other known threat groups, but the evidence was insufficient for direct attribution. The referenced BlackBerry blog post outlines the full attack chain and provides actionable remediation recommendations for countering such threats.

    Indicators of Compromise (IOC) List

    URL/Domain

    paknavy.rf.gd

    updateschedulers.com

    packageupdates.net

    https://paknavy.rf.gd/Axigen_Thunderbird.zip

    https://updateschedulers.com/receive_credentials.php

    https://updateschedulers.com/file_download.php?lf=ms

    https://finance-gov-pk.rf.gd/BenevolentFundAndGroupInsurance

    https://updateschedulers.com/image.jpg

    http://packageupdates.net/r3diRecT/redirector/proxy.php

    https://updateschedulers.com/BenevolentFund.pdf

    https://extension.webmailmigration.com/ajaxtension.php

    mxmediasolutions.com

    IP Address

    185.27.134.139

    185.227.82.38

    146.70.149.223

    146.70.149.216

    185.227.82.65

    146.70.80.58

    Hash

    da9e4327bba989fc73280f3eee21cec9d13c1dc57a0df369ee95238c20846558

    9b318a99a95ae21a846d2997ac103ff9de07bcd60b3e7c2d391b4a227642f8fb

    b8405d8d3447ea30ae49d147926faf3709d604b2ea25e92b63b3dc42eb724214

    3291fa800968f2becf4aedd2ca683b83274d4b863112dab406b1465faf904a3b

    43979c3e6ff055d7743c3bd53529b6e4359dcaa257e8b79db60bd629a4fff856

    8fced2552e5b217bfc6d93a3c4d1cd7ac0c51a42180dbe0f56af2e6368637fb1

    c0d62dea8d02d4fafbc298b7ed69cc93700078c3728e3a3acb88d2a2db91de40

    8e54b06a4c9452c23d4c9858437ecb0e6ef0f7030b7ef70264289bd6179ad69f

    df8b7f0fe52fa86997f8d4e5c772ebdd1e84a247d678512a57bb198e6dd00ce8

    5f9ef1e419a66d3eb7bb9b1c71006987667121127ceb59a73d3139b0f98b7d3b

    8021c3b1976805d4cec0ecc3e029cc7ba9616593b52dc3e94364645e9d99216b

    f0287134946a49e7dedc1ee60faab0e4ed7244201a5b744d00781a0e59e6bb80

    54d3f21009acde870817cd42597447786f7c728183fa16966bdeebb1bc3c87e5

    615727e8ed031ca82ae1799893d7b42831f3ed86a1dbc5b4f654d2b5646808b5

    b40f8cf3a7a79eb65ef73df4e40d95c4c77596885a3fcfc0a6979961a26c0ba2

    736315462b91943de9df6210db3bb52564982dd6c758d06ea79e3a404548569b

    fc39ec35d767a2c0a178ca9874be8aaf87033f8b834ee8dcb57d3904516e4335

    c31bf9075492dc093d0c76bd0b961e168c1804914edfca2c75ec09b2ce78ffdb

    81dffcecb3f5765b7ec19cb72b2d10fb56c68a26b82f3fe8b2f5aa715561e666

    11fdfdca21c73c87191fe7b80f1dc127253b52605aee17b9f65c3dc6ade369c0

    5e119ecef481dd008a24c8c389b4b63362e387d55cee1c4eb1cff48bcda3153d

    3e35834b72b475952ae60ea8479ebe3638e204df414a838dfe143081f6729d8e

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    userdomainname like "https://updateschedulers.com/image.jpg" or url like "https://updateschedulers.com/image.jpg" or userdomainname like "mxmediasolutions.com" or url like "mxmediasolutions.com" or userdomainname like "https://updateschedulers.com/file_download.php?lf=ms" or url like "https://updateschedulers.com/file_download.php?lf=ms" or userdomainname like "https://finance-gov-pk.rf.gd/BenevolentFundAndGroupInsurance" or url like "https://finance-gov-pk.rf.gd/BenevolentFundAndGroupInsurance" or userdomainname like "https://updateschedulers.com/receive_credentials.php" or url like "https://updateschedulers.com/receive_credentials.php" or userdomainname like "https://extension.webmailmigration.com/ajaxtension.php" or url like "https://extension.webmailmigration.com/ajaxtension.php" or userdomainname like "updateschedulers.com" or url like "updateschedulers.com" or userdomainname like "https://updateschedulers.com/BenevolentFund.pdf" or url like "https://updateschedulers.com/BenevolentFund.pdf" or userdomainname like "paknavy.rf.gd" or url like "paknavy.rf.gd" or userdomainname like "packageupdates.net" or url like "packageupdates.net" or userdomainname like "https://paknavy.rf.gd/Axigen_Thunderbird.zip" or url like "https://paknavy.rf.gd/Axigen_Thunderbird.zip" or userdomainname like "http://packageupdates.net/r3diRecT/redirector/proxy.php" or url like "http://packageupdates.net/r3diRecT/redirector/proxy.php"

    Detection Query 2

    dstipaddress IN ("146.70.80.58","185.27.134.139","185.227.82.38","146.70.149.223","146.70.149.216","185.227.82.65") or ipaddress IN ("146.70.80.58","185.27.134.139","185.227.82.38","146.70.149.223","146.70.149.216","185.227.82.65") or publicipaddress IN ("146.70.80.58","185.27.134.139","185.227.82.38","146.70.149.223","146.70.149.216","185.227.82.65") or srcipaddress IN ("146.70.80.58","185.27.134.139","185.227.82.38","146.70.149.223","146.70.149.216","185.227.82.65")

    Detection Query 3

    sha256hash IN ("736315462b91943de9df6210db3bb52564982dd6c758d06ea79e3a404548569b","fc39ec35d767a2c0a178ca9874be8aaf87033f8b834ee8dcb57d3904516e4335","f0287134946a49e7dedc1ee60faab0e4ed7244201a5b744d00781a0e59e6bb80","3e35834b72b475952ae60ea8479ebe3638e204df414a838dfe143081f6729d8e","8021c3b1976805d4cec0ecc3e029cc7ba9616593b52dc3e94364645e9d99216b","5f9ef1e419a66d3eb7bb9b1c71006987667121127ceb59a73d3139b0f98b7d3b","81dffcecb3f5765b7ec19cb72b2d10fb56c68a26b82f3fe8b2f5aa715561e666","c31bf9075492dc093d0c76bd0b961e168c1804914edfca2c75ec09b2ce78ffdb","da9e4327bba989fc73280f3eee21cec9d13c1dc57a0df369ee95238c20846558","9b318a99a95ae21a846d2997ac103ff9de07bcd60b3e7c2d391b4a227642f8fb","8fced2552e5b217bfc6d93a3c4d1cd7ac0c51a42180dbe0f56af2e6368637fb1","54d3f21009acde870817cd42597447786f7c728183fa16966bdeebb1bc3c87e5","3291fa800968f2becf4aedd2ca683b83274d4b863112dab406b1465faf904a3b","43979c3e6ff055d7743c3bd53529b6e4359dcaa257e8b79db60bd629a4fff856","5e119ecef481dd008a24c8c389b4b63362e387d55cee1c4eb1cff48bcda3153d","8e54b06a4c9452c23d4c9858437ecb0e6ef0f7030b7ef70264289bd6179ad69f","b8405d8d3447ea30ae49d147926faf3709d604b2ea25e92b63b3dc42eb724214","c0d62dea8d02d4fafbc298b7ed69cc93700078c3728e3a3acb88d2a2db91de40","df8b7f0fe52fa86997f8d4e5c772ebdd1e84a247d678512a57bb198e6dd00ce8","615727e8ed031ca82ae1799893d7b42831f3ed86a1dbc5b4f654d2b5646808b5","b40f8cf3a7a79eb65ef73df4e40d95c4c77596885a3fcfc0a6979961a26c0ba2","11fdfdca21c73c87191fe7b80f1dc127253b52605aee17b9f65c3dc6ade369c0")
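    The three queries above match the advisory's IOCs as literal strings in URL, IP and hash fields. When the same sweep has to be run offline over exported proxy or EDR logs, a small matcher that parses the host out of each URL gives tighter results: a domain IOC is matched only against the host (and its subdomains), not against a URL path that happens to contain the string, full URL IOCs are compared after case-folding scheme and host only, and hashes are case-folded before lookup. The following is an added example for this advisory, not Gurucul's TDIR engine or BlackBerry's tooling; the IOC values are the ones listed above, while the log format (space-separated key=value pairs), the field names src, dst, url and sha256, and the sample log lines themselves are constructed for the example.

```python
"""
Offline IOC sweep over proxy / EDR log lines.

Added example, not Gurucul's TDIR engine or BlackBerry's tooling. The IOC
values come from the advisory; the key=value log format, the field names
(src, dst, url, sha256) and SAMPLE_LOGS are constructed for this example.
"""
import re
from urllib.parse import urlsplit

# --- IOCs listed in the advisory --------------------------------------------
IOC_DOMAINS = (
    "paknavy.rf.gd",
    "updateschedulers.com",
    "packageupdates.net",
    "mxmediasolutions.com",
)
IOC_URLS = (
    "https://paknavy.rf.gd/Axigen_Thunderbird.zip",
    "https://updateschedulers.com/receive_credentials.php",
    "https://updateschedulers.com/file_download.php?lf=ms",
    "https://finance-gov-pk.rf.gd/BenevolentFundAndGroupInsurance",
    "https://updateschedulers.com/image.jpg",
    "http://packageupdates.net/r3diRecT/redirector/proxy.php",
    "https://updateschedulers.com/BenevolentFund.pdf",
    "https://extension.webmailmigration.com/ajaxtension.php",
)
IOC_IPS = {
    "185.27.134.139", "185.227.82.38", "146.70.149.223",
    "146.70.149.216", "185.227.82.65", "146.70.80.58",
}
# Two of the advisory's hashes suffice to exercise the matcher; load the full
# list from the advisory for a real sweep.
IOC_SHA256 = {
    "da9e4327bba989fc73280f3eee21cec9d13c1dc57a0df369ee95238c20846558",
    "9b318a99a95ae21a846d2997ac103ff9de07bcd60b3e7c2d391b4a227642f8fb",
}


def normalize_host(host: str) -> str:
    """Lower-case, drop a trailing dot and a :port suffix (hostname or IPv4)."""
    host = host.strip().lower().rstrip(".")
    if host.count(":") == 1:
        host = host.split(":", 1)[0]
    return host


def normalize_url(url: str) -> str:
    """Scheme and host are case-insensitive; path and query are kept as-is."""
    p = urlsplit(url.strip())
    norm = f"{p.scheme.lower()}://{normalize_host(p.hostname or '')}{p.path or '/'}"
    return norm + ("?" + p.query if p.query else "")


_IOC_URLS_NORM = {normalize_url(u): u for u in IOC_URLS}


def match_domain(host: str):
    """Return the IOC domain that `host` equals or is a subdomain of, else None."""
    host = normalize_host(host)
    for d in IOC_DOMAINS:
        if host == d or host.endswith("." + d):
            return d
    return None


def match_url(url: str):
    """Return the advisory URL that `url` equals after normalization, else None."""
    try:
        return _IOC_URLS_NORM.get(normalize_url(url))
    except ValueError:  # urlsplit rejects malformed IPv6 netlocs
        return None


_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line: str) -> dict:
    """Parse a constructed 'key=value key="quoted value"' log line."""
    return {k: v.strip('"') for k, v in _KV_RE.findall(line)}


def scan_line(line: str):
    """Return (field, ioc_type, ioc_value) hits for one log line."""
    rec = parse_kv(line)
    hits = []
    for field in ("src", "dst"):
        if rec.get(field) in IOC_IPS:
            hits.append((field, "ip", rec[field]))
    url = rec.get("url")
    if url:
        u = match_url(url)
        if u:
            hits.append(("url", "url", u))
        try:
            host = urlsplit(url).hostname or ""
        except ValueError:
            host = ""
        d = match_domain(host)
        if d:
            hits.append(("url", "domain", d))
    h = rec.get("sha256", "").lower()  # hashes may be logged upper-case
    if h in IOC_SHA256:
        hits.append(("sha256", "sha256", h))
    return hits


def scan_logs(lines):
    """Return (line_index, hit) pairs across a list of log lines."""
    return [(i, hit) for i, line in enumerate(lines) for hit in scan_line(line)]


# Constructed sample lines: IPs in 10.0.0.0/8 and the 198.51.100.0/24 and
# 203.0.113.0/24 documentation ranges are placeholders.
SAMPLE_LOGS = [
    "ts=2024-11-25T09:12:03Z src=10.20.1.15 dst=185.227.82.38 url=https://UPDATESCHEDULERS.com/image.jpg",
    "ts=2024-11-25T09:12:09Z src=10.20.1.22 dst=198.51.100.7 url=https://example.com/news/updateschedulers.com.html",
    "ts=2024-11-25T09:13:41Z src=10.20.1.31 dst=146.70.149.223 url=https://mail.paknavy.rf.gd/login",
    "ts=2024-11-25T09:15:00Z host=ws-0412 sha256=DA9E4327BBA989FC73280F3EEE21CEC9D13C1DC57A0DF369EE95238C20846558",
    "ts=2024-11-25T09:15:27Z src=10.20.1.40 dst=203.0.113.9 url=https://www.example.org/",
]

if __name__ == "__main__":
    for idx, (field, kind, value) in scan_logs(SAMPLE_LOGS):
        print(f"line {idx}: field {field} matched {kind} IOC {value}")
```

    Running the script reports the first line three times (destination IP, full URL, and domain), the third line twice (destination IP, and the domain via its mail. subdomain) and the fourth line once (hash, despite upper-case logging), while the second line, whose URL merely contains an IOC domain in its path, produces no hit.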

    Reference:

    https://blogs.blackberry.com/en/2024/11/suspected-nation-state-adversary-targets-pakistan-navy-in-cyber-espionage-campaign

    Tags

    CyberEspionage, APT, Pakistan
