A recent malware operation has surfaced, specifically targeting government personnel in Pakistan through sophisticated spear-phishing emails. This campaign cleverly utilizes obfuscation and staged payload delivery techniques to avoid detection by security systems.
Targeted Institutions and Attack Strategy
The attack primarily focused on employees from the Punjab Safe Cities Authority (PSCA) and PPIC3. The threat actor, masquerading as an internal consultant, referenced a government initiative known as the “Safe Jail Project.” This method of using credible institutional names highlights a growing trend in phishing tactics.
Within the same email, two harmful attachments were sent. The first, a Word document titled “CAD Reprot.doc,” contains a deliberate misspelling, a common trait in files created by threat actors. The second attachment, a PDF named “ANPR Reprot.pdf,” displays a counterfeit Adobe Reader error, prompting users to download a malicious file. Both attachments retrieve payloads from infrastructure hosted on the legitimate BunnyCDN network, complicating detection processes.
Technical Analysis and Detection Challenges
Analysts at JoeReverser conducted a comprehensive sandbox analysis, assigning the Word document the maximum malicious-behavior score. The investigation concluded, with 95% confidence, that the campaign aimed to establish persistent remote access on compromised devices.
Detection metrics from various tools like Suricata, Sigma, YARA, ReversingLabs, and VirusTotal corroborated the findings, indicating a high likelihood of malicious intent. Notably, the use of Microsoft’s VS Code tunnel service as a command-and-control channel obscures the attack, masking it as standard developer activity.
Additionally, Discord webhooks were employed to receive alerts upon system compromise, allowing the attacker to bypass conventional network monitoring tools.
Advanced Techniques and Preventative Measures
The malware’s complexity is evident in its multi-stage delivery and use of VBA stomping—a technique where visible macro source code is removed, leaving only compiled code. This approach often evades antivirus detection, as these tools typically scan only the readable sections of macro content.
Activation of the malicious macro occurs when a user clicks “Enable Content” on the blurred document, triggering a background function to download and execute malicious code. Simultaneously, the PDF prompts a fake update that downloads an unsigned manifest posing as Adobe software, presenting two avenues for system compromise.
Security professionals are strongly advised to handle documents requesting macro activation or software updates with caution. Measures such as blocking unapproved CDN domains, monitoring unusual VS Code tunnel activities, and flagging Discord webhook connections originating from non-browser applications can aid in early detection and prevention of similar threats.
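As an added illustration of the three detection measures listed above (not code from the original report or from the analysts it cites), the following Python rules run over constructed sample telemetry. The log format, process names, allowlists and indicator domains are all assumptions to be adapted to local data.

```python
import re
from typing import Dict, List, NamedTuple

class Event(NamedTuple):
    process: str   # image name of the process that opened the connection
    host: str      # destination hostname
    path: str      # URL path (empty for non-HTTP connections)

# Constructed sample telemetry, one event per line as "process|host|path".
SAMPLE_LOGS = """\
winword.exe|cdn-placeholder.b-cdn.net|/stage/payload.bin
msedge.exe|assets.b-cdn.net|/img/logo.png
code.exe|global.rel.tunnels.api.visualstudio.com|/api/v1/tunnels
powershell.exe|global.rel.tunnels.api.visualstudio.com|/api/v1/tunnels
powershell.exe|discord.com|/api/webhooks/123/abc
chrome.exe|discord.com|/api/webhooks/123/abc
outlook.exe|mail.example.com|/owa
"""

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
VSCODE_BINARIES = {"code.exe", "code-tunnel.exe"}  # assumed legitimate tunnel clients
APPROVED_CDNS = {"assets.b-cdn.net"}               # placeholder per-organisation allowlist

# Indicator patterns (assumed; verify against your own telemetry).
BUNNY_CDN = re.compile(r"(^|\.)b-cdn\.net$", re.I)
VSCODE_TUNNEL = re.compile(r"tunnels\.api\.visualstudio\.com$", re.I)
DISCORD_HOSTS = {"discord.com", "discordapp.com"}
DISCORD_WEBHOOK = re.compile(r"^/api/webhooks/", re.I)

def parse(line: str) -> Event:
    proc, host, path = (line.split("|", 2) + ["", ""])[:3]
    return Event(proc.strip().lower(), host.strip().lower(), path.strip())

def rules(ev: Event) -> List[str]:
    """Return the names of every rule the event trips."""
    hits = []
    if BUNNY_CDN.search(ev.host) and ev.host not in APPROVED_CDNS:
        hits.append("unapproved-cdn")                 # staged payload from an unvetted CDN host
    if VSCODE_TUNNEL.search(ev.host) and ev.process not in VSCODE_BINARIES:
        hits.append("vscode-tunnel-nondev")           # tunnel traffic from a non-editor process
    if ev.host in DISCORD_HOSTS and DISCORD_WEBHOOK.match(ev.path) and ev.process not in BROWSERS:
        hits.append("discord-webhook-nonbrowser")     # webhook beacon from a script or Office process
    return hits

def analyze(log_text: str) -> Dict[int, List[str]]:
    """Map 1-based line numbers to the rules they triggered (silent lines are omitted)."""
    findings = {}
    for n, line in enumerate(log_text.splitlines(), 1):
        if line.strip():
            hits = rules(parse(line))
            if hits:
                findings[n] = hits
    return findings

if __name__ == "__main__":
    for n, hits in analyze(SAMPLE_LOGS).items():
        print(f"line {n}: {', '.join(hits)}")
```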
