Researchers have observed the Confucius threat group conducting a recent spear-phishing campaign in which attackers used lures related to Pegasus spyware to target Pakistani military.
The campaign was detected during a broader investigation of the Confucius threat actor, report Trend Micro researchers who found it. In the first phase of the two-step attack, an email is sent without a malicious payload containing content copied from a legitimate Pakistani newspaper article. The spoofed sender address mimics the PR department of the Pakistani Armed Forces.
Two days later, a second email arrives disguised as a warning from the Pakistani military about the Pegasus spyware. This email contains a link to a malicious encrypted Word document; the decryption password will be sent to the victim. The sender address spoofs a service similar to the one in the first email.
If the target clicks the malicious document link or the “unsubscribe” link, the Word document is downloaded and a document containing macros displays on the screen after the password is entered. If macros are enabled, malicious code will be noted, researchers explain.
The final payload is a .NET DLL file designed to steal documents and images, and it checks the Documents, Downloads, Desktop, and Pictures folder for every user.
Read the full blog post for more information.
Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.
