EXECUTIVE SUMMARY
A highly targeted malware campaign is aimed at government employees in Pakistan, specifically staff of the Punjab Safe Cities Authority (PSCA) and PPIC3, with the goal of establishing persistent remote access on compromised machines. The attack begins with a carefully crafted spear-phishing email that impersonates an internal consultant and references a legitimate-sounding government infrastructure project to borrow credibility and gain the recipient's trust. The email carries two malicious attachments: a Word document with a VBA macro dropper and a PDF with a fake Adobe Reader lure. Both attachments retrieve their payloads from a legitimate content delivery network (BunnyCDN), which makes the downloads harder for security tools to flag.
Infection relies on a VBA macro lure: the document tricks the user into enabling macros, which triggers the DownloadAndExfil function. This function downloads a payload from the attacker's CDN domain and writes it to the system's temporary folder. The payload then establishes a VS Code tunnel, a legitimate Microsoft remote-development service that is abused here as a covert command-and-control channel. Discord webhooks give the attacker an instant notification of each successful compromise. Because every stage rides on legitimate, widely used services, the chain is designed to evade network-level detection, which makes it difficult for organisations to detect and respond to the threat.
The significance of this threat lies in its sophistication and its ability to evade detection. Reliance on legitimate services such as BunnyCDN and VS Code tunnels deprives security tools of an obviously malicious domain or binary to block, and the custom-built toolset is not associated with any known malware family, so signature-based detection is unlikely to catch it. Organisations should take defensive action against this pattern: block CDN domains that are not linked to approved services, alert on VS Code tunnel activity on hosts that have no business reason for it, and flag Discord webhook connections originating from non-browser processes such as Office applications or scripting hosts.
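The three defensive actions above translate directly into host-telemetry detections. The script below is an added example written for this page, not code from the original report or the cited analyses: it runs the three rules over constructed sample events. Everything not stated on the page is an assumption, namely the event schema (a flattened process-create / network-connection feed in the style of Sysmon or EDR exports, with a `url` field supplied by a web proxy), the BunnyCDN (`*.b-cdn.net`) and VS Code tunnel service (`*.tunnels.api.visualstudio.com`, `*.devtunnels.ms`) hostname patterns taken from public vendor documentation, the allowlist of approved CDN hosts, and the sample hostnames and command lines, which are invented for the demonstration and are not indicators from the campaign.

```python
"""Detections for the chain described above, run over constructed telemetry.

Added example for this page, not the report's own code. Assumptions:
- events are dicts: {"type": "process"|"net", "image": path, "cmdline": ..,
  "host": .., "url": ..} (a Sysmon/EDR-style export joined with proxy URLs)
- hostname patterns come from public vendor docs, not from the report
- APPROVED_CDN_HOSTS and SAMPLE_EVENTS are invented placeholders
"""
import re

# BunnyCDN default zone hostnames (assumption: public docs).
CDN_SUFFIXES = (".b-cdn.net",)
# CDN hostnames this organisation has approved (constructed placeholder).
APPROVED_CDN_HOSTS = {"assets.intranet-approved.b-cdn.net"}
# Hostnames a VS Code remote tunnel talks to (assumption: Microsoft docs).
VSCODE_TUNNEL_SUFFIXES = (".tunnels.api.visualstudio.com", ".devtunnels.ms")
VSCODE_IMAGES = {"code.exe", "code-tunnel.exe", "code"}
# Document readers that should never be the origin of a CDN payload fetch.
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe"}
# Processes for which a Discord webhook call is plausible.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "discord.exe"}
# Discord webhook URL shape: https://discord.com/api/webhooks/<id>/<token>
DISCORD_WEBHOOK_RE = re.compile(
    r"^https?://(?:[\w-]+\.)?discord(?:app)?\.com/api/webhooks/\d+/", re.I)


def _basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _has_suffix(host: str, suffixes) -> bool:
    host = host.lower()
    return any(host.endswith(s) for s in suffixes)


def detect(events):
    """Apply the three rules; return (rule, image, indicator) tuples in order."""
    findings = []
    for e in events:
        img = _basename(e.get("image", ""))
        if e["type"] == "process":
            cmd = e.get("cmdline", "").lower()
            # Rule 2a: VS Code CLI launched in tunnel mode.
            if img in VSCODE_IMAGES and re.search(r"\btunnel\b", cmd):
                findings.append(("vscode_tunnel_process", img, cmd))
        elif e["type"] == "net":
            host = e.get("host", "")
            url = e.get("url", "")
            # Rule 1: a document reader pulling from an unapproved CDN host.
            if (img in OFFICE_IMAGES and _has_suffix(host, CDN_SUFFIXES)
                    and host.lower() not in APPROVED_CDN_HOSTS):
                findings.append(("office_to_unapproved_cdn", img, host))
            # Rule 2b: any process reaching the tunnel relay service.
            if _has_suffix(host, VSCODE_TUNNEL_SUFFIXES):
                findings.append(("vscode_tunnel_network", img, host))
            # Rule 3: webhook POST from something that is not a browser.
            if DISCORD_WEBHOOK_RE.match(url) and img not in BROWSERS:
                findings.append(("discord_webhook_nonbrowser", img, url))
    return findings


OFFICE = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
# Constructed sample telemetry; hostnames and paths are invented, not IOCs.
SAMPLE_EVENTS = [
    {"type": "process", "image": OFFICE, "cmdline": "winword.exe /n Tender.docm"},
    {"type": "net", "image": OFFICE, "host": "lure-example.b-cdn.net",
     "url": "https://lure-example.b-cdn.net/update.bin"},
    {"type": "process", "image": r"C:\Users\u\AppData\Local\Temp\code.exe",
     "cmdline": "code.exe tunnel --accept-server-license-terms --name host01"},
    {"type": "net", "image": r"C:\Users\u\AppData\Local\Temp\code.exe",
     "host": "global.rel.tunnels.api.visualstudio.com", "url": ""},
    {"type": "net", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "host": "discord.com",
     "url": "https://discord.com/api/webhooks/1234567890/redacted-token"},
    # Benign noise that must not fire: a browser using a webhook, and an
    # approved CDN host fetched by Word.
    {"type": "net", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "host": "discord.com",
     "url": "https://discord.com/api/webhooks/1234567890/redacted-token"},
    {"type": "net", "image": OFFICE, "host": "assets.intranet-approved.b-cdn.net",
     "url": "https://assets.intranet-approved.b-cdn.net/logo.png"},
]


if __name__ == "__main__":
    for rule, image, indicator in detect(SAMPLE_EVENTS):
        print(f"{rule:28} {image:16} {indicator}")
```

Rule 2b deliberately fires on any tunnel-relay connection rather than only on `code.exe`, because the tunnel binary can be renamed or dropped under a different name in the temporary folder; tune the rule by allowlisting the hosts or users that legitimately use VS Code remote tunnels instead of the process name.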
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
| --- | --- | --- | --- |
| Reconnaissance | T1598.001 | Phishing for Information | Spearphishing Service |
| Initial Access | T1566.001 | Phishing | Spearphishing Attachment |
| Execution | T1204.002 | User Execution | Malicious File |
| Execution | T1059.005 | Command and Scripting Interpreter | Visual Basic |
| Defense Evasion | T1027 | Obfuscated Files or Information | — |
| Defense Evasion | T1564 | Hide Artifacts | — |
| Command and Control | T1105 | Ingress Tool Transfer | — |
| Command and Control | T1219 | Remote Access Software | — |
| Command and Control | T1102.003 | Web Service | One-Way Communication |
| Command and Control | T1573 | Encrypted Channel | — |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | — |
REFERENCES:
The following reports contain further technical details:
https://cybersecuritynews.com/new-malware-uses-obfuscation-and-staged-payload/
https://www.joesandbox.com/joereverser/analysis/download/ff6db592-b57e-4d21-9d46-e69c2719d8a5?type=html