Suspected Nation-State Adversary Targets Pakistan Navy in Cyber Espionage Campaign
Tags
cmtmf-attack-pattern: Application Layer Protocol; Command And Scripting Interpreter; Develop Capabilities; Masquerading; Obfuscated Files Or Information; Scheduled Task/Job; Stage Capabilities
country: Bangladesh; China; Pakistan
maec-delivery-vectors: Watering Hole
attack-pattern: Data; Application Layer Protocol - T1437; Command And Scripting Interpreter - T1623; Component Object Model - T1559.001; Credentials - T1589.001; Develop Capabilities - T1587; Dynamic Api Resolution - T1027.007; Email Addresses - T1589.002; Encrypted/Encoded File - T1027.013; Exfiltration Over C2 Channel - T1646; File And Directory Discovery - T1420; Gather Victim Host Information - T1592; Gui Input Capture - T1056.002; Gui Input Capture - T1417.002; Impersonation - T1656; Input Capture - T1417; Inter-Process Communication - T1559; Ip Addresses - T1590.005; Javascript - T1059.007; Local Data Staging - T1074.001; Malicious File - T1204.002; Malicious Link - T1204.001; Malware - T1587.001; Malware - T1588.001; Masquerade File Type - T1036.008; Masquerade Task Or Service - T1036.004; Masquerading - T1655; Obfuscated Files Or Information - T1406; Native Api - T1575; Phishing - T1660; Phishing - T1566; Scheduled Task - T1053.005; Scheduled Task/Job - T1603; Server - T1583.004; Server - T1584.004; Software - T1592.002; Spearphishing Link - T1566.002; Spearphishing Link - T1598.003; Stage Capabilities - T1608; Windows Command Shell - T1059.003; Web Protocols - T1071.001; Web Protocols - T1437.001; Vulnerabilities - T1588.006; Upload Malware - T1608.001; Standard Application Layer Protocol - T1071; Automated Collection - T1119; Command-Line Interface - T1059; Connection Proxy - T1090; Data Staged - T1074; Deobfuscate/Decode Files Or Information - T1140; Execution Through Api - T1106; Execution Through Module Load - T1129; Exfiltration Over Command And Control Channel - T1041; File And Directory Discovery - T1083; Input Capture - T1056; Masquerading - T1036; Obfuscated Files Or Information - T1027; Scheduled Task - T1053; Spearphishing Link - T1192; Windows Management Instrumentation - T1047; User Execution - T1204; Masquerading; User Execution
Common Information
Type Value
UUID 2a764b36-3f32-4bc3-b5bb-a292b9da41ff
Fingerprint 940099d926398680
Analysis status DONE
Considered CTI value 2
Text language
Published Nov. 18, 2024, midnight
Added to db Nov. 19, 2024, 3:58 p.m.
Last updated Nov. 20, 2024, 6:31 p.m.
Headline Suspected Nation-State Adversary Targets Pakistan Navy in Cyber Espionage Campaign
Title Suspected Nation-State Adversary Targets Pakistan Navy in Cyber Espionage Campaign
Detected Hints/Tags/Attributes 174/4/129
RSS Feed
Details Id Enabled Feed title Url Added to db
Details 56 Latest Articles - BlackBerry Blogs https://blogs.blackberry.com/en/feed.rss 2024-08-30 22:08
Attributes
Details Type #Events CTI Value
Details Email 1
ilsc-313@paknavy.gov.pk
Details Email 1
pnlo-kamra@paknavy.gov.pk
Details Email 1
adpn37@paknavy.gov.pk
Details Email 1
cicp_gsd@paknavy.gov.pk
Details MITRE ATT&CK Techniques 17
T1592.002
Details MITRE ATT&CK Techniques 97
T1587.001
Details MITRE ATT&CK Techniques 50
T1608.001
Details MITRE ATT&CK Techniques 185
T1566.002
Details MITRE ATT&CK Techniques 95
T1059.007
Details MITRE ATT&CK Techniques 336
T1059.003
Details MITRE ATT&CK Techniques 32
T1559.001
Details MITRE ATT&CK Techniques 240
T1106
Details MITRE ATT&CK Techniques 277
T1053.005
Details MITRE ATT&CK Techniques 107
T1204.001
Details MITRE ATT&CK Techniques 367
T1204.002
Details MITRE ATT&CK Techniques 312
T1047
Details MITRE ATT&CK Techniques 121
T1129
Details MITRE ATT&CK Techniques 506
T1140
Details MITRE ATT&CK Techniques 10
T1656
Details MITRE ATT&CK Techniques 58
T1036.004
Details MITRE ATT&CK Techniques 22
T1036.008
Details MITRE ATT&CK Techniques 29
T1027.007
Details MITRE ATT&CK Techniques 14
T1027.013
Details MITRE ATT&CK Techniques 12
T1056.002
Details MITRE ATT&CK Techniques 588
T1083
Details MITRE ATT&CK Techniques 112
T1119
Details MITRE ATT&CK Techniques 50
T1074.001
Details MITRE ATT&CK Techniques 445
T1071.001
Details MITRE ATT&CK Techniques 425
T1041
Details Pdb 1
c:\users\user\source\repos\mw-pak-dataext-win\x64\release\mw-pak-dataext-win.pdb
Details Pdb 1
c:\users\user\documents\project-m\visual studio\mw-new_telemetry-exe\x64\release\mw-new_telemetry-exe.pdb
Details Pdb 1
c:\users\user\source\repos\mw-black-shell\x64\release\mw-black-shell.pdb
Details Windows Registry Key 1
HKLM\SYSTEM\HardwareConfig
Details Yara rule 1
rule targeted_SyncScheduler_Malware {
	meta:
		description = "Rule detecting Sync-Scheduler malware used for extracting documents"
		author = " The BlackBerry Threat Research and Intelligence Team"
		distribution = "TLP:AMBER+STRICT"
		date = "2024-10-21"
		version = "1.0"
	strings:
		$a1 = "docx" ascii wide
		$a2 = "xlsx" ascii wide
		$a3 = "pptx" ascii wide
		$a4 = "POST"
		$a5 = "C:/Users/All Users" ascii wide
		$a6 = "C:/Users/Default" ascii wide
		$a7 = "C:/Users/Public" ascii wide
		$a8 = "ReadFile"
		$a9 = "CreateMutexA"
		$a10 = "GetConsoleWindow"
		$b1 = "Content-Type: application/x-www-form-urlencoded"
		$b2 = "SELECT * FROM Win32_ComputerSystemProduct"
	condition:
		uint16(0) == 0x5a4d and all of ($a*) and 1 of ($b*)
}