Research reveals that a suspected Pakistani threat actor has been using the robust surveillance malware SEEDOOR, which was likely distributed via spear phishing emails themed around current events, defence issues and images of women
Sample Decoy Documents
FireEye has revealed that a cyber threat operation in which malware was used has been targeting India and Pakistan since at least 2013. The threat group behind the operation is said to have reached its targets by sending spear phishing emails with malware attachments. The lures used in the email were related to regional military and defence issues, often involving India-Pakistan relations and current events.
The press release said that based on the themes used in the emails and decoy documents, it is likely the threat actor intended to target Indian government and military personnel, as well as political dissidents in Pakistan, in order to collect intelligence. FireEye believes the group has a collaborative malware development environment and employs focused targeting.
According to FireEye, the threat actor’s malware has two primary components: a downloader and the SEEDOOR backdoor. SEEDOOR is usually delivered to a target system by the downloader and then opens a backdoor into the victim’s system. SEEDOOR’s built-in functionality includes interacting with the file system, simulating mouse clicks, starting and terminating processes, transferring files, making recordings and screenshots of the desktop, recording sound from a microphone, recording and taking snapshots from webcams, and in some cases collecting Microsoft Outlook emails and attachments.
As per the press release, the threat actor used a variety of lures focused on defence and military topics, as well as issues pertinent to India-Pakistan relations, including regional areas of conflict such as the conflict in Afghanistan. In multiple instances, the threat actor named the malware attachments after the titles of news articles from popular Pakistani news sites, and in several cases quickly adopted the latest news events as lure themes. The actor also used images of women, including several associated with India or Pakistan.
“The line between real world conflict and cyber conflict continues to blur. Wherever you see geopolitical tensions you are likely to find cyber campaigns beneath the surface,” said Bryce Boland, FireEye chief technology officer for Asia Pacific.
FireEye also said that the significant use of Pakistani infrastructure for command and control, the nature of lure themes targeting Pakistani separatists and Indian military entities, and the borrowing of news titles from prominent Pakistani news outlets may indicate a potential Pakistani threat sponsor.