The DoNot Team threat actor has been busy revamping their malware toolkit to do more. These improvements, according to Morphisec researchers Arnold Osipov and Hido Cohen, include a new infection chain that will be able to incorporate previous undocumented components into the modular framework.
The DoNot Team, also known as Viceroy Tiger and APT-C-35, often targets defense, government, diplomatic and military entities in India, Sri Lanka, Pakistan, and Bangladesh and has been active since 2016. The evidence of the attacks was found in October 2021 by Amnesty International, which connected the attack infrastructure to Innefu Labs, an Indian cybersecurity company.
These spear-phishing campaigns often contained malicious Microsoft Office documents used as delivery pathways for malware. They also took advantage of macros and other vulnerabilities in Microsoft Office documents to launch the backdoor.
Morphisec’s latest findings build on reports done by ESET, which explain the intrusions done by the threat actor against military organizations based in South Asia. They did so by using several versions of their yty malware framework, and one of these included Jaca.
This means that RTF documents were used to trick the users into enabling macros. As a result, there was an execution of a piece of shellcode injected into memory. This, in turn, showed a second-stage shellcode to be downloaded from its command-and-control (C2) server.
The second stage allows the retrieval of a DLL file from a remote server that starts the infection. A researcher noted that this stage enables the modules to be downloaded and executed so that they can steal information.
These modules can harvest information in various ways, including keystrokes, files, data stored in web browsers, screenshots, etc. The toolset also includes a reverse shell module that allows the actor remote access to the victim’s machine. Therefore, it shows the threat actors developing their tactics to make them more effective.
- Joker, Facestealer, and Coper Malware Rampant in New Play Store Apps
- What Is Win32 malware.gen?
- What is FileRepMalware And How To Remove it?
- The Android Banking Trojan, SOVA Returns With New Capabilities and Targets
- Active Exploitation of UnRAR Software – CISA Issues Warning for Linux Systems
- Cyber Espionage Operations in South Asia face a crackdown by Meta