DoNot Hacker’s Malware Toolkit Received an Update With Improved Capabilities

The DoNot Team threat actor has been busy revamping its malware toolkit to do more. These improvements, according to Morphisec researchers Arnold Osipov and Hido Cohen, include a new infection chain that incorporates previously undocumented components into the group’s modular framework.

The DoNot Team, also known as Viceroy Tiger and APT-C-35, has been active since 2016 and often targets defense, government, diplomatic and military entities in India, Sri Lanka, Pakistan, and Bangladesh. In October 2021, Amnesty International published evidence of the group’s attacks and connected its attack infrastructure to Innefu Labs, an Indian cybersecurity company.

These spear-phishing campaigns often used malicious Microsoft Office documents as the delivery pathway for the malware, relying on macros and other vulnerabilities in Microsoft Office documents to launch the backdoor.

Morphisec’s latest findings build on earlier ESET reporting that describes the group’s intrusions against military organizations based in South Asia. Those intrusions used several versions of the group’s yty malware framework, one of which is Jaca.

In this chain, RTF documents are used to trick users into enabling macros. Doing so executes a piece of shellcode injected into memory, which in turn downloads a second-stage shellcode from the command-and-control (C2) server.

The second stage retrieves a DLL file from a remote server, and that DLL starts the infection proper. A researcher noted that this stage is what downloads and executes the modules used to steal information.

These modules harvest information in various ways, including keystrokes, files, data stored in web browsers, and screenshots. The toolset also includes a reverse shell module that gives the actor remote access to the victim’s machine. Taken together, this shows the threat actor continuing to develop its tactics to make them more effective.


Abdul Wahab is a Software Engineer by profession and a Tech geek by nature. Having been associated with the tech industry for the last five years, he has covered a wide range of Tech topics and produced well-researched and engaging content. You will mostly find him reviewing tech products and writing blog posts. Binge-watching tech reviews and endlessly reading tech blogs are his favorite hobbies.