DoNot Go! Do not respawn!

ESET researchers take a deep look into latest assaults carried out by Donot Team all through 2020 and 2021, concentrating on authorities and army entities in a number of South Asian nations

Donot Team (also called APT-C-35 and SectorE02) is a menace actor working since at the least 2016 and identified for concentrating on organizations and people in South Asia with Windows and Android malware. A latest report by Amnesty International hyperlinks the group’s malware to an Indian cybersecurity firm that could be promoting the spyware and adware or providing a hackers-for-hire service to governments of the area.

We have been intently following the actions of Donot Team, and have traced a number of campaigns that leverage Windows malware derived from the group’s signature yty malware framework. According to our findings, the group may be very persistent and has constantly focused the identical organizations for at the least the final two years.

In this blogpost, we doc two variants of the malware utilized in latest campaigns – DarkishMusical and Gedit. For every of the variants, we analyze the entire assault chain and supply perception into how the group updates its instruments, techniques, and strategies.

Targets

The campaigns of Donot Team are motivated by espionage, utilizing their signature malware: the “yty” malware framework, whose important function is to gather and exfiltrate knowledge. According to our telemetry, Donot Team focuses on a small variety of targets in South Asia – Bangladesh, Sri Lanka, Pakistan and Nepal – as seen in Figure 1.

Figure 1. Countries focused in latest Donot Team campaigns

These assaults are centered on:

  • Government and army organizations
  • Ministries of Foreign Affairs
  • Embassies

Going so far as concentrating on embassies of those nations in different areas, such because the Middle East, Europe, North America, and Latin America, can also be not exterior Donot Team’s realm.

Try, strive, strive once more

It’s not a rarity for APT operators to aim to regain entry to a compromised community after they’ve been ejected from it. In some instances that is achieved by the deployment of a stealthier backdoor that continues to be quiet till the attackers want it; in different instances they merely restart their operation with new malware or a variant of the malware they used beforehand. The latter is the case with Donot Team operators, solely that they’re remarkably persistent of their makes an attempt.

According to ESET telemetry, Donot Team has been constantly concentrating on the identical entities with waves of spearphishing emails with malicious attachments each two to 4 months. Interestingly, emails we have been in a position to retrieve and analyze did not present indicators of spoofing. Some emails have been despatched from the identical organizations that have been being attacked. It’s attainable that the attackers could have compromised the e-mail accounts of a few of their victims in earlier campaigns, or the e-mail server utilized by these organizations.

With spearphishing emails, the attackers use malicious Microsoft Office paperwork to deploy their malware. We have seen Donot Team utilizing at the least three strategies. One is macros in Word, Excel and PowerPoint paperwork, akin to the instance seen in Figure 2.

Figure 2. Malicious macro in a PowerPoint doc that drops a downloader executable and creates a scheduled job to run it

The second method is RTF information with .doc extensions that exploit reminiscence corruption vulnerability CVE‑2017‑11882 in Equation Editor, proven in Figure 3. These RTF paperwork additionally comprise two embedded DLLs as OLE objects (see Figure 4) which might be used to put in and obtain additional parts (each DLLs are described within the Gedit part). This permits the attackers to execute shellcode and requires no consumer interplay. The shellcode deploys the principle parts of the malware.

Figure 3. CLSID of the COM object utilized by the RTF doc to load the Equation Editor; the following OLE object comprises the CVE‑2017‑1182 exploit

Figure 4. The OLE object headers of the DLLs additionally embedded within the RTF doc

The third method is distant RTF template injection, which permits the attackers to have a payload downloaded from a distant server when the RTF doc is opened. This is achieved by inserting a URL within the optionally available *template management phrase of the RTF file format, as a substitute of the placement of a neighborhood file useful resource. The payload that Donot Team makes use of is one other doc that exploits CVE-2017-11882 and is loaded mechanically as soon as it’s downloaded. This is proven in Figure 5.

Figure 5. When Word opens an RTF file with a distant template, it mechanically makes an attempt to obtain the useful resource

The yty malware framework

Discovered by NetScout in 2018, the yty malware framework is a much less refined and poorly developed successor to an older framework known as EHDevel. The yty framework consists of a series of downloaders that finally obtain a backdoor with minimal performance, used to obtain and execute additional parts of Donot Team’s toolset.

These embody file collectors based mostly on file extension and yr of creation, display screen capturers, keyloggers, reverse shells, and extra. As seen in Figure 6, parts for exfiltration collect the collected intelligence from staging folders and add each file to a delegated server used just for this function.

Figure 6. Component that resolves the folder identify for staging JPEG screenshots (left) and exfiltration element that finds all information within the staging folder (proper)

Staging folder names and areas are modified with nearly each new marketing campaign, in addition to a few of the parts’ filenames. However, there are instances during which the names of parts have remained unchanged, for instance: gedit.exe, wuaupdt.exe, lmpss.exe, disc.exe, amongst others. As seen in Figure 7, evidently for each new marketing campaign, to be able to set new paths and filenames, these values should be modified within the supply code after which recompiled, as none of those parts use a configuration block or file.

Figure 7. Encrypted strings containing areas and filenames which might be often modified (high) and unencrypted values utilized in setting up the C&C URL (backside)

The malware makes use of scheduled duties for persistence, and alternates between DLL and EXE information between campaigns. In the case of DLLs, scheduled duties execute rundll32.exe to load them and execute one of many exported features.

The builders of the yty framework primarily depend on the C++ programming language. Likely in an try to evade detection, they’ve additionally ported their parts to different languages akin to VBScript, Python (packaged with PyInstaller), Visual C#, and AutoIt, amongst others. However, since 2019 we’ve got solely seen them leveraging parts programmed in C++ (Figure 8) and Go (Figure 9).

Figure 8. Decompiled code of the element that captures screenshots, initially written in C++

Figure 9. Decompiled code of the element that captures screenshots, for the model written in Go

The malware typically makes use of two or three servers throughout its deployment. It may use one server throughout its chain of downloaders and a unique server that the backdoor contacts to be able to obtain its instructions and obtain additional parts, or use the identical server for each functions. A distinct server is all the time used for the add of collected info. In some assaults Donot Team has reused C&C domains from earlier assaults – each for downloads and exfiltration. As seen in Figure 10, Figure 11 and Figure 12, these parts – later described as a variant we monitor as DarkishMusical – utilized in the identical assault, employed three totally different C&C domains.

Figure 10. The first downloader decrypts the URL of the server from which it downloads the following stage of the chain

Figure 11. In later levels, the backdoor makes use of a unique server for C&C communications

Figure 12. The exfiltration parts use but a 3rd server to add the collected information

Timeline of assaults

Here we describe the malware variants utilized in latest Donot Team campaigns, with a give attention to their Windows malware, ranging from September 2020 till October 2021. For readability, we’ve got separated them into two variants of the yty malware framework: Gedit and DarkishMusical, with one particular marketing campaign utilizing Gedit that we named Henos.

In Figure 13, we current a timeline, in accordance with our telemetry, of the assaults. Also on our timeline we’ve got included assaults from one other variant, referred to as the “Jaca framework”. However, we’ll not describe it right here because it has been described extensively on this report by CN-SEC.

Figure 13. Timeline of Donot Team assaults from September 2020 to October 2021 in accordance with ESET telemetry

DarkishMusical

According to ESET telemetry, the primary wave of assaults the place this variant was used occurred in June 2021, concentrating on army organizations in Bangladesh. We have been solely in a position to get better its chain of downloaders and its important backdoor. Given the small variety of victims, we consider this might need been a extremely focused assault.

In September, a second wave of assaults that focused army organizations in Nepal used new C&C servers and file and staging folder names. We have been in a position to get better plenty of parts downloaded by the backdoor, so we’ve got determined to explain these assaults as a substitute.

Spearphishing emails have been despatched with PowerPoint paperwork containing a macro that deploys the primary element of a series of downloaders and persists utilizing a scheduled job. When potential victims open these paperwork, they are going to be introduced with a faux error message, as seen in Figure 14, and the paperwork will stay devoid of any seen content material.

Figure 14. Screenshot of a clean, malicious PowerPoint doc

As seen in Figure 15, the chain of downloaders goals to obtain a remaining element that works as a backdoor with minimal performance: it downloads standalone parts, executes them utilizing the ShellExecute Windows API, get and saves new C&C URLs.

The backdoor downloads the parts that deal with the gathering and exfiltration of data to a devoted server. These parts do not talk with the backdoor or the C&C to report on their actions – relatively, they use a delegated folder for the staging of the information, and a separate exfiltration element will acquire the whole lot and add it.

Figure 15. Observed chain of compromise for DarkishMusical

We determined to name this marketing campaign DarkishMusical due to the names the attackers selected for his or her information and folders: many are western celebrities or characters within the film High School Musical. Table 1 briefly describes the aim of every of the parts within the chain of compromise.

Table 1. Components within the DarkishMusical marketing campaign chain of compromise

Filename Description
rihana.exe This executable is dropped by the malicious doc to %public%Musicrihana.exe and persistence established by way of a scheduled job known as musudt.
 
Downloads file to %public%Musicacrobat.dll and drops a BAT file to %public%Musicsidilieicaliei.bat.
 
The BAT file calls schtasks.exe to create the hmomci scheduled job to execute rundll32.exe %public%Musicacrobat.dll, nikioioeioolla.
acrobat.dll Downloads file and saves it as %public%Musicswift
 
Additionally, can concern a systeminfo.exe command whose output is redirected to %public%Musicjustin. The contents of the file are despatched to its C&C server.
 
Drops and executes the file %public%Musicjanifer.bat that performs a number of duties:
 • Creates the folders Troy, Gabriella, and Taylor in %public%Music with archive, hidden, and system attributes.
 • Creates two scheduled duties:
  - sccmos to execute %public%MusicTroyforbidden.exe
  - msoudatee that executes %public%MusicGabriellakeep in mind.exe
 • Moves the swift file into the Gabriella folder and renames it to keep in mind.exe
 • Attempts to delete acrobat.dll and rihana.exe
 • Deletes the scheduled duties named hmomci and musudt
 • Deletes itself
keep in mind.exe Downloads file to %public%MusicTroyforbidden.exe
forbidden.exe Uses the URL saved in %public%MusicTaylorflag file; if there isn’t a URL, it makes use of its default URL.
 
Accepts three instructions:
 • Set URL within the flag file
 • Execute file with ShellExecute Windows API
 • Download file to %public%MusicTaylor

In Table 2 we describe the aim of every element of the attacker’s toolset.

Table 2. Description of parts within the attacker’s toolset for DarkishMusical

Filename Description
serviceup.exe Reverse shells
sdudate.exe
srcot.exe Takes screenshots, saves them to %public%MusicSymphony
Three variants of nDExiD.exe Collects information created in 2021 and after, and copies them to the staging folder %public%MusicSymphony

Collects information by extension: doc, docx, eml, inp, jpeg, jpg, msg, odt, pdf, pps, ppsx, ppt, pptx, rtf, txt, xls, xlsx

Same as above, however information should have been created in 2020 or after.
File collector that screens insertion of USB drives and adjustments throughout the file system. Collects the identical paperwork by extension as above, but additionally contains information with extensions: docm, mbox, pst
upsvcsu.exe Exfiltrates collected information.

Enumerates all information in %public%MusicSymphony and uploads those who match the extensions: doc, docx, eml, inp, jpeg, jpg, msg, odt, pdf, pps, ppsx, ppt, pptx, rtf, txt, xls, xlsx

Gedit

We detected the primary assaults of the marketing campaign utilizing Gedit in September 2020, in opposition to organizations in Pakistan that had already been focused with spearphishing and malicious RTF paperwork that put in the Jaca framework. Since then, Donot Team moved on to give attention to targets in Bangladesh, Nepal and Sri Lanka. The malware is clearly derived from the yty malware framework, however it’s distinct sufficient to be separated from DarkishMusical.

We have been in a position to retrieve a spearphishing e mail similar to a Gedit marketing campaign that occurred in February of 2021, which is proven in Figure 16. The first attachment contained a listing of personnel from a army entity in Bangladesh (and no malicious content material). The second attachment confirmed nothing however a clean web page, whereas executing malicious code.

Figure 16. Screenshot of a spearphishing e mail despatched by the attackers

We can see that the scale of the second file is larger than 2 MB. It is an RTF file that exploits CVE-2017-11882 to drop two DLL information contained within the doc and execute considered one of them. Other parts are downloaded to the compromised laptop in varied levels. An overview of this assault chain and its malware parts is proven in Figure 17.

Figure 17. Chain of compromise in Gedit campaigns

The parts have been coded in Go, and C++ (with MinGW and Visual Studio compilers). We have chosen to explain the parts utilized in that marketing campaign in February 2021, that are proven in Table 3.

Table 3. Description of parts for Gedit variant

Filename Description
vbtr.dll Moves the file %TEMPpercentbcs01276.tmp to %USERPROFILE%Documentsmsdn022.dll

Creates a scheduled job MobUpdate to execute rundll32.exe %USERPROFILE%Documentsmsdn022.dll,iorpiyhduj

msdn022.dll Downloads a file to %APPDATApercentmscx01102 (later renamed to Winhlp.exe).

Writes and executes %APPDATApercentcheck.bat, which:
 • Writes to %USERPROFILE%Policyen-usFileswizard
 • Creates the scheduled job TaskReplace to execute %USERPROFILEpercentinfboostOOOnprint.exe
 • Creates the scheduled job MachineCore to execute %USERPROFILEpercentCursorSizeDatesWinhlp.exe

Winhlp.exe Downloads a file to %USERPROFILEpercentinfboostOOOnprint.exe (if it doesn’t exist or its dimension is lower than 50 kB).
nprint.exe Sends a request to a server and relying on the reply, three actions will be carried out:
 • If qwertyuiop is within the reply headers, then a file is downloaded to %USERPROFILE%Policyen-usActive, the place can also be learn from the headers
 • If asdfghjklzx is within the reply headers, then it tries to execute %USERPROFILE%Policyen-usActivewuaupdt.exe
 • If zxcvbnmlkjhgfd is within the reply headers, then it tries to execute %USERPROFILE%Policyen-usActivetest.bat
 
If a file %USERPROFILE%Policyen-usFileswizard exists, then the URL of the server is retrieved from there and used as a substitute of the one included within the executable.
wuaupdt.exe Reverse shell.
lmpss.exe Takes screenshots and saves them, in an infinite loop, to %USERPROFILEpercentRemoteDeskApps
innod.exe File collector. Iterates recursively by drives, logging attention-grabbing information to %USERPROFILE%Policyen-usFilesnohiucf. Files are copied to %USERPROFILEpercentRemoteDeskApps

Seeks information with the extensions: doc, docx, xls, xlsx, ppt, pps, pptx, ppsx, pdf, inp, msg, jpg, jpeg, png, txt

Excludes the next information/folders: ., .., nohiucf, Windows, Recent Places, Temfile, Program Files, Program Files (x86), ProgramData, Microsoft, Package Cache

This element runs in an infinite loop, iterating drives from C: to H:

gedit.exe Sends collected information to a server. All information which might be in %USERPROFILEpercentRemoteDeskApps are despatched one after the other, unencrypted. There is not any examine for extension, aside from excluding . and ..

The sufferer identifier that was written to %USERPROFILE%Policyen-usFileswizard is appended to the URL. If the file doesn’t exist, then the default string HeloBSiamabcferss is used as a substitute. User-agent is: If persons are doubting how far you’ll be able to go, go to this point you can not hear them anymore. Michele Ruiz.

It creates a system occasion aaaaaaaaa to be sure that just one occasion of the element is working at a time.

Henos marketing campaign

Finally, it’s price mentioning a wave of assaults that occurred between February and March 2021, concentrating on army organizations in Bangladesh and Sri Lanka. These assaults used the Gedit variant of the malware, however with some minor modifications. Therefore, we determined to call this marketing campaign Henos in our timeline, after its backdoor DLL – henos.dll.

Samples belonging to parts of this wave of assaults have been additionally reported on-line in February, which most likely explains why the group didn’t use the parts once more (see this tweet by Shadow Chaser Group researchers, for instance).

Although we didn’t discover the corresponding spearphishing emails or malicious paperwork, the assault chain is presumably the identical as we described above, with some minor variations in how the parts are executed. An overview of that is proven in Figure 18.

Figure 18. Chain of compromise of the Henos marketing campaign

While a few of the parts of this marketing campaign are named javatemp.exe and pytemp.exe, these filenames have been most likely solely chosen in an try to mimic official software program akin to Java or Python. While pytemp.exe and plaapas.exe have been coded within the Go language, javatemp.exe was coded in C++ (compiled with MinGW).

One remaining observe is that the element that performs exfiltration of information, pytemp.exe, performs a examine to see if gedit.exe is working. If two or extra situations are discovered, it exits. We consider this can be a mistake by the programmers, because it ought to examine for pytemp.exe as a substitute. However, this straightforward mistake helps us tie the Henos marketing campaign to the Gedit variant of the malware (added to code similarity).

Conclusion

Donot Team makes up for its low sophistication with tenacity. We count on that it’ll proceed to push on no matter its many setbacks. Only time will inform if the group evolves its present TTPs and malware.

For any inquiries, or to make pattern submissions associated to the topic, contact us at [email protected]

Indicators of Compromise (IoCs)

A complete listing of Indicators of Compromise (IoCs) and samples will be present in our GitHub repository.

Gedit – October 2021

Samples

SHA-1 Filename ESET detection identify
78E82F632856F293BDA86D77D02DF97EDBCDE918 cdc.dll Win32/TrojanDownloader.Donot.C
D9F439E7D9EE9450CD504D5791FC73DA7C3F7E2E wbiosr.exe Win32/TrojanDownloader.Donot.D
CF7A56FD0613F63418B9DF3E2D7852FBB687BE3F vdsc.exe Win32/TrojanDownloader.Donot.E
B2263A6688E512D90629A3A621B2EE003B1B959E wuaupdt.exe Win32/ReverseShell.J
13B785493145C85B005E96D5029C20ACCFFE50F2 gedit.exe Win32/Spy.Donot.A
E2A11F28F9511753698BA5CDBAA70E8141C9DFC3 wscs.exe Win32/Spy.Donot.B
F67ABC483EE2114D96A90FA0A39496C42EF050B5 gedit.exe Win32/Spy.Donot.B

Network

Download servers

  • https://request.soundedge[.]dwell/entry/nasrzolofuju
  • https://request.soundedge[.]dwell/entry/birkalirajliruajirjiairuai
  • https://share.printerjobs[.]xyz/id45sdjscj/

Exfiltration server

  • https://submin.seasonsbackup[.]xyz/backup/

Reverse shell server

Gedit – July 2021

Samples

SHA-1 Filename ESET detection identify
A71E70BA6F3CD083D20EDBC83C72AA823F31D7BF hxedit.exe Win32/TrojanDownloader.Donot.N
E101FB116F05B7B69BD2CAAFD744149E540EC6E9 lmpss.exe Win64/HackTool.Ligolo.A
89D242E75172C79E2F6FC9B10B83377D940AE649 gedit.exe WinGo/Spy.Donot.A
B42FEFE2AB961055EA10D445D9BB0906144647CE gedit.exe WinGo/Spy.Donot.A
B0704492382186D40069264C0488B65BA8222F1E disc.exe Win32/Spy.Donot.L
1A6FBD2735D3E27ECF7B5DD5FB6A21B153FACFDB disc.exe Win32/Spy.Donot.A
CEC2A3B121A669435847ADACD214BD0BE833E3AD disc.exe Win32/Spy.Donot.M
CBC4EC0D89FA7A2AD1B1708C5A36D1E304429203 disc.exe Win32/Spy.Donot.A
9371F76527CA924163557C00329BF01F8AD9E8B7 gedit.exe Win32/Spy.Donot.J
B427744B2781BC344B96907BF7D68719E65E9DCB wuaupdt.exe Win32/TrojanDownloader.Donot.W

Network

Download server

  • request.submitonline[.]membership/orderme/

Exfiltration servers

  • oceansurvey[.]membership/add/
  • request.soundedge[.]dwell//uload

Reverse shell servers

  • 80.255.3[.]67
  • 37.48.122[.]145

Gedit – February/March 2021

Samples

SHA-1 Filename ESET detection identify
A15D011BED98BCE65DB597FFD2D5FDE49D46CFA2 BN_Webmail_List 2020.doc Win32/Exploit.Agent.UN
6AE606659F8E0E19B69F0CB61EB9A94E66693F35 vbtr.dll Win32/Spy.Donot.G
0290ABF0530A2FD2DFB0DE29248BA3CABB58D2AD bcs01276.tmp (msdn022.dll) Win32/TrojanDownloader.Donot.P
66BA21B18B127DAA47CB16AB1F2E9FB7DE3F73E0 Winhlp.exe Win32/TrojanDownloader.Donot.J
79A5B10C5214B1A3D7CA62A58574346C03D54C58 nprint.exe Win32/TrojanDownloader.Donot.Okay
B427744B2781BC344B96907BF7D68719E65E9DCB wuaupdt.exe Win32/TrojanDownloader.Donot.W
E423A87B9F2A6DB29B3BA03AE7C4C21E5489E069 lmpss.exe WinGo/Spy.Donot.B
F43845843D6E9FB4790BF70F1760843F08D43790 innod.exe Win32/Spy.Donot.G
4FA31531108CC68FF1865E2EB5654F7B3DA8D820 gedit.exe Win32/Spy.Donot.G

Network

Download servers

  • agency.tplinkupdates[.]area/8ujdfuyer8d8f7d98jreerje
  • agency.tplinkupdates[.]area/yu37hfgde64jskeruqbrgx
  • area.lovingallupdates[.]life/orderme

Exfiltration server

  • oceansurvey.membership/add/

Reverse shell server

Gedit – September 2020

Samples

SHA-1 Filename ESET detection identify
49E58C6DE5245796AEF992D16A0962541F1DAE0C lmpss.exe Win32/Spy.Donot.H
6F38532CCFB33F921A45E67D84D2796461B5A7D4 prodot.exe Win32/TrojanDownloader.Donot.Okay
FCFEE44DA272E6EB3FC2C071947DF1180F1A8AE1 prodot.exe Win32/TrojanDownloader.Donot.S
7DDF48AB1CF99990CB61EEAEB3ED06ED8E70A81B gedit.exe Win32/TrojanDownloader.Donot.AA
DBC8FA70DFED7632EA21B9AACA07CC793712BFF3 disc.exe Win32/Spy.Donot.I
CEF05A2DAB41287A495B9413D33F14D94A568C83 wuaupdt.exe Win32/Spy.Donot.A
E7375B4F37ECEA77FDA2CEA1498CFB30A76BACC7 prodot.exe Win32/TrojanDownloader.Donot.AA
771B4BEA921F509FC37016F5FA22890CA3338A65 apic.dll Win32/TrojanDownloader.Donot.A
F74E6C2C0E26997FDB4DD89AA3D8BD5B270637CC njhy65tg.dll Win32/TrojanDownloader.Donot.O

Network

Download servers

  • soundvista[.]membership/sessionrequest
  • soundvista[.]membership/orderme/
  • soundvista[.]membership/winuser

Exfiltration server

  • request.resolverequest[.]dwell/add/

Reverse shell server

DarkishMusical – September 2021

Samples

SHA-1 Filename ESET detection identify
1917316C854AF9DA9EBDBD4ED4CBADF4FDCFA4CE rihana.exe Win32/TrojanDownloader.Donot.G
6643ACD5B07444D1B2C049BDE61DD66BEB0BD247 acrobat.dll Win32/TrojanDownloader.Donot.F
9185DEFC6F024285092B563EFA69EA410BD6F85B keep in mind.exe Win32/TrojanDownloader.Donot.H
954CFEC261FEF2225ACEA6D47949D87EFF9BAB14 forbidden.exe Win32/TrojanDownloader.Donot.I
7E9A4A13A76CCDEC880618BFF80C397790F3CFF3 serviceup.exe Win32/ReverseShell.J
BF183A1EC4D88034D2AC825278FB084B4CB21EAD srcot.exe Win32/Spy.Donot.F
1FAA4A52AA84EDB6082DEA66F89C05E0F8374C4C upsvcsu.exe WinGo/Spy.Donot.A
2F2EA73B5EAF9F47DCFB7BF454A27A3FBF253A1E sdudate.exe Win32/ReverseShell.J
39F92CBEC05785BF9FF28B7F33906C702F142B90 ndexid.exe Win32/Spy.Donot.C
1352A8394CCCE7491072AAAC9D19ED584E607757 ndexid.exe Win32/Spy.Donot.E
623767BC142814AB28F8EC6590DC031E7965B9CD ndexid.exe Win32/Spy.Donot.A

Network

Download servers

  • digitalresolve[.]dwell/~~/ekcvilsrkjiasfjkikiakik
  • digitalresolve[.]dwell/~~/ziuriucjiekuiemoaeukjudjkgfkkj
  • digitalresolve[.]dwell/~~/Sqieilcioelikalik
  • printersolutions[.]dwell/~~/orderme

Exfiltration server

  • packetbite[.]dwell/~~/uload

Reverse shell servers

  • 37.120.198[.]208
  • 51.38.85[.]227

DarkishMusical – June 2021

Samples

SHA-1 Filename ESET detection identify
BB0C857908AFC878CAEEC3A0DA2CBB0A4FD4EF04

6194E0ECA5D494980DF5B9AB5CEA8379665ED46A

ertficial.dll Win32/TrojanDownloader.Donot.X
ACB4DF8708D21A6E269D5E7EE5AFB5168D7E4C70 msofficedll.dll Win32/TrojanDownloader.Donot.L
B38F3515E9B5C8F4FB78AD17C42012E379B9E99A sccmo.exe Win32/TrojanDownloader.Donot.M
60B2ADE3B339DE4ECA9EC3AC1A04BDEFC127B358 pscmo.exe Win32/TrojanDownloader.Donot.I

Network

Download servers

  • biteupdates[.]dwell/~~/orderme
  • biteupdates[.]dwell/~~/KdkdUe7KmmGFD
  • biteupdates[.]dwell/~~/acdfsgbvdghd
  • dataupdates[.]dwell/~~/DKixeXs44skdqqD
  • dataupdates[.]dwell/~~/BcX21DKixeXs44skdqqD

Henos – February/March 2021

Samples

SHA-1 Filename ESET detection identify
468A04B358B780C9CC3174E107A8D898DDE4B6DE Procurement Letter Feb 21.doc Win32/Exploit.CVE-2017-11882.CP
9DD042FC83119A02AAB881EDB62C5EA3947BE63E ctlm.dll Win32/Spy.Donot.N
25825268868366A31FA73095B0C5D0B696CD45A2 stpnaqs.pmt (jptvbh.exe) Win32/TrojanDownloader.Donot.Z
540E7338725CBAA2F33966D5C1AE2C34552D4988 henos.dll Win32/Spy.Donot.G
526E5C25140F7A70BA9F643ADA55AE24939D10AE plaapas.exe WinGo/Spy.Donot.B
89ED760D544CEFC6082A3649E8079EC87425FE66 javatemp.exe Win32/Spy.Donot.G
9CA5512906D43EB9E5D6319E3C3617182BBF5907 pytemp.exe WinGo/Spy.Donot.A

Network

Download servers

  • data.printerupdates[.]on-line//Xddv21SDsxDl
  • data.printerupdates[.]on-line/~/XddvInXdl
  • data.printerupdates[.]on-line/~/ZuDDey1eDXUl
  • data.printerupdates[.]on-line/~/Vyuib45xzlqn

Exfiltration server

  • https://handle.biteupdates[.]web site//uload

MITRE ATT&CK strategies

This desk was constructed utilizing version 10 of the ATT&CK framework.

Tactic ID Name Description
Resource Development T1588.005 Obtain Capabilities: Exploits Donot Team has used CVE‑2017-11882 exploits to run its first-stage malware.
Initial Access T1566.001 Phishing: Spearphishing Attachment Donot Team has despatched spearphishing emails to its victims with malicious Word or PowerPoint attachments.
Execution T1204.002 User Execution: Malicious File Donot Team has lured its victims into opening malicious e mail attachments.
T1059.005 Command and Scripting Interpreter: Visual Basic Donot Team has used macros contained in Power Point paperwork.
T1059.003 Command and Scripting Interpreter: Windows Command Shell Donot Team has used reverse shells on the system to execute instructions.
T1203 Exploitation for Client Execution Donot Team has used CVE-2017-11882 exploits to execute code on the sufferer’s machine.
Persistence T1053.005 Scheduled Task/Job: Scheduled Task Donot Team has created scheduled duties for persistence of its malicious parts.
Defense Evasion T1036.005 Masquerading: Match Legitimate Name or Location Donot Team has used filenames akin to pytemp or javatemp to approximate the identify of official software program.
Discovery T1057 Process Discovery Donot Team has applied checks for older variations of the malware working on the sufferer’s system.
Lateral Movement T1534 Internal Spearphishing Donot Team has despatched spearphishing emails to their victims that got here from throughout the similar focused group.
Collection T1005 Data from Local System Donot Team has used malicious modules that traverse the sufferer’s filesystem in search of information with varied extensions.
T1025 Data from Removable Media Donot Team has used a malicious module to repeat information from detachable drives.
T1074.001 Data Staged: Local Data Staging Donot Team has staged information for exfiltration in a single location, a folder within the sufferer’s laptop.
T1113 Screen Capture Donot Team has used malicious modules to take screenshots from victims.
Command and Control T1071.001 Application Layer Protocol: Web Protocols Donot Team has used HTTP/S for C&C communications and knowledge exfiltration.
Exfiltration T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/‌Obfuscated Non-C2 Protocol Donot Team has used devoted servers for exfiltration, sending the information over HTTP or HTTPS, unencrypted.



https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/

Related Posts