The Donot Team group updates its Windows malware framework - Security Affairs


Threat actor Donot Team, aka APT-C-35, has added new features to its Jaca Windows malware framework.

The Donot Team has been active since 2016, focusing on government and military organizations, foreign ministries and embassies in India, Pakistan, Sri Lanka, Bangladesh and other South Asian countries.

In October 2021, a report published by Amnesty International revealed that the group Donot Team used Android applications posing as a secure chat application and malicious emails in attacks targeting a prominent Togolese human rights defender. In the past, Donot Team spyware has been discovered in attacks outside of South Asia. The investigation also uncovered links between the spyware and infrastructure used in these attacks, and Innefu Labs, an India-based cybersecurity company.

The attack chain begins with spear-phishing emails carrying malicious attachments. The next-stage malware is loaded once the victim enables Microsoft Office macros, opens an RTF file that exploits Equation Editor vulnerabilities, or through remote template injection.

“Morphisec Labs has identified a new DoNot infection chain that introduces new modules into the Windows framework. In this article, we detail the shellcode loader mechanism and its subsequent modules, identify new features in the browser stealer component, and analyze a new DLL variant of the reverse shell,” reads the report published by Morphisec. “DoNot’s latest spear phishing email campaign used RTF documents and targeted government departments, including Pakistan’s defense sector.”


The group has now improved its Jaca Windows malware framework; for example, it has reworked the browser stealer module. Unlike the previous version, the new module does not implement the stealing functionality inside the DLL itself. Instead, it relies on four additional executables downloaded by the previous stage (WavemsMp.dll), each of which steals information from Google Chrome and/or Mozilla Firefox.

In recent attacks, the group sent messages with RTF documents that trick users into enabling macros. Once macros are enabled, a piece of shellcode is injected into memory; it then downloads and executes second-stage shellcode from the C2 server.

The second-stage shellcode retrieves the main DLL file (“pgixedfxglmjirdc.dll”) from a remote server. This DLL is responsible for reporting to the C2 server that the infection was successful: it sends the system information of the infected machine to the server, then downloads the next-stage DLL, the module downloader “WavemsMp.dll”.

“The main purpose of this step is to download and execute the modules used to steal user information. To understand which modules are used in the current infection, the malware communicates with another C2 server,” continues the report. “The malware retrieves the new address from an embedded link that refers to a Google Drive document containing the encrypted address.”

The attackers also implemented a reverse shell module, now recompiled as a DLL. Its functionality remains the same: it opens a socket to the attacker’s machine (located at 162.33.177[.]41), creates a new hidden cmd.exe process and sets the process’s STDIN, STDOUT and STDERR to the socket.
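Two of the behaviours described above are easy to express as endpoint detections: an Office application spawning a child process after macros are enabled, and cmd.exe owning an outbound network connection (an interactive shell bound to a socket). The following is an added example written for this article, not code from Morphisec or from the malware; it assumes Sysmon-style process-creation (event 1) and network-connection (event 3) records, and the sample events it runs over are constructed.

```python
"""Detection logic for two behaviours from the DoNot infection chain:
1. an Office process spawning a child process (macro-enabled document), and
2. cmd.exe / powershell.exe with an outbound socket (reverse-shell behaviour).
Assumption: event records loosely follow Sysmon EventID 1 (process creation)
and EventID 3 (network connection). All sample events below are constructed."""
from dataclasses import dataclass

# Office hosts that should rarely spawn children after opening a document.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Shell images that normally have no business opening outbound sockets.
SHELL_IMAGES = {"cmd.exe", "powershell.exe"}


@dataclass
class Event:
    event_id: int          # 1 = process creation, 3 = network connection
    pid: int
    image: str             # executable name, case-insensitive on Windows
    parent_image: str = "" # only meaningful for event_id == 1
    dest_ip: str = ""      # only meaningful for event_id == 3
    dest_port: int = 0


def office_spawn_alerts(events):
    """Flag process-creation events whose parent is an Office application."""
    alerts = []
    for e in events:
        if e.event_id == 1 and e.parent_image.lower() in OFFICE_PARENTS:
            alerts.append((e.pid, f"{e.parent_image} spawned {e.image}"))
    return alerts


def shell_network_alerts(events):
    """Flag network connections made by a shell process.

    The image name is taken from the matching process-creation event when
    one exists, falling back to the image recorded on the network event."""
    images = {e.pid: e.image.lower() for e in events if e.event_id == 1}
    alerts = []
    for e in events:
        if e.event_id != 3:
            continue
        image = images.get(e.pid, e.image.lower())
        if image in SHELL_IMAGES:
            alerts.append((e.pid, f"{image} -> {e.dest_ip}:{e.dest_port}"))
    return alerts


def run_detections(events):
    """Run both detections and return the total number of alerts."""
    return len(office_spawn_alerts(events)) + len(shell_network_alerts(events))


# Constructed sample telemetry (TEST-NET addresses, placeholder pids).
SAMPLE_EVENTS = [
    Event(1, 1001, "WINWORD.EXE", "explorer.exe"),
    Event(1, 1002, "cmd.exe", "WINWORD.EXE"),            # macro -> shell
    Event(3, 1002, "cmd.exe", dest_ip="203.0.113.10", dest_port=4444),
    Event(1, 1003, "chrome.exe", "explorer.exe"),         # benign browser
    Event(3, 1003, "chrome.exe", dest_ip="203.0.113.20", dest_port=443),
    Event(1, 1004, "cmd.exe", "explorer.exe"),            # benign admin shell
]

if __name__ == "__main__":
    for alert in office_spawn_alerts(SAMPLE_EVENTS) + shell_network_alerts(SAMPLE_EVENTS):
        print("ALERT pid=%d %s" % alert)
```

On the sample data only pid 1002 trips both rules: the benign browser connection and the interactive cmd.exe without a socket stay silent. In production the second rule is the stronger signal, since an Office child process has several legitimate causes, while a shell holding a socket rarely does.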

“Defending against APTs like the DoNot team requires a defense-in-depth strategy that uses multiple layers of security to provide redundancy if data layers are breached,” concluded the researchers. “The hardest attacks to defend against are those that, like the Windows framework detailed here, target applications at runtime. Indeed, popular security solutions such as NGAV, EDR, EPP, XDR, etc. focus on detecting disk or operating system anomalies. Their ability to detect or block in-memory attacks at runtime is limited. To the extent that they can, they cause major system performance issues and false alerts because they must be dialed in with their most aggressive alert settings.”


Pierluigi Paganini
