The Donot Team has been active since 2016, it focuses on government and military organizations, ministries of foreign affairs, and embassies in India, Pakistan, Sri Lanka, Bangladesh, and other South Asian countries.
In October 2021, a report released by the Amnesty International revealed that the Donot Team group employed Android applications posing as secure chat application and malicious emails in attacks aimed at a prominent Togolese human rights defender. In the past, the Donot Team spyware was found in attacks outside of South Asia. The investigation also discovered links between the spyware and infrastructure used in these attacks, and Innefu Labs, a cybersecurity company based in India.
The attack chain starts with spear phishing emails containing malicious attachments, the next stage malware is loaded once enabled Microsoft Office macros, opening RTF files exploiting Equation Editor vulnerability, and via remote template injection.
“Morphisec Labs has identified a new DoNot infection chain that introduces new modules to the Windows framework. In this post we detail the shellcode loader mechanism and its following modules, identify new functionality in the browser stealer component, and analyze a new DLL variant of the reverse shell.” reads the report published by Morphisec. “DoNot’s latest spear phishing email campaign used RTF documents and targeted government departments, including Pakistan’s defence sector”
The group has now improved its Jaca Windows malware framework, for example, it has enhanced the browser stealer module. Unlike the previous version of the module, the new one uses four additional executables downloaded by the previous stage (WavemsMp.dll) instead of implementing the stealing functionality inside the DLL. Each additional executable allows to steal information from Google Chrome and/or Mozilla Firefox.
In the latest attacks, the group sent messages using RTF documents that trick users into enabling macros. Once enabled the macros, a piece of shellcode is injected into memory, then it downloads and executes a second-stage shellcode from the C2 server.
The second-stage shellcode fetches the main DLL file (“pgixedfxglmjirdc.dll”) from a differed remote server, its is responsible for beaconing back to the C2 server that the infection was successful. It sents to the server the system information of the infected machine, then downloads the next-stage DLL, the Module Downloader “WavemsMp.dll”.
“The main purpose of this stage is to download and execute the modules used to steal the user’s information. To understand which modules are used in the current infection, the malware communicates with another C2 server.” continues the report. “The malware fetches the new address from an embedded link that refers to a Google Drive document containing the encrypted address:”
The attackers also implemented a reverse shell module that is recompiled as a DLL. Its functionality remains the same, opening a socket to the attacker’s machine (located at 162.33.177[.]41), creating a new hidden cmd.exe process and setting the STDIN, STDOUT and STDERR as the socket.
“Defending against APTs like the DoNot team requires a Defense-in-Depth strategy that uses multiple layers of security to ensure redundancy if any given layers are breached.” the researchers concluded. “The hardest attacks to defend against are those that—like the Windows framework detailed here—target applications at runtime. This is because popular security solutions such as NGAV, EDR, EPP, XDR etc. focus on detecting anomalies on the disc or operating system. Their ability to detect or block attacks in memory at runtime are limited. To the extent they can do so, they cause major system performance issues and false alerts because they must be dialed to their most aggressive alert settings.”
(SecurityAffairs – hacking, Donot Team)