{"id":2122,"date":"2024-09-25T11:42:51","date_gmt":"2024-09-25T11:42:51","guid":{"rendered":"https:\/\/xdr-mdr.lmntrix.com\/main_web\/?p=2122"},"modified":"2025-07-29T03:20:55","modified_gmt":"2025-07-29T03:20:55","slug":"donot-apt-team-has-updated-their-malicious-toolset","status":"publish","type":"post","link":"https:\/\/lmntrix.com\/blog\/donot-apt-team-has-updated-their-malicious-toolset\/","title":{"rendered":"DoNot APT team has updated their malicious toolset"},"content":{"rendered":"\n
\"DoNot<\/figure>\n\n\n\n

DoNot APT Group, also known as APT-C-35, targeting government-related organisations has emerged once again with an updated version of their malware. DoNot APT team mainly spreads malware via spear-phishing emails containing malicious documents and other attachment files. Mostly the malicious programs are developed in C++, Python, .NET, and other languages.<\/p>\n\n\n\n

APT-C-35, also known as the DoNot APT team is a group of advanced persistent threat actors that have been operational since 2016.   They are the primary creators and users of the Windows and Android spyware frameworks. Many of their attacks have been directed against South Asian people and institutions.<\/p>\n\n\n\n

Target:<\/strong> APT attacks against India, Pakistan, Argentina, and the countries in South Asia.<\/p>\n\n\n\n

Cyber security researchers from around the globe have described DoNot Team as “very persistent” – they hammer a target for years with their TTPs, until they find a way in. While the advanced persistent threat (APT) group tends to stay within a particular geographical area – such as South Asia, the DoNot Team has also been traced to attacks against embassies in the Middle East, Latin America, North America, and Europe.<\/p>\n\n\n\n

Infection Chain:<\/strong><\/h3>\n\n\n\n
\"\"<\/figure>\n\n\n\n

This Advanced Persistent Threat arrives as a spear-phishing email attachment. This kind of e-mail contains Microsoft Office files such as MS Word documents (.docx) or Powerpoint (.ppt) or MS Excel (.xls) attachments. This kind of attack requires the victim to enable macros, once the user opens the document, then it drops the payload in their target locations. Once dropped, the zip file will unzip with the help of .bat script and then it will run the .VBS script to run the another .BAT file to execute the .DLL file.<\/p>\n\n\n\n

Sample 1: Distributed via PPT<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Technical Analysis of PPT:<\/strong><\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Once the user enables the macros, the payload files will drop in their targeted location. Here, they used to drop in the C: > User > Public > Downloads.<\/em><\/p>\n\n\n\n

Sample 2: Distributed via XLS<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Technical Analysis of XLS Document:<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

In this instance also, there is not much difference, the attackers just changed the initial vector from PPT to XLS attachment document but the same payload facilitates infection.<\/strong> With respect to all of the aforementioned initial vectors, once the user enables the macro function, the following actions will be performed.<\/p>\n\n\n\n

Dropped Files:<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Here, we can see the ((XXXX))((.))zip file. This file will automatically unzip contents with respect to the .BAT script. When the contents are extracted successfully, there are four different files, that will be dropped in the C: > User > Public > Downloads location.<\/p>\n\n\n\n

Process Tree:<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Analysis of Dropped files:<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

.BAT file:<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

WRT .RunDLL32 > will run the payload file:<\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Code View of the dropped files:<\/strong><\/strong><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

YTY Malware Framework<\/strong><\/h3>\n\n\n\n

The yty malware framework, discovered initially by Net Scout in 2018, is a less complex and poorly built successor to an older framework known as EHDevel. The yty framework is made up of a series of downloaders that together download a backdoor with very limited capability that is used to download and install further elements from the malicious toolset.<\/p>\n\n\n\n

For persistence, the DoNot team’s malware employs scheduled tasks and switches between DLL and EXE files between campaign execution cycles. When it comes to DLLs, scheduled tasks run rundll32.exe to load them and run one of the exported functions.<\/p>\n\n\n\n

The yty framework’s developers primarily use the C++ programming language. They have possibly ported their components in to other languages such as VBScript, Python, Visual C#, and Auto It in an attempt to avoid detection. However,  at LMNTRIX CDC, we have seen them use only components written in C++ and Golang since 2019 to 2022.<\/p>\n\n\n\n

Goals of the DoNot Team (APT-C35) attacks:<\/strong><\/p>\n\n\n\n

Primarily the DoNoT team\u2019s browser stealer, shellcode loader and new DLL that spawns a reverse shell have the following objectives,         <\/p>\n\n\n\n

    \n
  • Theft of Personally Identifiable Information (PII) or other sensitive data.<\/li>\n\n\n\n
  • Theft of intellectual property.<\/li>\n\n\n\n
  • Theft of classified data.<\/li>\n\n\n\n
  • Sabotage, for example database deletion.<\/li>\n\n\n\n
  • Complete site takeover.<\/li>\n\n\n\n
  • Obtaining data on infrastructure for reconnaissance purposes.<\/li>\n\n\n\n
  • Obtaining credentials to critical systems.<\/li>\n\n\n\n
  • Access to sensitive or incriminating communications etc.<\/li>\n<\/ul>\n\n\n\n

    Conclusion<\/strong><\/h2>\n\n\n\n

    As we have mentioned earlier, DoNot APT team makes up for its low sophistication with tenacity. LMNTRIX CDC expects this group will continue to push on with more attacks regardless of its many setbacks. Imagine defending against APTs such as the DoNot team, without an in-depth strategy that uses multiple layers of security for cyber defense, the impact of a persistent attacker has been documented time and again with recent breaches including Uber. There\u2019s an old saying, Persistence is the twin sister of excellence, whether it comes to the attackers, or the cyber defenders protecting their organisation’s data.<\/p>\n\n\n\n

    IOC \u2013 Indicators of Compromise for Detecting DoNoT APT Malware<\/strong><\/h3>\n\n\n\n

    Hashes<\/strong><\/p>\n\n\n\n

    2c84b325b8dc5554f216cb6a0663c8ff5d725b2f26a5e692f7b3997754c98d4d<\/p>\n\n\n\n

    a70038cdf5aea822d3560471151ce8f8bacd259655320dea77d48ccfa5b5af4f<\/p>\n\n\n\n

    d3a05cb5b4ae4454079e1b0a8615c449b01ad65c5c3ecf56b563b10a38ecfdef<\/p>\n\n\n\n

    d71fa80d71b2c68c521ed22ffb21a2cff12839348af6b217d9d2156adb00e550<\/p>\n\n\n\n

    7fc0e9c47c02835ecbbb63e209287be215656d82b868685a61201f8212d083d9<\/p>\n\n\n\n

    6e7b6cc2dd3ae311061fefa151dbb07d8e8a305aed00fa591d5b1cce43b9b0de<\/p>\n\n\n\n

    90cb497cad8537da3c02be7e8d277d29b78b53f78d13c797a9cd1e733724cf78<\/p>\n\n\n\n

    93ca5ec47baeb7884c05956ff52d28afe6ac49e7aba2964e0e6f2514d7942ef8<\/p>\n\n\n\n

    9b2ef052657350f5c67f999947cf8cd6d06a685875c31e70d7178ffb396b5b96<\/p>\n\n\n\n

    80f2f4b6b1f06cf8de794a8d6be7b421ec1d4aeb71d03cccfc4b3dfd1b037993<\/p>\n\n\n\n

    f0c1794711f3090deb2e87d8542f7c683d45dc41e4087c99ce3dca4b28a9e6f6<\/p>\n\n\n\n

    5ebee134afe192cdc7fc5cc9f83b8273b6f282a6a382c709f2a21d26f532b2d3<\/p>\n\n\n\n

    d566680ca3724ce242d009e5a46747c4336c0d3515ad11bede5fd9c95cf6b4ce<\/p>\n\n\n\n

    28c71461ac5cf56d4dd63ed4a6bc185a54f28b2ea677eee5251a5cdad07077b8<\/p>\n\n\n\n

    9761bae130d40280a495793fd639b2cb9d8c28ad7ac3a8f10546eb3d2fc3eefc<\/p>\n\n\n\n

    41c221c4f14a5f93039de577d0a76e918c915862986a8b9870df1c679469895c<\/p>\n\n\n\n

    \u2003
    Domains \/ URLs<\/strong><\/p>\n\n\n\n

    hxxp:\/\/mak.logupdates.xyz\/DWqYVVzQLc0xrqvt\/HG5HlDPqsnr3HBwOKY0vKGRBE7V0sDPdZb09n7xhp0klyT5X.mp3<\/p>\n\n\n\n

    hxxp:\/\/mak.logupdates.xyz\/DWqYVVzQLc0xrqvt\/HG5HlDPqsnr3HBwOKY0vKGRBE7V0sDPdZb09n7xhp0klyT5X.doc<\/p>\n\n\n\n

    worldpro[.]buzz<\/p>\n\n\n\n

    ser.dermlogged[.]xyz<\/p>\n\n\n\n

    doctorstrange[.]buzz<\/p>\n\n\n\n

    clipboardgames[.]xyz<\/p>\n\n\n\n

    beetelson[.]xyz<\/p>\n\n\n\n

    tobaccosafe[.]xyz<\/p>\n\n\n\n

    kotlinn[.]xyz<\/p>\n\n\n\n

    fitnesscheck[.]xyz<\/p>\n\n\n\n

    dayspringdesk[.]xyz<\/p>\n\n\n\n

    srvrfontsdrive[.]xyz<\/p>\n\n\n\n

    globalseasurfer[.]xyz<\/p>\n\n\n\n

    esr.suppservices[.]xyz<\/p>\n\n\n\n

    <\/p>\n","protected":false},"excerpt":{"rendered":"

    DoNot APT Group, also known as APT-C-35, targeting government-related organisations has emerged once again with an updated version of their malware. DoNot APT team mainly spreads malware via spear-phishing emails containing malicious documents and other attachment files. Mostly the malicious programs are developed in C++, Python, .NET, and other languages. APT-C-35, also known as the […]<\/p>\n","protected":false},"author":1,"featured_media":2123,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[],"class_list":["post-2122","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-labs"],"_links":{"self":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2122","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/comments?post=2122"}],"version-history":[{"count":4,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2122\/revisions"}],"predecessor-version":[{"id":4207,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2122\/revisions\/4207"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media\/2123"}],"wp:attachment":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media?parent=2122"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/categories?post=2122"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/tags?post=2122"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}