An Indian threat actor has been nothing but persistent since September 2020 in attacks on military organisations based in South Asia (including Sri Lanka and Nepal) by using different versions of its malware framework.
The highly targeted attacks were attributed by ESET, a Slovakian cybersecurity company, to a hacking team called Donot Team. “Donot Team has been consistently targeting the same entities with waves of spear-phishing emails with malicious attachments every two to four months,” researchers Facundo Munoz and Matias Porolli said.
Operating since at least 2016, Donot Team (also known as APT-C-35 and SectorE02) has been linked to a string of intrusions primarily targeting embassies, governments, and military entities in Bangladesh, Sri Lanka, Pakistan, and Nepal with Windows and Android malware.
In October 2021, Amnesty International discovered evidence linking the group's attack infrastructure to Innefu Labs in India. This raises the question of whether the threat actor is selling spyware to governments or offering them hacker-for-hire services.
While it is not unusual for APT groups to re-attack networks they have already compromised by using stealthier backdoors, Donot Team takes a different approach: it redeploys several variants of malware it already has.
Delivered via weaponized Microsoft Office files, the so-called “yty” malware framework is an intermediary downloading chain that ends in the execution of a backdoor. The backdoor can download additional components, capture keystrokes, take screenshots, and deploy reverse shells remotely.
ESET dubbed the new variants of yty, DarkMusical and Gedit, with telemetry data pointing to attacks from a third variant called Jaca from March to July 2021. The first wave of attacks using DarkMusical is said to have occurred in June 2021, while Gedit-related campaigns were observed as early as September 2020, only to pick up the pace a year later.
A fourth attack, which took place between February and March 2021 and targeted military organisations in Bangladesh and Sri Lanka, used a modified Gedit version codenamed Henos.
“Donot Team makes up for its low sophistication with tenacity,” the researchers concluded. “We expect it to continue pushing on despite its setbacks. It will be interesting to see if and when the TTPs or malware are changed by this group.”