In the ever-evolving landscape of cyber threats and espionage, the DoNot Team has emerged as a noteworthy threat actor, engaging in targeted cyber-espionage operations in South Asia, particularly in Pakistan and Afghanistan. This article sheds light on the activities and characteristics of the DoNot Team, a group known for its use of sophisticated malware and espionage tactics.
DoNot Team’s Advanced Techniques
DoNot Team, which has also operated under aliases such as APT-C-35, Origami Elephant, and SECTOR02, is suspected to have origins in India. Their attacks are characterized by their precision and ability to infiltrate high-value targets using spear-phishing emails and rogue Android applications.
One of the key revelations from cybersecurity company Kaspersky’s APT trends report for Q3 2023 is the DoNot Team’s use of a novel .NET-based backdoor known as Firebird. This backdoor, along with a downloader named CSVtyrei, forms part of the attack chain used to compromise victims’ systems. Notably, ongoing development efforts are indicated by some non-functional code within the malware.
The Journey from Vtyrei to RTY
The DoNot Team has previously employed a first-stage payload and downloader strain called Vtyrei (also known as BREEZESUGAR). This strain was used to deliver the RTY malware framework, showcasing the group’s evolving tactics and techniques. The group’s versatility in deploying different strains and malware payloads is a concerning aspect of their activities.
Transparent Tribe and ElizaRAT
In addition to the DoNot Team, the region has witnessed the activities of other threat actors. Transparent Tribe, also known as APT36, is a Pakistan-based actor that has been targeting Indian government sectors. They utilize an updated malware arsenal, including a previously undocumented Windows trojan named ElizaRAT. This .NET binary establishes a C2 communication channel via Telegram, granting complete control over the compromised endpoint.
What sets Transparent Tribe apart is its history of using credential harvesting and malware distribution attacks. They frequently employ trojanized installers of Indian government applications and exploit open-source command-and-control frameworks.
Linux as a New Target
A notable development in Transparent Tribe’s tactics is the targeting of Linux systems. This move is significant, given that Linux-based operating systems are widely used in the Indian government sector. It’s likely motivated by India’s decision to replace Microsoft Windows OS with Maya OS, a Debian Linux-based operating system, across government and defense sectors.
Mysterious Elephant: Another Player in the Arena
Adding to the complexity of the cybersecurity landscape in the region is Mysterious Elephant, also known as APT-K-47. This nation-state actor from the Asia-Pacific region is involved in spear-phishing campaigns and deploys a backdoor called ORPCBackdoor. This backdoor is capable of executing files and commands on the victim’s computer and receiving files or commands from a malicious server.
Mysterious Elephant shares tooling and targeting overlaps with other actors associated with India, including SideWinder, Patchwork, Confucius, and Bitter, further underscoring the intricate nature of nation-state cyber operations in the region.
The activities of the DoNot Team, along with other threat actors in the South Asian region, highlight the persistent and evolving nature of cyber espionage. As these groups continue to develop advanced malware and tactics, it is crucial for organizations and governments to enhance their cybersecurity measures to defend against these sophisticated threats. The collaboration of cybersecurity firms and the sharing of threat intelligence are vital components in this ongoing battle to safeguard digital assets and national security.