According to the Slovak cybersecurity firm ESET, researchers Facundo Muñoz and Matías Porolli reported: “The highly targeted attack was blamed on a hacking group known as Donot Team. Every two to four months, the Donot Team has been consistently targeting the same entities with waves of spear-phishing emails with malicious attachments.”
Donot Team (also known as APT-C-35 and SectorE02) has been linked to a series of intrusions primarily targeting embassies, governments, and military entities in Bangladesh, Sri Lanka, Pakistan, and Nepal with Windows and Android malware since at least 2016.
Amnesty International discovered evidence linking the threat actor’s attack infrastructure to an Indian cybersecurity firm called Innefu Labs in October 2021, raising concerns that the threat actor may be selling the spyware or offering a hackers-for-hire service to governments in the region.
While it is common for APT groups to re-attack a previously compromised network by deploying stealthier backdoors to hide their tracks, Donot Team takes a different approach by deploying multiple variants of the malware already in its arsenal.
The yty malware framework, which is delivered through weaponized Microsoft Office documents, is a chain of intermediary downloaders that culminates in the execution of a backdoor, which takes care of retrieving additional components capable of harvesting files, recording keystrokes and screenshots, and deploying reverse shells for remote access.
ESET named the new yty variants DarkMusical and Gedit, with telemetry data indicating attacks from a third variant called Jaca from March to July 2021. The first wave of DarkMusical-related attacks is said to have occurred in June 2021, while Gedit-related campaigns were observed as early as September 2020, only to pick up speed a year later.
Furthermore, a fourth set of attacks targeting military organisations in Bangladesh and Sri Lanka between February and March 2021 used a modified version of Gedit codenamed Henos.
Finally, the researchers concluded: “With tenacity, the Donot Team compensates for its lack of sophistication. Despite its numerous setbacks, it will press on. Only time will tell if the group’s current TTPs and malware evolve.”
Indicators of Compromise
Gedit – July 2021
Samples
| SHA-1 | Filename | ESET Detection Name |
|---|---|---|
| A71E70BA6F3CD083D20EDBC83C72AA823F31D7BF | hxedit.exe | Win32/TrojanDownloader.Donot.N |
| E101FB116F05B7B69BD2CAAFD744149E540EC6E9 | lmpss.exe | Win64/HackTool.Ligolo.A |
| 89D242E75172C79E2F6FC9B10B83377D940AE649 | gedit.exe | WinGo/Spy.Donot.A |
| B42FEFE2AB961055EA10D445D9BB0906144647CE | gedit.exe | WinGo/Spy.Donot.A |
| B0704492382186D40069264C0488B65BA8222F1E | disc.exe | Win32/Spy.Donot.L |
| 1A6FBD2735D3E27ECF7B5DD5FB6A21B153FACFDB | disc.exe | Win32/Spy.Donot.A |
| CEC2A3B121A669435847ADACD214BD0BE833E3AD | disc.exe | Win32/Spy.Donot.M |
| CBC4EC0D89FA7A2AD1B1708C5A36D1E304429203 | disc.exe | Win32/Spy.Donot.A |
| 9371F76527CA924163557C00329BF01F8AD9E8B7 | gedit.exe | Win32/Spy.Donot.J |
| B427744B2781BC344B96907BF7D68719E65E9DCB | wuaupdt.exe | Win32/TrojanDownloader.Donot.W |
Gedit – February/March 2021
Samples
| SHA-1 | Filename | ESET Detection Name |
|---|---|---|
| A15D011BED98BCE65DB597FFD2D5FDE49D46CFA2 | BN_Webmail_List 2020.doc | Win32/Exploit.Agent.UN |
| 6AE606659F8E0E19B69F0CB61EB9A94E66693F35 | vbtr.dll | Win32/Spy.Donot.G |
| 0290ABF0530A2FD2DFB0DE29248BA3CABB58D2AD | bcs01276.tmp (msdn022.dll) | Win32/TrojanDownloader.Donot.P |
| 66BA21B18B127DAA47CB16AB1F2E9FB7DE3F73E0 | Winhlp.exe | Win32/TrojanDownloader.Donot.J |
| 79A5B10C5214B1A3D7CA62A58574346C03D54C58 | nprint.exe | Win32/TrojanDownloader.Donot.K |
| B427744B2781BC344B96907BF7D68719E65E9DCB | wuaupdt.exe | Win32/TrojanDownloader.Donot.W |
| E423A87B9F2A6DB29B3BA03AE7C4C21E5489E069 | lmpss.exe | WinGo/Spy.Donot.B |
| F43845843D6E9FB4790BF70F1760843F08D43790 | innod.exe | Win32/Spy.Donot.G |
| 4FA31531108CC68FF1865E2EB5654F7B3DA8D820 | gedit.exe | Win32/Spy.Donot.G |
Gedit – September 2020
Samples
| SHA-1 | Filename | ESET Detection Name |
|---|---|---|
| 49E58C6DE5245796AEF992D16A0962541F1DAE0C | lmpss.exe | Win32/Spy.Donot.H |
| 6F38532CCFB33F921A45E67D84D2796461B5A7D4 | prodot.exe | Win32/TrojanDownloader.Donot.K |
| FCFEE44DA272E6EB3FC2C071947DF1180F1A8AE1 | prodot.exe | Win32/TrojanDownloader.Donot.S |
| 7DDF48AB1CF99990CB61EEAEB3ED06ED8E70A81B | gedit.exe | Win32/TrojanDownloader.Donot.AA |
| DBC8FA70DFED7632EA21B9AACA07CC793712BFF3 | disc.exe | Win32/Spy.Donot.I |
| CEF05A2DAB41287A495B9413D33F14D94A568C83 | wuaupdt.exe | Win32/Spy.Donot.A |
| E7375B4F37ECEA77FDA2CEA1498CFB30A76BACC7 | prodot.exe | Win32/TrojanDownloader.Donot.AA |
| 771B4BEA921F509FC37016F5FA22890CA3338A65 | apic.dll | Win32/TrojanDownloader.Donot.A |
| F74E6C2C0E26997FDB4DD89AA3D8BD5B270637CC | njhy65tg.dll | Win32/TrojanDownloader.Donot.O |
DarkMusical – September 2021
Samples
| SHA-1 | Filename | ESET Detection Name |
|---|---|---|
| 1917316C854AF9DA9EBDBD4ED4CBADF4FDCFA4CE | rihana.exe | Win32/TrojanDownloader.Donot.G |
| 6643ACD5B07444D1B2C049BDE61DD66BEB0BD247 | acrobat.dll | Win32/TrojanDownloader.Donot.F |
| 9185DEFC6F024285092B563EFA69EA410BD6F85B | remember.exe | Win32/TrojanDownloader.Donot.H |
| 954CFEC261FEF2225ACEA6D47949D87EFF9BAB14 | forbidden.exe | Win32/TrojanDownloader.Donot.I |
| 7E9A4A13A76CCDEC880618BFF80C397790F3CFF3 | serviceup.exe | Win32/ReverseShell.J |
| BF183A1EC4D88034D2AC825278FB084B4CB21EAD | srcot.exe | Win32/Spy.Donot.F |
| 1FAA4A52AA84EDB6082DEA66F89C05E0F8374C4C | upsvcsu.exe | WinGo/Spy.Donot.A |
| 2F2EA73B5EAF9F47DCFB7BF454A27A3FBF253A1E | sdudate.exe | Win32/ReverseShell.J |
| 39F92CBEC05785BF9FF28B7F33906C702F142B90 | ndexid.exe | Win32/Spy.Donot.C |
| 1352A8394CCCE7491072AAAC9D19ED584E607757 | ndexid.exe | Win32/Spy.Donot.E |
| 623767BC142814AB28F8EC6590DC031E7965B9CD | ndexid.exe | Win32/Spy.Donot.A |
DarkMusical – June 2021
Samples
| SHA-1 | Filename | ESET Detection Name |
|---|---|---|
| BB0C857908AFC878CAEEC3A0DA2CBB0A4FD4EF04 | ertficial.dll | Win32/TrojanDownloader.Donot.X |
| 6194E0ECA5D494980DF5B9AB5CEA8379665ED46A | ertficial.dll | Win32/TrojanDownloader.Donot.Y |
| ACB4DF8708D21A6E269D5E7EE5AFB5168D7E4C70 | msofficedll.dll | Win32/TrojanDownloader.Donot.L |
| B38F3515E9B5C8F4FB78AD17C42012E379B9E99A | sccmo.exe | Win32/TrojanDownloader.Donot.M |
| 60B2ADE3B339DE4ECA9EC3AC1A04BDEFC127B358 | pscmo.exe | Win32/TrojanDownloader.Donot.I |
Henos – February/March 2021
Samples
| SHA-1 | Filename | ESET Detection Name |
|---|---|---|
| 468A04B358B780C9CC3174E107A8D898DDE4B6DE | Procurement Letter Feb 21.doc | Win32/Exploit.CVE-2017-11882.CP |
| 9DD042FC83119A02AAB881EDB62C5EA3947BE63E | ctlm.dll | Win32/Spy.Donot.N |
| 25825268868366A31FA73095B0C5D0B696CD45A2 | stpnaqs.pmt (jptvbh.exe) | Win32/TrojanDownloader.Donot.Z |
| 540E7338725CBAA2F33966D5C1AE2C34552D4988 | henos.dll | Win32/Spy.Donot.G |
| 526E5C25140F7A70BA9F643ADA55AE24939D10AE | plaapas.exe | Win32/Spy.Donot.B |
| 89ED760D544CEFC6082A3649E8079EC87425FE66 | javatemp.exe | Win32/Spy.Donot.G |
| 9CA5512906D43EB9E5D6319E3C3617182BBF5907 | pytemp.exe | Win32/Spy.Donot.A |
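The sample tables above are only useful once they are turned into something a defender can run against an endpoint inventory. The following Python script is an added example, not code from the article or from ESET: it parses the pipe-delimited tables in the format used on this page, builds a lookup keyed by SHA-1, and checks a list of (path, hash) rows such as an EDR or AV inventory export against them. A hash match is treated as high confidence; a filename-only match (the lure names such as wuaupdt.exe are chosen to blend in with legitimate software) is reported only as a low-confidence lead for triage. The two embedded tables are excerpts copied from the Gedit (July 2021) and Henos (February/March 2021) sections above; the inventory rows and the hashes in them are constructed for the demonstration.

```python
import hashlib
import re

# Excerpts of the IoC tables from this page, in the page's own pipe format.
# Keys are the campaign headings; only a subset of rows is embedded here.
IOC_TABLES = {
    "Gedit – July 2021": """\
SHA-1 | Filename | ESET Detection Name |
---|---|---|
A71E70BA6F3CD083D20EDBC83C72AA823F31D7BF | hxedit.exe | Win32/TrojanDownloader.Donot.N |
E101FB116F05B7B69BD2CAAFD744149E540EC6E9 | lmpss.exe | Win64/HackTool.Ligolo.A |
B427744B2781BC344B96907BF7D68719E65E9DCB | wuaupdt.exe | Win32/TrojanDownloader.Donot.W |
""",
    "Henos – February/March 2021": """\
SHA-1 | Filename | ESET Detection Name |
---|---|---|
468A04B358B780C9CC3174E107A8D898DDE4B6DE | Procurement Letter Feb 21.doc | Win32/Exploit.CVE-2017-11882.CP |
540E7338725CBAA2F33966D5C1AE2C34552D4988 | henos.dll | Win32/Spy.Donot.G |
""",
}

SHA1_RE = re.compile(r"^[0-9A-Fa-f]{40}$")


def parse_ioc_table(text, campaign):
    """Parse one pipe-delimited sample table into a list of IoC records.

    Header, separator and blank lines are skipped because their first cell is
    not a 40-hex-digit SHA-1. Hashes are normalised to lowercase.
    """
    records = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 3 or not SHA1_RE.match(cells[0]):
            continue
        records.append({
            "sha1": cells[0].lower(),
            "filename": cells[1],
            "detection": cells[2],
            "campaign": campaign,
        })
    return records


def load_iocs(tables=IOC_TABLES):
    """Build two indexes: exact SHA-1 -> record and lowercase filename -> records."""
    by_hash, by_name = {}, {}
    for campaign, text in tables.items():
        for rec in parse_ioc_table(text, campaign):
            by_hash[rec["sha1"]] = rec
            by_name.setdefault(rec["filename"].lower(), []).append(rec)
    return by_hash, by_name


def sha1_of_file(path, chunk=1 << 20):
    """Streamed SHA-1 of a file on disk, for hashing a directory locally."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def basename(path):
    # Inventory exports mix Windows and POSIX separators; split on both.
    return re.split(r"[\\/]", path)[-1]


def classify(path, sha1, by_hash, by_name):
    """Return (confidence, record). Hash match beats filename match."""
    rec = by_hash.get(sha1.lower())
    if rec:
        return "high", rec
    name_hits = by_name.get(basename(path).lower())
    if name_hits:
        return "low", name_hits[0]
    return "none", None


def scan_hash_export(rows, by_hash, by_name):
    """rows: iterable of (path, sha1). Returns (path, confidence, campaign, detection) hits."""
    hits = []
    for path, digest in rows:
        conf, rec = classify(path, digest, by_hash, by_name)
        if conf != "none":
            hits.append((path, conf, rec["campaign"], rec["detection"]))
    return hits


# Constructed inventory export (not real telemetry). The first hash is the
# hxedit.exe sample from the table; the others are placeholder values.
SAMPLE_EXPORT = [
    (r"C:\Users\alice\AppData\Local\Temp\hxedit.exe", "a71e70ba6f3cd083d20edbc83c72aa823f31d7bf"),
    (r"C:\Windows\System32\wuauclt.exe", "0000000000000000000000000000000000000000"),
    (r"C:\ProgramData\wuaupdt.exe", "1111111111111111111111111111111111111111"),
]

if __name__ == "__main__":
    by_hash, by_name = load_iocs()
    for hit in scan_hash_export(SAMPLE_EXPORT, by_hash, by_name):
        print(hit)
```

Two caveats follow from the article itself. ESET reports a new wave every two to four months with fresh variants, so a hash list like this catches only the exact builds listed and should be refreshed from the vendor's publication rather than treated as durable coverage; and the low-confidence filename matches exist precisely because the operators reuse names that imitate legitimate binaries, so a filename hit with an unknown hash is a reason to pull the file for analysis, not a verdict.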