The threat actor known as DoNot Team has been linked to the use of a novel .NET-based backdoor called Firebird targeting a handful of victims in Pakistan and Afghanistan.
Cybersecurity company Kaspersky, which disclosed the findings in its APT trends report Q3 2023, said the attack chains are also configured to deliver a downloader named CSVtyrei, so named for its resemblance to Vtyrei.
“Some code within the samples appeared non-functional, hinting at ongoing development efforts,” the Russian firm said.
Vtyrei (aka BREEZESUGAR) refers to a first-stage payload and downloader strain previously leveraged by the adversary to deliver a malware framework known as RTY.
DoNot Team, also known by the names APT-C-35, Origami Elephant, and SECTOR02, is suspected to be of Indian origin, with its attacks employing spear-phishing emails and rogue Android apps to propagate malware.
The latest findings from Kaspersky build on an analysis of the threat actor’s twin attack sequences in April 2023 to deploy the Agent K11 and RTY frameworks.
The disclosure also follows Zscaler ThreatLabz’s discovery of new malicious activity carried out by the Pakistan-based Transparent Tribe (aka APT36) actor targeting Indian government sectors using an updated malware arsenal that includes a previously undocumented Windows trojan dubbed ElizaRAT.
“ElizaRAT is delivered as a .NET binary and establishes a C2 communication channel via Telegram, enabling threat actors to exert complete control over the targeted endpoint,” security researcher Sudeep Singh noted last month.
Active since 2013, Transparent Tribe has used credential harvesting and malware distribution attacks, frequently distributing trojanized installers of Indian government applications like Kavach multi-factor authentication and weaponizing open-source command-and-control (C2) frameworks such as Mythic.
In a sign that the hacking crew has also set its sights on Linux systems, Zscaler said it identified a small set of desktop entry files that pave the way for the execution of Python-based ELF binaries, including GLOBSHELL for file exfiltration and PYSHELLFOX for stealing session data from the Mozilla Firefox browser.
“Linux-based operating systems are widely used in the Indian government sector,” Singh said, adding that the targeting of the Linux environment is also likely motivated by India’s decision to replace Microsoft Windows OS with Maya OS, a Debian Linux-based operating system, across government and defense sectors.
Joining DoNot Team and Transparent Tribe is another nation-state actor from the Asia-Pacific region with a focus on Pakistan.
Codenamed Mysterious Elephant (aka APT-K-47), the hacking group has been attributed to a spear-phishing campaign that drops a novel backdoor called ORPCBackdoor, which is capable of executing files and commands on the victim’s computer and receiving files or commands from a malicious server.
According to the Knownsec 404 Team, APT-K-47 shares tooling and targeting overlaps with those of other actors such as SideWinder, Patchwork, Confucius, and Bitter, most of which are assessed to be aligned with India.
Some elements of this article are sourced from:
thehackernews.com