Rewterz Threat Alert – APT-C-35 aka Donot Team – Active IOCs

Severity

High

Analysis Summary

APT-C-35 (also known as “Donot APT Group”) is a cyber espionage group that has been active since at least 2013. The group is known for conducting cyber espionage and intellectual property theft, targeting government and military organizations, as well as companies in the aerospace, defense, and high-tech industries. Their activities have been observed in several countries, including the United States, Europe, and Asia.

They previously targeted Pakistani users with android malware named (StealJob) which was used to target Pakistani android mobile users by Phishing under the name of “Kashmiri Voice”. The attackers hunt for confidential information and intellectual property. The hackers’ targets include countries in South Asia, in particular, the state sector of Pakistan. Also, in July 2022, the threat actor of this APT group used Comodo’s certificate to sign its spyware. The group is known for using a variety of tactics, techniques, and procedures (TTPs) in their attacks, which include the use of spear-phishing emails, malware, and custom-developed tools. Donot APT group is known to be a well-funded and well-resourced group, with a high level of technical skill. They are also known to use techniques to evade detection, such as using encryption and fileless malware.

Recently, It appears that the DoNot APT group is targeting individuals in South Asia using Android malware. The group seems to be using third-party file-sharing websites, as well as potentially their own file-sharing online platform, as a delivery mechanism for their malware.

The malware samples were disguised as chatting apps with names like “Ten Messenger.apk” and “Link Chat QQ.apk”. It is possible that the group is using these names to make the malware appear more legitimate and to increase the chances that victims will download and install it.

It is important for organizations to be aware of the threat posed by Donot APT group and to take steps to protect themselves from their attacks. This includes implementing security best practices, such as regular software updates and patching, and providing employee training on how to spot and avoid phishing emails. Additionally, organizations should also consider implementing security tools such as intrusion detection and prevention systems (IDPS), endpoint protection platforms (EPP), and advanced threat intelligence (ATI) to detect and respond to Donot APT group’s activities.

Impact

• Information Theft and Espionage

Indicators of Compromise

MD5

• 7f6a5d1215340f5609a389d455ead4fc
• e8baefc676684b57274d78899e1795fd
• 036e7cdd93bea1816d48351efd576f7b

SHA-256

• ab91d1a041d0188c89fa718a6b1ba31755e4d93942a5bebc2438a0e58fe9090b
• e3aabd0ae05142ccf638e5db50bfc86c0d1de3df3be60287581b9beaca271206
• f2fd006c36717368774672be578417e402f23acda07411fa1123c060aeb2a905

SHA-1

• b57e732d56964b4144edda3644a8a61eb3960cd7
• 33ca539dafb9a20afac62c8bff1a41838970e569
• fc93d8a200e7241a981036d1063a2ce8886b3fc3

URL

http://forum.winidowtech.info/

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls
• Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
• Maintain Offline Backups – In a ransomware attack, the adversary will often delete or encrypt backups if they have access to them. That’s why it’s important to keep offline (preferably off-site), encrypted backups of data and test them regularly.
• Emails from unknown senders should always be treated with caution.
• Never trust or open links and attachments received from unknown sources/senders.