After installation, the apps request dangerous permissions that enable attackers to:

• Access call logs and fetch call history.
• Read contact lists.
• Control file storage, including deleting and moving files.
• Read SMS to monitor messages.
• Track GPS location for real-time monitoring.
• Access user accounts, including usernames and email addresses.

Additionally, the apps connect to command-and-control (C2) servers via hidden URLs, granting attackers remote access to infected devices. A significant innovation in this campaign is the use of push notifications to deliver additional malware, enhancing the malware's persistence and evasion capabilities.

Researchers underscores the DONOT APT group's history of intelligence-gathering operations in South Asia. The group, believed to support Indian national interests, has consistently targeted sensitive organizations and individuals in the region. This latest campaign demonstrates their evolving tactics, particularly the integration of push notifications to spread malware and maintain access to compromised devices.

The report highlights the ongoing threat posed by the DONOT APT group, emphasizing their relentless efforts to infiltrate targets and collect intelligence. Researchers warns the organizations and individuals in South Asia to remain vigilant and adopt stringent security measures to mitigate the risk of such advanced malware campaigns. The findings serve as a reminder of the growing sophistication of cyber threats in the region.

Impact

• Data Exposure
• Cyber Espionage
• Reputational Damage
• Unauthorized Gain Access
• Sensitive Information Theft

Indicators of Compromise

Domain Name

• toolgpt.buzz

• updash.info

• solarradiationneutron.appspot.com

• saturn789454.appspot.com

MD5

• 150bff0aaf52f2c30b7c1e9fd7b2a10a

SHA-256

• 8689d59aac223219e0fdb7886be289a9536817eb6711089b5dd099a1e580f8e4

SHA1

• 893e96b3266691702b65246bce9d705e6b6a5766

Remediation

• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Emails from unknown senders should always be treated with caution.
• Never trust or open links and attachments received from unknown sources/senders.
• Maintain cyber hygiene by updating your antivirus software and implementing a patch management lifecycle.
• Patch and upgrade any platforms and software timely and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zerodays.
• Enable antivirus and antimalware software and update signature definitions on time. Using multilayered protection is necessary to secure vulnerable assets.
• Enforce strong password policies across the organization. Encourage the use of complex passwords and enable multifactor authentication (MFA) wherever possible to add an extra layer of security.
• Deploy reliable endpoint protection solutions that include antivirus, antimalware, and host-based intrusion prevention systems (HIPS) to detect and block malicious activities.
• Utilize web filtering and content inspection tools to block access to malicious websites and prevent users from downloading malicious files.
• Deploy IDPS solutions to detect and block suspicious network traffic and intrusions.
• Conduct regular vulnerability assessments and penetration testing to identify weaknesses in the network infrastructure and address them before they are exploited by attackers.
• Continuously monitor network traffic and security logs for any signs of suspicious activities. Stay updated on the latest threat intelligence to understand the tactics, techniques, and procedures (TTPs) employed by the Sidewinder APT group and other threat actors.