DoNot APT Targets European Ministry with New LoptikMod Malware

Trellix has uncovered a spear-phishing campaign conducted by the India-linked DoNot APT group against a European foreign affairs ministry. This article explores the group’s tactics, the LoptikMod malware, and the implications of this espionage activity for diplomatic targets.

The DoNot APT group, also recognized as APT-C-35 and Mint Tempest, has launched a significant cyber campaign against a European foreign affairs ministry. This attack, investigated by the Trellix Advanced Research Centre, marks a notable expansion of the group’s activities, which have previously focused primarily on South Asia.

Since its emergence in 2016, the DoNot APT group has posed a persistent threat, particularly targeting governmental, military, and diplomatic entities. While the group has historically concentrated on South Asian geopolitical interests and has been linked to Indian operations by various cybersecurity firms, this recent incident indicates a widening of their geographical scope into Europe.

In identifying this campaign, Trellix’s researchers intercepted the initial email communications, allowing for an in-depth analysis of the techniques employed in the attack. The attackers used a deceptive spear-phishing strategy, impersonating European defense officials to lure their targets. This method reflects a calculated attempt to gain the recipients’ trust.

The spear-phishing emails referenced an official visit to Bangladesh and carried a link to a payload hosted on Google Drive. Hosting the payload on a legitimate, widely used cloud service is a deliberate tradecraft choice: the link carries a trusted domain, so it is less likely to be blocked by URL-reputation filtering and less likely to raise suspicion with the recipient than a link to attacker-registered infrastructure.

The operation proceeded in several methodical steps. The first phishing email was sent from a Gmail account with a subject line chosen to look like routine diplomatic correspondence: “Italian Defence Attaché Visit to Dhaka, Bangladesh.” The message used correct character encoding, so the accented “é” in “Attaché” rendered properly rather than as garbled text, a small detail that helps the lure pass as authentic.

[Figure: Attackers’ TTPs (Source: Trellix)]

Victims who clicked the link downloaded a RAR archive named ‘SyClrLtr.rar’ containing an executable disguised as a PDF. When run, the executable launched a batch file and established persistence through a scheduled task that executes every ten minutes, so the implant is relaunched even if its process is terminated or the host is rebooted.
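As an added illustration (not code from Trellix or from the original article), the following Python script shows how a defender might hunt for this execution chain in endpoint telemetry: an executable masquerading as a document, a batch file spawned from it, and a short-interval scheduled task pointing at a user-writable path. The sample events are constructed to resemble Sysmon process-creation records exported as JSON lines; the file names, task name, user names and paths are invented, and the 15-minute threshold generalises the ten-minute interval described above.

```python
"""Hunt for a masquerade -> batch file -> scheduled-task persistence chain.

Added example, not code from Trellix or the original article. The log lines
below are constructed to resemble Sysmon Event ID 1 (process creation)
exported as JSON; field names follow Sysmon's schema. File names, the task
name, user names and paths are invented for illustration.
"""
import json
import re
from typing import Iterator

# Constructed sample telemetry (not real data). One JSON object per line.
SAMPLE_LOG = r"""
{"EventID":1,"Image":"C:\\Windows\\explorer.exe","CommandLine":"explorer.exe","ParentImage":"C:\\Windows\\System32\\userinit.exe","User":"MFA\\analyst"}
{"EventID":1,"Image":"C:\\Users\\analyst\\AppData\\Local\\Temp\\Rar$EXa0.123\\SyClrLtr.pdf.exe","CommandLine":"\"C:\\Users\\analyst\\AppData\\Local\\Temp\\Rar$EXa0.123\\SyClrLtr.pdf.exe\"","ParentImage":"C:\\Program Files\\WinRAR\\WinRAR.exe","User":"MFA\\analyst"}
{"EventID":1,"Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c C:\\Users\\analyst\\AppData\\Local\\Temp\\run.bat","ParentImage":"C:\\Users\\analyst\\AppData\\Local\\Temp\\Rar$EXa0.123\\SyClrLtr.pdf.exe","User":"MFA\\analyst"}
{"EventID":1,"Image":"C:\\Windows\\System32\\schtasks.exe","CommandLine":"schtasks /create /f /sc minute /mo 10 /tn \"SyncUpdate\" /tr C:\\Users\\analyst\\AppData\\Local\\Temp\\run.bat","ParentImage":"C:\\Windows\\System32\\cmd.exe","User":"MFA\\analyst"}
{"EventID":1,"Image":"C:\\Windows\\System32\\schtasks.exe","CommandLine":"schtasks /create /sc daily /tn \"Backup\" /tr C:\\backup\\run.exe","ParentImage":"C:\\Windows\\System32\\cmd.exe","User":"MFA\\admin"}
"""

# A document extension immediately followed by an executable extension.
DOC_DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|pptx?)\.(exe|scr|com|pif|bat|cmd)$", re.I)
# schtasks run with a minute-based schedule; group 1 is the interval.
SCHTASKS_MINUTE = re.compile(r"/sc\s+minute\s+/mo\s+(\d+)", re.I)
# Paths under a user profile that any unprivileged user can write to.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Downloads)\\", re.I)
# Anything scheduled more often than this (in minutes) is treated as beaconing-like.
MAX_BENIGN_INTERVAL = 15


def parse_events(log: str) -> Iterator[dict]:
    """Yield one event dict per non-empty JSON line."""
    for line in log.strip().splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def basename(path: str) -> str:
    """Return the last path component of a Windows path."""
    return path.rsplit("\\", 1)[-1]


def detect(events) -> list:
    """Return (finding_kind, evidence) tuples for the chain described in the text.

    Events are assumed to arrive in chronological order, so a masquerading
    executable is seen before the children it spawns.
    """
    findings = []
    masquerades = set()  # full paths of executables flagged as document look-alikes
    for ev in events:
        image = ev.get("Image", "")
        cmd = ev.get("CommandLine", "")
        parent = ev.get("ParentImage", "")

        # 1. An executable whose name ends in .pdf.exe (or similar).
        if DOC_DOUBLE_EXT.search(image):
            masquerades.add(image)
            findings.append(("masquerading_executable", image))

        # 2. cmd.exe running a batch file, spawned by a flagged executable.
        if basename(image).lower() == "cmd.exe" and parent in masquerades and ".bat" in cmd.lower():
            findings.append(("batch_from_masquerade", cmd))

        # 3. schtasks creating a short-interval task that runs from a user-writable path.
        m = SCHTASKS_MINUTE.search(cmd)
        if (basename(image).lower() == "schtasks.exe" and m
                and int(m.group(1)) <= MAX_BENIGN_INTERVAL and USER_WRITABLE.search(cmd)):
            findings.append(("short_interval_task_user_path", cmd))
    return findings


if __name__ == "__main__":
    for kind, evidence in detect(parse_events(SAMPLE_LOG)):
        print(f"{kind}: {evidence}")
```

Each rule fires independently, so a single hit is only a lead; the three together on one host, in order, are what reproduce the chain in the article. The daily "Backup" task in the sample is there to show that the interval and path conditions keep ordinary administrative scheduling out of the results.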

The malware utilized in this operation is known as LoptikMod, which has been associated with the DoNot APT group since 2018. It is capable of gathering various system details, including CPU model, operating system information, and user credentials. This data is encrypted and sent to a command and control server, enabling the attackers to maintain a communication channel and potentially exfiltrate sensitive information. Apart from LoptikMod, the group also deploys other custom-built malware tools, including backdoors like YTY and GEdit.

This targeting of a European foreign affairs ministry underscores the DoNot APT group’s relentless pursuit of sensitive information and its growing operational reach. Attacks on diplomatic entities serve as classic espionage tactics, aiming to secure unauthorized access to classified communications and intelligence documents. In light of these threats, organizations, particularly those involved in government and diplomacy, are strongly encouraged to bolster their cybersecurity measures. This includes enhancing email security protocols, conducting rigorous network traffic analysis, and implementing robust endpoint detection and response systems to defend against evolving cyber threats.
