DoNot Team Linked to New Tanzeem Android Malware Aimed at Intelligence Gathering


The threat group known as DoNot Team is associated with a new Android malware linked to highly targeted cyber attacks. The malware, identified as Tanzeem (meaning “organization” in Urdu) and its update variant, was discovered by cybersecurity firm Cyfirma in October and December 2024. These applications share nearly identical functionalities, with only slight user interface changes. Cyfirma’s Friday analysis pointed out, “While designed as a chat application, it fails to operate after installation, crashing once the required permissions are granted.” The app’s name indicates a focus on targeting specific individuals or groups both domestically and internationally. DoNot Team, also known as APT-C-35, Origami Elephant, SECTOR02, and Viceroy Tiger, is a hacking group believed to originate from India, notorious for utilizing spear-phishing emails and various Android malware strains in their attacks.

DoNot Team Linked to Emerging Tanzeem Android Malware Targeting Intelligence Gathering

January 20, 2025

In a notable development in the cyber threat landscape, the hacking group known as DoNot Team has been associated with a new strain of Android malware. This malware, identified as Tanzeem, which translates to “organization” in Urdu, is part of a series of sophisticated cyber operations that seem focused on intelligence collection. The cybersecurity firm Cyfirma first detected these malicious artifacts in late 2024, specifically in October and December.

The Tanzeem applications, which also include an update version, share similar functionalities, with only slight variations in their user interfaces. According to Cyfirma’s analysis, while the apps are marketed as chat applications, they fail to function as intended. After the user grants the necessary permissions, the applications abruptly shut down, indicating a potential ruse aimed at collecting sensitive information rather than facilitating legitimate communication.

The primary targets of this malware appear to be specific individuals or groups, both domestically and internationally, suggesting a strategic focus on high-value intelligence assets. The implication is that the DoNot Team is pursuing individuals whose data could offer advantages to their operational objectives.

DoNot Team, which has also been tracked under names such as APT-C-35, Origami Elephant, SECTOR02, and Viceroy Tiger, is believed to operate from India. This group has a history of employing spear-phishing techniques alongside various malware strains, including those targeting the Android platform. Their activities illustrate a clear pattern of initiating access through deceptive means, which aligns with techniques documented in the MITRE ATT&CK framework.

The tactics likely employed in this instance include initial access through phishing or social engineering. The malware's persistence on the infected device points to techniques for maintaining a foothold on compromised systems, and possible privilege escalation would give the attackers greater control over the infected devices, broadening their ability to harvest sensitive data.

As cyber threats continue to evolve, the emergence of Tanzeem serves as a stark reminder for business owners and organizational leaders to remain vigilant. The risks associated with mobile malware, particularly from sophisticated groups like DoNot Team, necessitate robust cybersecurity measures and employee training to mitigate the potential impacts of such targeted attacks. Awareness and preparedness are critical in defending against the increasing complexity of cyber threats that leverage social engineering and advanced malware to exploit vulnerabilities.
