A persistent threat actor, suspected to have ties to an Indian cybersecurity firm, has been actively attacking military organizations in South Asia since at least September 2020. The targeted nations include Bangladesh, Nepal, and Sri Lanka, with various iterations of their specialized malware framework used in each assault.
According to Slovakia-based cybersecurity firm ESET, the group behind these attacks is identified as the Donot Team. Researchers Facundo Muñoz and Matías Porolli noted that the group frequently employs spear-phishing techniques, sending malicious emails with attachments to the same entities every two to four months.
Donot Team, recognized as APT-C-35 and SectorE02, has reportedly been operating since 2016. The group has predominantly targeted embassies and military entities across Bangladesh, Sri Lanka, Pakistan, and Nepal, utilizing both Windows and Android malware.
In a significant discovery by Amnesty International in October 2021, evidence linked the group’s operational framework to an Indian cybersecurity company. This revelation raised concerns that the group might be either selling spyware or providing hacking services for hire to governments within the region.
While many Advanced Persistent Threat (APT) groups tend to re-target previously compromised networks through stealthy backdoors, Donot Team has adopted a contrasting strategy. Rather than relying on a single persistent implant, the group repeatedly deploys multiple variants of the malware already in its arsenal, which makes its attacks harder for victims to defend against.
The group’s attacks typically involve weaponized Microsoft Office documents, utilizing a malicious framework referred to as “yty.” This framework serves as a chain of intermediate downloaders, ultimately executing a backdoor that facilitates the retrieval of additional components capable of file harvesting, keystroke logging, taking screenshots, and establishing reverse shells for remote access.
Recent telemetry has indicated the emergence of new malware variants named DarkMusical and Gedit, with the initial wave of DarkMusical attacks recorded in June 2021. Notably, Gedit-related activities have been tracked back to September 2020, only to intensify in subsequent months. A related set of attacks, targeting military organizations in Bangladesh and Sri Lanka between February and March 2021, utilized a modified version of Gedit dubbed Henos.
Researchers have noted that Donot Team compensates for its lower sophistication with unmatched perseverance. They anticipate that the group will persist despite facing numerous setbacks. How its tactics, techniques, and procedures (TTPs) will change over time remains to be seen, as defenders continue to adapt to such persistent threats.