
Threat actors suspected of having ties to India have been observed targeting a European foreign ministry with malware capable of harvesting sensitive data from compromised hosts.
The activity has been attributed by the Trellix Advanced Research Center to an advanced persistent threat (APT) group tracked as DoNot Team, also known as APT-C-35, Mint Tempest, Origami Elephant, SECTOR02, and Viceroy Tiger. The group is assessed to have been active since 2016.
“DoNot APT is known for using custom-built Windows malware, including backdoors such as YTY and GEDIT, often delivered via spear-phishing emails and malicious documents,” said Trellix researchers Aniket Choukde, Aparna Aripirala, Alisha Kadam, Akhil Reddy, Pham Duy Phuc, and Alex Lanstein.

“This threat group typically targets government entities, ministries of foreign affairs, and defence organisations, particularly those in South Asia and Europe.”
The attack chain begins with a phishing email that lures the recipient into clicking a Google Drive link, which triggers the download of a RAR archive and paves the way for the deployment of malware called LoptikMod.
According to Trellix, the messages are sent from a Gmail address and impersonate defence personnel, using a subject line that refers to an Italian defence visit to Dhaka, Bangladesh.
“The emails show attention to detail to improve legitimacy, using HTML format with UTF-8 encoding to properly display special characters like ‘é’ in ‘Attaché’,” the researchers noted in their breakdown of the infection sequence.

The RAR archive distributed via email contains a malicious executable that mimics a PDF document. Opening it executes the LoptikMod remote access trojan, which establishes persistence on the host through scheduled tasks, sends system information, receives commands, downloads additional modules, and exfiltrates data.
It also employs anti-VM techniques and ASCII obfuscation to hinder execution in virtual environments and evade analysis, making it harder to determine the tool's purpose. The malware additionally ensures that only one instance of it is running on the compromised system, so that a second copy does not interfere with the first.
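As an added illustration of the masquerade described above (example code, not from the Trellix report), the following Python routine inspects archive entries and flags executables posing as PDFs by comparing the file name against the file's magic bytes; the entry names and byte strings are constructed for this example.

```python
import re

# Magic bytes: a genuine PDF starts with "%PDF-", a Windows PE file with "MZ".
PDF_MAGIC = b"%PDF-"
PE_MAGIC = b"MZ"
RLO = "\u202e"  # Unicode right-to-left override; reverses how the rest of a name is displayed
EXEC_EXT = r"\.(exe|scr|com|pif|bat|cmd)$"


def masquerade_reasons(name: str, head: bytes) -> list:
    """Return the reasons an archive entry looks like an executable posing as a PDF.

    An empty list means the entry was not flagged. `head` is the first few bytes of the file.
    """
    reasons = []
    lname = name.lower()
    is_pe = head.startswith(PE_MAGIC)
    if is_pe and lname.endswith(".pdf"):
        reasons.append("PE header behind a .pdf extension")
    if re.search(r"\.pdf" + EXEC_EXT, lname):
        reasons.append("double extension (.pdf.exe style)")
    if RLO in name:
        reasons.append("right-to-left override hides the real extension")
    return reasons


def scan_archive(entries) -> dict:
    """entries: iterable of (name, first_bytes). Returns {name: reasons} for flagged entries only."""
    return {name: r for name, head in entries if (r := masquerade_reasons(name, head))}


# Constructed sample archive listing (hypothetical names and bytes, not real samples).
SAMPLE_ENTRIES = [
    ("Italian_Defence_Visit_Dhaka.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"),  # genuine PDF
    ("Visit_Programme.pdf", b"MZ\x90\x00\x03\x00\x00\x00"),                # PE named as a PDF
    ("Visit_Schedule.pdf.exe", b"MZ\x90\x00\x03\x00\x00\x00"),             # double extension
    ("Invitation" + RLO + "fdp.exe", b"MZ\x90\x00\x03\x00\x00\x00"),       # shown as "Invitationexe.pdf"
]

if __name__ == "__main__":
    for entry_name, why in scan_archive(SAMPLE_ENTRIES).items():
        print(f"{entry_name!r}: {', '.join(why)}")
```

The same check applies to any mail gateway or sandbox that can read the first bytes of extracted archive members; the PE-header test catches the case where the name alone looks entirely benign.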

Trellix says the command-and-control (C2) server used in the campaign is currently inactive, which means either that the infrastructure has been temporarily taken down, is no longer in use, or that the threat actors have moved to a completely different server.
Because the C2 server is inactive, it is not currently possible to determine the exact set of commands sent to infected endpoints or the kind of data returned in response.
“Their operations are characterized by sustained surveillance, data exfiltration, and long-term access, suggesting a strong cyber espionage motivation,” the researchers said. “While they have historically focused on South Asia, this incident targeting a South Asian embassy in Europe shows a clear expansion of their interests to European diplomatic communications and intelligence.”