The DoNot Team APT (aka APT-C-35) is back with new tricks and tactics added to its kit. The actors have been active since 2016 and are known for targeted attacks against individuals and organizations in South Asia. 

DoNot Team introduces new modules

  • Morphisec Labs researchers report that the group has added new modules to its Windows spyware framework, known as YTY or Jaca. The latest samples appear to be in use in the wild. 
  • The new modules are a browser stealer component and a new shellcode loader component that loads a new DLL variant of the group's reverse shell.
  • The browser stealer component can steal information such as login credentials and browsing history from Google Chrome and Mozilla Firefox. 

New infection process observed

  • Researchers have also observed a new infection chain that delivers these modules to the Windows framework. 
  • In the latest spear-phishing email campaign, the group targeted government departments with RTF document attachments. 
  • When opened, the RTF document fetches a malicious remote template from the C2 server via an HTTP GET request.
  • Once the remote template is injected, it lures the victim into enabling macros; the macros then inject the reverse shell module. 
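The remote-template step above is detectable before any macro runs, because the RTF file itself has to carry the template reference. The following is an added example, not code from the original article or from Morphisec's report: it scans an RTF blob for the `{\*\template ...}` destination that Word follows to load a template, decodes the `\'hh` and `\uNNNN` escapes attackers use to hide the URL from plain string matching, and reports any target that is a URL or UNC path. The sample documents and host names are constructed for illustration.

```python
"""Flag RTF documents that reference a remote template.

Added example, not from the original article or Morphisec's report. It relies
only on the RTF format: {\\*\\template <target>} is the destination Word reads
to locate a template, and \\'hh / \\uNNNN are ordinary RTF escapes that can be
used to obfuscate the target. Sample documents below are constructed.
"""
import re

# {\*\template ...} allowing one level of nested braces inside the group.
TEMPLATE_RE = re.compile(rb"\{\\\*\\template\b((?:[^{}]|\{[^{}]*\})*)\}")
HEX_ESC_RE = re.compile(rb"\\'([0-9a-fA-F]{2})")      # \'68   -> 'h'
UNI_ESC_RE = re.compile(r"\\u(-?\d+)\??")              # \u104? -> 'h'
OTHER_ESC_RE = re.compile(r"\\\\|\\[{}]|\\[a-zA-Z]+-?\d* ?")
# Anything fetched over a URL scheme or a UNC path counts as remote.
REMOTE_RE = re.compile(r"^(?:https?|ftp|file)://|^\\\\", re.IGNORECASE)


def _decode_template_target(raw: bytes) -> str:
    """Collapse RTF escapes so an obfuscated target reads as plain text."""
    data = HEX_ESC_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    text = data.decode("latin-1")

    def uni(m):
        cp = int(m.group(1))
        return chr(cp + 65536 if cp < 0 else cp)  # RTF stores >32767 as negative

    text = UNI_ESC_RE.sub(uni, text)

    def other(m):
        tok = m.group(0)
        if tok == "\\\\":
            return "\\"          # escaped backslash (UNC and local paths)
        if tok in ("\\{", "\\}"):
            return tok[1]
        return ""                # any other control word is formatting noise

    return OTHER_ESC_RE.sub(other, text).strip()


def _is_rtf(blob: bytes) -> bool:
    # Word also accepts the truncated {\rt header, so do not require {\rtf1.
    return blob.lstrip().startswith(b"{\\rt")


def find_remote_templates(rtf: bytes) -> list[str]:
    """Return every URL or UNC template target found in an RTF blob."""
    if not _is_rtf(rtf):
        return []
    targets = (_decode_template_target(m.group(1)) for m in TEMPLATE_RE.finditer(rtf))
    return [t for t in targets if REMOTE_RE.search(t)]


def classify(rtf: bytes) -> str:
    """Coarse verdict for a triage queue: not-rtf, remote-template or clean."""
    if not _is_rtf(rtf):
        return "not-rtf"
    return "remote-template" if find_remote_templates(rtf) else "clean"


# Constructed samples (hypothetical hosts, .invalid TLD).
SAMPLE_MALICIOUS = (
    b"{\\rtf1\\ansi\\deff0"
    b"{\\*\\template \\'68\\'74\\'74\\'70://example.invalid/payload.dotm}"
    b"{\\fonttbl{\\f0 Calibri;}}\\pard Quarterly report\\par}"
)
SAMPLE_BENIGN = b"{\\rtf1\\ansi\\deff0{\\*\\template C:\\\\Templates\\\\normal.dotm}\\pard Hi\\par}"
SAMPLE_NOT_RTF = b"PK\x03\x04 not an rtf at all"

if __name__ == "__main__":
    for name, blob in [("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN),
                       ("not-rtf", SAMPLE_NOT_RTF)]:
        print(f"{name:10s} {classify(blob):16s} {find_remote_templates(blob)}")
```

A local template path such as `C:\Templates\normal.dotm` is left alone, so the check can run on every inbound RTF attachment without flooding analysts; a hit is worth blocking outright, since legitimate documents rarely pull their template from an external host.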

Defending against threats like APT-C-35

Defending against APTs such as the DoNot Team requires a defense-in-depth strategy that layers multiple security controls. Because the group exploits gaps that many organizations have not yet closed, it is recommended to deploy network firewalls, EDR and XDR to detect anomalous activity at the initial-access stage and to contain it at runtime. For this particular chain, the entry point itself can be closed directly: block macros in documents that originate from the internet, and alert on Office processes that make outbound HTTP requests, since a document fetching a remote template is the first observable step of the attack.
Cyware Publisher