The Donot Team threat actor has updated its Jaca Windows malware toolkit with improved functionality, including a revamped stealer module designed to plunder information from the Google Chrome and Mozilla Firefox browsers.
The improvements also include a new infection chain that integrates previously undocumented components into the modular framework, Morphisec researchers Hido Cohen and Arnold Osipov disclosed in a report published last week.
Also known as APT-C-35 and Viceroy Tiger, the Donot Team has set its sights on defence, diplomatic, government and military entities in India, Pakistan, Sri Lanka and Bangladesh, among others, since at least 2016.
Evidence uncovered by Amnesty International in October 2021 linked the group’s attack infrastructure to an Indian cybersecurity company called Innefu Labs.
Spear-phishing campaigns carrying malicious Microsoft Office documents are the group's preferred delivery route for the malware, with macros and other known vulnerabilities in productivity software then exploited to launch the backdoor.
Morphisec's latest findings build on an earlier report by cybersecurity firm ESET, which detailed the adversary's intrusions against military organizations based in South Asia using multiple versions of its yty malware framework, including Jaca.
This involves the use of RTF documents that trick users into enabling macros, which results in the execution of a memory-injected piece of shellcode which, in turn, downloads second-stage shellcode from its command-and-control (C2) server.
The second stage then acts as a conduit to retrieve a DLL file ("pgixedfxglmjirdc.dll") from another remote server, which starts the actual infection by reporting system information to the C2 server, establishing persistence via a scheduled task and retrieving the next-stage DLL ("WavemsMp.dll").
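The chain described above leaves behaviour-level traces that a defender can look for independently of any particular sample: an Office application spawning a script host after a macro is enabled, rundll32.exe loading a DLL from a user-writable directory, and a scheduled task whose action points into such a directory. The following rule-based scanner is an added example written for this article, not code from Morphisec or from the report; the Sysmon-style event layout (event, parent, image, cmdline), the rule names, the path markers and the sample events are all constructed here, with only the two DLL file names taken from the article.

```python
"""
Added example (not from the Morphisec report or the original article):
a small rule-based detector that scans Sysmon-style process and scheduled-task
events for the behaviours the Jaca infection chain exhibits. The event fields,
rule names and sample events are constructed for this example; only the two
DLL names come from the article.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed Sysmon-like events (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # benign: the user opens Word and nothing else happens
    {"event": "ProcessCreate", "parent": "explorer.exe", "image": "winword.exe",
     "cmdline": "winword.exe report.docx"},
    # suspicious: Word (after a macro-enabled RTF) spawns a script host
    {"event": "ProcessCreate", "parent": "winword.exe", "image": "wscript.exe",
     "cmdline": "wscript.exe C:\\Users\\u\\AppData\\Local\\Temp\\run.vbs"},
    # suspicious: rundll32 loads a DLL from a user-writable path (name from the article)
    {"event": "ProcessCreate", "parent": "wscript.exe", "image": "rundll32.exe",
     "cmdline": "rundll32.exe C:\\Users\\u\\AppData\\Roaming\\pgixedfxglmjirdc.dll,Start"},
    # suspicious: a scheduled task whose action lives in AppData (name from the article)
    {"event": "TaskCreate", "parent": "rundll32.exe", "image": "schtasks.exe",
     "cmdline": "schtasks.exe /create /sc minute /mo 5 /tn Update "
                "/tr \"rundll32.exe C:\\Users\\u\\AppData\\Roaming\\WavemsMp.dll,Run\""},
    # benign: an administrator schedules a program installed under Program Files
    {"event": "TaskCreate", "parent": "cmd.exe", "image": "schtasks.exe",
     "cmdline": "schtasks.exe /create /sc daily /tn Backup "
                "/tr \"C:\\Program Files\\Backup\\backup.exe\""},
]

# Assumed rule inputs: which parents count as Office apps, which children as
# script hosts, and which path fragments mark user-writable locations.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe",
                "mshta.exe", "rundll32.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


@dataclass
class Finding:
    rule: str      # which behavioural rule fired
    cmdline: str   # the command line that triggered it


def _user_writable(path: str) -> bool:
    """True if the command line references a user-writable directory."""
    lowered = path.lower()
    return any(marker in lowered for marker in USER_WRITABLE)


def evaluate(event: Dict[str, str]) -> List[Finding]:
    """Apply the three behavioural rules to one event."""
    findings: List[Finding] = []
    parent = event["parent"].lower()
    image = event["image"].lower()
    cmdline = event["cmdline"]

    # Rule 1: Office application spawning a script host (macro execution).
    if event["event"] == "ProcessCreate" and parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        findings.append(Finding("office_spawns_script_host", cmdline))

    # Rule 2: rundll32 loading a DLL from a user-writable path (stage DLLs).
    if image == "rundll32.exe" and ".dll" in cmdline.lower() and _user_writable(cmdline):
        findings.append(Finding("rundll32_dll_from_user_writable_path", cmdline))

    # Rule 3: scheduled-task persistence pointing into a user-writable path.
    if event["event"] == "TaskCreate" and _user_writable(cmdline):
        findings.append(Finding("scheduled_task_runs_from_user_writable_path", cmdline))

    return findings


def scan(events: List[Dict[str, str]]) -> List[Finding]:
    """Run every event through the rules and collect the findings."""
    return [finding for event in events for finding in evaluate(event)]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding.rule}] {finding.cmdline}")
```

Run against the constructed events, the scanner flags the three stages (macro-launched script host, stage DLL via rundll32, scheduled task into AppData) and leaves the two benign events alone. In production the same rules would be expressed in the SIEM or EDR query language, and the path markers and process lists tuned to the environment's baseline.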
“The main purpose of this step is to download and execute modules used to steal user information,” the researchers noted. “To understand which modules are used in the current infection, the malware communicates with another C2 server.”
The C2 domain, meanwhile, is obtained by accessing an embedded link that points to a Google Drive document, allowing the malware access to a configuration that dictates which modules to download and run.
These modules extend the malware's functionality and collect a wide range of data such as keystrokes, screenshots, files and information stored in web browsers. Also part of the toolset is a reverse shell module that grants the actor remote access to the victim machine.
This development is another sign that threat actors are actively adapting the tactics and techniques that prove most effective at obtaining the initial infection and maintaining remote access for long periods of time.
“Defending against APTs like the Donot team requires a defense-in-depth strategy that uses multiple layers of security to provide redundancy in the event of a breach at any given layer,” the researchers said.