DoNot APT Description
DoNot, also known in the infosec community as APT-C-35 and SectorE02, is an Advanced Persistent Threat (APT) group whose activity can be traced back to 2012. Since then, the group has expanded its operations to targets on several continents, including Bangladesh, Thailand, Sri Lanka, the Philippines, Argentina, the United Arab Emirates and Great Britain. From the start, however, its main focus has remained South Asia, and more specifically Pakistan, India and the Kashmir conflict.
The group specializes in cyberespionage and data theft, relying on an arsenal of custom-built malware. Most campaigns involve a complex attack chain made up of several loaders that passes through multiple stages before the final payload is delivered. The DoNot operators have also shown an ability to iterate on their tooling, regularly adding new functionality to their malware and adopting more sophisticated techniques.
In most of its attacks, the DoNot APT uses Command-and-Control (C2, C&C) servers rented from DigitalOcean, LLC (ASN 14061) and located in Amsterdam. Each new domain name is assigned its own newly allocated host.
Complex Attack Chain Involving Custom Malware
While not conclusive, there is enough circumstantial evidence to suggest that the group's initial compromise vector is phishing email carrying MS Word documents in Office Open XML format. The initial document contains no malicious code of its own; instead, it abuses Office's automatic loading of externally referenced elements to fetch the next stage of the attack chain, so a scan for embedded macros or executables alone will not catch it.
Several loaders are dropped onto the compromised system during the process, each with a different task. In one campaign, for example, the Serviceflow.exe Trojan acted as a watchdog that collected and stored the user and computer name, the OS version, processor details, and the contents of \Program Files and \Program Files (x86). It was also responsible for downloading and deploying the files A64.dll and sinter.exe. Sinter is another Trojan, but its functionality differs significantly: it notifies the threat actors of the new infection by sending a request to a specific URL, and it exfiltrates the information collected about the compromised system to 'skillsnew[.]top'. That information lets the operators decide whether the target is worth further exploitation.
Constant Development Of Malware Tools
The DoNot APT has demonstrated on numerous occasions its continued focus on iteration and improvement, which is easy to see across the different loader versions the group has used. In the earlier versions, before mid-2018, all strings were stored in cleartext; in subsequent versions, progressively more elaborate encoding and encryption was introduced:
- May 2018 - encoded with Base64
- April 2019 - double Base64 encoding
- January 2019 - encryption with the AES algorithm in CBC mode, followed by Base64 encoding
- June 2019 - character-by-character circular subtraction of a fixed key array, UTF-8 encoding of the result, followed by Base64 encoding
- October 2019 - character-by-character circular modified XOR with a fixed key array, followed by double Base64 encoding
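To make the progression concrete, the following encoder/decoder pairs reproduce the layered schemes in the list above (single and double Base64, circular subtraction plus UTF-8 plus Base64, and XOR plus double Base64). This is an added example, not DoNot's loader code: the key array is hypothetical, "modified XOR" is modelled as plain XOR because the page does not describe the modification, and the January 2019 AES-CBC stage is left out because the standard library has no AES (it would slot in as a Base64 decode followed by a CBC decrypt with the key and IV recovered from the sample).

```python
import base64

# Hypothetical key array; the real loaders' key bytes are not given on this page.
KEY = bytes([0x1F, 0x2E, 0x3D, 0x4C, 0x5B, 0x6A])


def enc_b64(text, key=None):
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def dec_b64(blob, key=None):
    return base64.b64decode(blob, validate=True).decode("utf-8")


def enc_b64x2(text, key=None):
    return enc_b64(enc_b64(text))


def dec_b64x2(blob, key=None):
    return dec_b64(dec_b64(blob))


def enc_sub_utf8_b64(text, key=KEY):
    # Each character has the next key byte subtracted modulo 256 ("circular"),
    # the shifted string is UTF-8 encoded, then Base64 encoded. Assumes the
    # plaintext uses code points below 256, which holds for URLs and API names.
    shifted = "".join(chr((ord(c) - key[i % len(key)]) % 256) for i, c in enumerate(text))
    return base64.b64encode(shifted.encode("utf-8")).decode("ascii")


def dec_sub_utf8_b64(blob, key=KEY):
    shifted = base64.b64decode(blob, validate=True).decode("utf-8")
    return "".join(chr((ord(c) + key[i % len(key)]) % 256) for i, c in enumerate(shifted))


def enc_xor_b64x2(text, key=KEY):
    # Byte-wise XOR against the cycling key (stand-in for the "modified XOR"),
    # then two Base64 layers.
    raw = text.encode("utf-8")
    xored = bytes(b ^ key[i % len(key)] for i, b in enumerate(raw))
    return base64.b64encode(base64.b64encode(xored)).decode("ascii")


def dec_xor_b64x2(blob, key=KEY):
    xored = base64.b64decode(base64.b64decode(blob, validate=True), validate=True)
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(xored)).decode("utf-8")


SCHEMES = {
    "2018-05 base64": (enc_b64, dec_b64),
    "2019-04 double base64": (enc_b64x2, dec_b64x2),
    "2019-06 sub+utf8+base64": (enc_sub_utf8_b64, dec_sub_utf8_b64),
    "2019-10 xor+double base64": (enc_xor_b64x2, dec_xor_b64x2),
}


def encode(scheme, text, key=KEY):
    return SCHEMES[scheme][0](text, key)


def decode(scheme, blob, key=KEY):
    return SCHEMES[scheme][1](blob, key)


def roundtrip_all(text, key=KEY):
    """True only if every decoder exactly inverts its encoder for `text`."""
    return all(decode(name, encode(name, text, key), key) == text for name in SCHEMES)


if __name__ == "__main__":
    for name in SCHEMES:
        print(f"{name:28s} {encode(name, 'http://')}")
```

When working a real sample, pick the scheme from the loader's own decode routine rather than by trial: several of these layers will turn an arbitrary blob into printable ASCII (a double-Base64 string is itself valid Base64, and XOR with the wrong key still yields printable bytes for many inputs), so "it decoded to something readable" is not evidence that the right scheme or key was used.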
In the most recently observed DoNot operation, the group deployed a new Android malware loader named Firestarter. The loader abuses a legitimate service, Firebase Cloud Messaging (FCM), which Google provides through its Firebase subsidiary. FCM is a cross-platform cloud messaging and push-notification service for Android, iOS and web applications.
Firestarter uses FCM as the channel for communicating with its C2 servers. Routing C2 traffic through a legitimate, widely used service makes the malicious traffic much harder to spot: the connections go to Google's own FCM endpoints rather than to attacker-controlled infrastructure, so they blend in with the normal push-notification traffic that benign applications on the device generate.