
Firebird Backdoor

The threat group identified as DoNot Team has been associated with the deployment of an innovative .NET-based backdoor known as Firebird. This backdoor has been utilized to target a small number of victims located in Pakistan and Afghanistan.

Cybersecurity researchers have identified that these attacks are set up to deploy a downloader called CSVtyrei, a name derived from its similarities to Vtyrei. Vtyrei, also known as BREEZESUGAR, denotes an initial-stage payload and downloader variant previously used by the adversary to distribute a malicious framework called RTY.

DoNot Team is an Active Cybercrime Threat Actor

DoNot Team, also known as APT-C-35, Origami Elephant, and SECTOR02, is an Advanced Persistent Threat (APT) group believed to have affiliations with the Indian government. This group has been active since at least 2016, and there is a possibility that its formation predates this period.

The primary objective of DoNot Team appears to be espionage in support of the Indian government's interests. Cybersecurity researchers have observed multiple campaigns carried out by this group with this specific goal in mind.

While DoNot Team's first known attack targeted a telecommunications company in Norway, its focus is primarily espionage in South Asia. Its main area of interest is the Kashmir region, given the ongoing Kashmir Conflict. This dispute has persisted for a long time, with both India and Pakistan claiming sovereignty over the entire region, even though each controls only a portion of it. Diplomatic efforts to reach a lasting resolution have so far proven unsuccessful.

DoNot Team primarily targets entities associated with governments, ministries of foreign affairs, military organizations and embassies in its operations.

Firebird Backdoor is a New Threatening Tool Deployed by the DoNot Team

Detailed analysis has revealed a new .NET-based backdoor referred to as Firebird. It consists of a primary loader and at least three plugins. Notably, all analyzed samples were heavily obfuscated with ConfuserEx, which keeps their detection rate extremely low. Certain sections of code in the samples also appeared non-functional, suggesting that development is ongoing.

The South Asia Region Is a Hotbed for Cybercrime Activities

Researchers have also observed the Pakistan-based Transparent Tribe, also known as APT36, targeting sectors of the Indian government with an updated malware arsenal that includes a previously undocumented Windows trojan named ElizaRAT.

Transparent Tribe, operational since 2013, has engaged in credential harvesting and malware distribution attacks. They often distribute trojanized installers of Indian government applications like Kavach multi-factor authentication. Additionally, they've leveraged open-source command-and-control (C2) frameworks, such as Mythic.

Notably, Transparent Tribe has expanded its focus to Linux systems. Researchers have identified a limited number of desktop entry files that facilitate the execution of Python-based ELF binaries, including GLOBSHELL for file exfiltration and PYSHELLFOX for extracting session data from the Mozilla Firefox browser. Linux-based operating systems are prevalent within the Indian government sector.
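Desktop entry (.desktop) files are a plain INI-style format, so a defender can audit them with a short script. The following is an added example, not code from the page or from any of the researchers it cites, and it does not reproduce the actual GLOBSHELL or PYSHELLFOX launchers: it applies generic heuristics (a program run from outside the usual system binary directories, a hidden directory in the program path, an entry hidden from menus with `NoDisplay=true`, or placement in an autostart directory) to constructed sample entries. The trusted-prefix allowlist and the sample file paths are assumptions to be tuned for the environment being scanned.

```python
"""Heuristic audit of freedesktop .desktop launchers (added example, not from the page)."""
import configparser
import shlex
from typing import Dict, List

# Assumption: directories from which a legitimate launcher normally runs programs.
TRUSTED_PREFIXES = ("/usr/bin/", "/usr/local/bin/", "/bin/", "/usr/lib/",
                    "/usr/libexec/", "/opt/", "/snap/bin/")
INTERPRETERS = {"sh", "bash", "perl"}
FIELD_CODES = {"%u", "%U", "%f", "%F", "%i", "%c", "%k"}  # Exec placeholders, ignored


def parse_desktop_entry(text: str) -> Dict[str, str]:
    """Return the [Desktop Entry] group as a dict; keys are case-sensitive per the spec."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case (configparser lowercases by default)
    cp.read_string(text)
    if "Desktop Entry" not in cp:
        return {}
    return dict(cp["Desktop Entry"])


def resolve_program(exec_value: str) -> str:
    """Path of the program an Exec line ultimately runs.

    If the first token is an interpreter (python*, sh, bash, perl), the program
    of interest is the first non-option argument, i.e. the script it executes.
    """
    tokens = [t for t in shlex.split(exec_value) if t not in FIELD_CODES]
    if not tokens:
        return ""
    prog = tokens[0]
    base = prog.rsplit("/", 1)[-1]
    if base in INTERPRETERS or base.startswith("python"):
        for tok in tokens[1:]:
            if not tok.startswith("-"):
                return tok
    return prog


def scan_desktop_entry(text: str, location: str = "") -> List[str]:
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    entry = parse_desktop_entry(text)
    findings: List[str] = []
    exec_value = entry.get("Exec", "")
    if not exec_value:
        return findings
    program = resolve_program(exec_value)
    if program.startswith("/") and not program.startswith(TRUSTED_PREFIXES):
        findings.append(f"executes from untrusted location: {program}")
    components = [c for c in program.split("/") if c not in ("", ".", "..")]
    if any(c.startswith(".") for c in components):
        findings.append(f"hidden directory or file in program path: {program}")
    # Context indicators only matter when the program itself looks out of place.
    if findings and entry.get("NoDisplay", "").strip().lower() == "true":
        findings.append("hidden from application menus (NoDisplay=true)")
    if findings and "/autostart/" in location:
        findings.append(f"runs automatically at login: {location}")
    return findings


# Constructed sample entries for demonstration; they are not real campaign artifacts.
SAMPLES = {
    "/usr/share/applications/firefox.desktop":
        "[Desktop Entry]\nType=Application\nName=Firefox\nExec=/usr/bin/firefox %u\n",
    "/home/user/.config/autostart/gnome-helper.desktop":
        "[Desktop Entry]\nType=Application\nName=GNOME Helper\nNoDisplay=true\n"
        "Exec=/home/user/.cache/.gnome-helper/helper --daemon\n",
    "/home/user/.local/share/applications/update.desktop":
        "[Desktop Entry]\nType=Application\nName=Update\nExec=python3 /tmp/.x/update.py %f\n",
}


def scan_all(samples: Dict[str, str] = SAMPLES) -> Dict[str, List[str]]:
    """Scan every (path, contents) pair and map each path to its findings."""
    return {path: scan_desktop_entry(text, path) for path, text in samples.items()}


if __name__ == "__main__":
    for path, findings in scan_all().items():
        print(f"{'SUSPICIOUS' if findings else 'ok':10} {path}")
        for finding in findings:
            print(f"           - {finding}")
```

In a real deployment the `SAMPLES` dictionary would be replaced by reading `~/.config/autostart`, `~/.local/share/applications` and `/etc/xdg/autostart` from disk; the heuristics stay the same, and any hit should be followed by checking the referenced binary's hash and origin rather than treated as a verdict on its own.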

In addition to DoNot Team and Transparent Tribe, another nation-state actor from the Asia-Pacific region has emerged with a particular interest in Pakistan. This actor, known as Mysterious Elephant or APT-K-47, has been linked to a spear-phishing campaign. This campaign deploys a novel backdoor called ORPCBackdoor, which has the capability to execute files and commands on the victim's computer and communicate with a malicious server to send or receive files and commands.
