The threat actor known as DoNot Team has been linked to the use of a novel .NET-based backdoor called Firebird targeting a handful of victims in Pakistan and Afghanistan.
Cybersecurity firm Kaspersky, which disclosed the findings in its APT trends report for Q3 2023, said the attack chains are also configured to deliver a downloader named CSVtyrei, so named for its resemblance to Vtyrei.
“Some code within the samples appeared non-functional, hinting at ongoing development efforts,” the Russian firm said.
Vtyrei (aka BREEZESUGAR) refers to a first-stage payload and downloader strain previously harnessed by the adversary to deliver a malware framework known as RTY.
DoNot Team, also known by the names APT-C-35, Origami Elephant, and SECTOR02, is suspected to be of Indian origin, with its attacks employing spear-phishing emails and rogue Android apps to propagate malware.
The latest analysis from Kaspersky builds on an analysis of the threat actor’s twin attack sequences in April 2023 to deploy the Agent K11 and RTY frameworks.
The disclosure also follows Zscaler ThreatLabz’s uncovering of new malicious activity carried out by the Pakistan-based Transparent Tribe (aka APT36) actor targeting Indian government sectors using an updated malware arsenal that includes a previously undocumented Windows trojan dubbed ElizaRAT.
“ElizaRAT is delivered as a .NET binary and establishes a C2 communication channel via Telegram, enabling threat actors to exert full control over the targeted endpoint,” security researcher Sudeep Singh noted last month.
Active since 2013, Transparent Tribe has leveraged credential harvesting and malware distribution attacks, often distributing trojanized installers of Indian government applications like Kavach multi-factor authentication and weaponizing open-source command-and-control (C2) frameworks such as Mythic.
In a sign that the hacking crew has also set its eyes on Linux systems, Zscaler said it identified a small set of desktop entry files that pave the way for the execution of Python-based ELF binaries, including GLOBSHELL for file exfiltration and PYSHELLFOX for stealing session data from the Mozilla Firefox browser.
“Linux-based operating systems are extensively used in the Indian government sector,” Singh said, adding the targeting of the Linux environment is also likely motivated by India’s decision to replace Microsoft Windows OS with Maya OS, a Debian Linux-based operating system, across government and defense sectors.
Joining DoNot Team and Transparent Tribe is another nation-state actor from the Asia-Pacific region with a focus on Pakistan.
Codenamed Mysterious Elephant (aka APT-K-47), the hacking group has been attributed to a spear-phishing campaign that drops a novel backdoor called ORPCBackdoor, which is capable of executing files and commands on the victim’s computer and of receiving files or commands from a malicious server.
According to the Knownsec 404 Team, APT-K-47 shares tooling and targeting overlaps with those of other actors such as SideWinder, Patchwork, Confucius, and Bitter, most of which are assessed to be aligned with India.