The threat actor known as DoNot Team has been linked to the use of a novel .NET-based backdoor called Firebird targeting a handful of victims in Pakistan and Afghanistan.
Cybersecurity company Kaspersky, which disclosed the findings in its APT trends report Q3 2023, said the attack chains are also configured to deliver a downloader named CSVtyrei, so named for its resemblance to Vtyrei.
“Some code within the samples appeared non-functional, hinting at ongoing development efforts,” the Russian company said.
Vtyrei (aka BREEZESUGAR) refers to a first-stage payload and downloader strain previously used by the adversary to deliver a malware framework known as RTY.
DoNot Team, also tracked as APT-C-35, Origami Elephant, and SECTOR02, is suspected to be of Indian origin, and its attacks use spear-phishing emails and rogue Android apps to propagate malware.
The latest analysis from Kaspersky builds on an investigation of the threat actor's twin attack sequences in April 2023 that deployed the Agent K11 and RTY frameworks.
The disclosure also follows Zscaler ThreatLabz's uncovering of new malicious activity by the Pakistan-based Transparent Tribe (aka APT36) actor targeting Indian government sectors with an updated malware arsenal that includes a previously undocumented Windows trojan dubbed ElizaRAT.
“ElizaRAT is delivered as a .NET binary and establishes a C2 communication channel via Telegram, enabling threat actors to exert complete control over the targeted endpoint,” security researcher Sudeep Singh noted last month.
Active since 2013, Transparent Tribe has relied on credential harvesting and malware distribution, often circulating trojanized installers of Indian government applications such as the Kavach multi-factor authentication client and weaponizing open-source command-and-control (C2) frameworks such as Mythic.
In a sign that the group has also set its sights on Linux systems, Zscaler said it identified a small set of desktop entry files (.desktop launchers) that lead to the execution of Python-based ELF binaries, including GLOBSHELL for file exfiltration and PYSHELLFOX for stealing session data from the Mozilla Firefox browser.
“Linux-based operating systems are widely used in the Indian government sector,” Singh said, adding that the targeting of Linux environments is also likely motivated by India's decision to replace Microsoft Windows with Maya OS, a Debian-based Linux distribution, across government and defense sectors.
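The Linux foothold described above hinges on .desktop launcher files, whose Exec= line is run by the desktop session without any further user interaction. The script below is an added example, not code from the page or from Zscaler, showing how a defender can triage such files: it parses the [Desktop Entry] group, resolves what Exec= actually runs (looking through an interpreter such as python3 to the script it is handed), and flags launchers whose target lives outside an assumed set of trusted directories, sits under a dot-directory, does not match the menu name it advertises, or is hidden from menus. The trusted directory list, the reason codes, and the three sample launchers are constructed assumptions for illustration.

```python
"""Heuristic triage of XDG .desktop entries that launch unexpected binaries.

Added example; the samples and rules below are constructed assumptions,
not Zscaler's detection logic or any indicator from the reported campaign.
"""
import configparser
import shlex
from pathlib import PurePosixPath

# Assumed directories in which a legitimate Exec= target is expected to live.
TRUSTED_DIRS = ("/usr/bin", "/usr/local/bin", "/bin", "/usr/lib",
                "/usr/libexec", "/opt", "/snap")
# Interpreters commonly used in Exec= to hand control to a script.
INTERPRETERS = {"python", "python2", "python3", "sh", "bash", "perl"}

# Constructed samples: a normal launcher, a masquerading one that runs a
# binary from a dot-directory, and one that wraps a script in an interpreter.
BENIGN = """[Desktop Entry]
Type=Application
Name=Firefox Web Browser
Exec=/usr/bin/firefox %u
Terminal=false
"""
MASQUERADE = """[Desktop Entry]
Type=Application
Name=Firefox
Exec=/home/user/.cache/.x/update
Terminal=false
NoDisplay=true
"""
SCRIPT_WRAPPED = """[Desktop Entry]
Type=Application
Name=System Update
Exec=/usr/bin/python3 /home/user/.local/share/.s/sync.py
Terminal=false
"""


def parse_desktop_entry(text: str) -> dict:
    """Return the [Desktop Entry] group of a .desktop file as a dict (empty if absent)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case: Exec, Name, NoDisplay
    cp.read_string(text)
    return dict(cp["Desktop Entry"]) if cp.has_section("Desktop Entry") else {}


def exec_target(exec_line: str) -> str:
    """Program that Exec= really runs: field codes (%u, %f, ...) are dropped and,
    when the first word is an interpreter, the script it is given is returned."""
    argv = [tok for tok in shlex.split(exec_line) if not tok.startswith("%")]
    if not argv:
        return ""
    if PurePosixPath(argv[0]).name in INTERPRETERS and len(argv) > 1:
        return argv[1]
    return argv[0]


def assess(entry: dict) -> list:
    """Return reason codes for one parsed entry; an empty list means nothing looked off."""
    reasons = []
    target = exec_target(entry.get("Exec", ""))
    if not target:
        return reasons
    path = PurePosixPath(target)
    # Absolute target outside the trusted directories (relative names resolve via PATH, skipped here).
    if path.is_absolute() and not any(str(path).startswith(d + "/") for d in TRUSTED_DIRS):
        reasons.append("untrusted-exec-dir")
    # Any dot-directory component (e.g. ~/.cache/.x) is unusual for a menu launcher.
    if any(part.startswith(".") and part not in (".", "..") for part in path.parts):
        reasons.append("hidden-path-component")
    # Menu label claims one application while the binary name says something else.
    name = entry.get("Name", "").lower().split()
    if name and name[0] not in path.name.lower():
        reasons.append("name-exec-mismatch")
    # Launchers that run but are hidden from menus are a common persistence pattern.
    if entry.get("NoDisplay", "").lower() == "true":
        reasons.append("hidden-from-menus")
    return reasons


if __name__ == "__main__":
    for label, text in (("benign", BENIGN), ("masquerade", MASQUERADE),
                        ("script_wrapped", SCRIPT_WRAPPED)):
        print(label, assess(parse_desktop_entry(text)))
```

On a real host the same function would be run over ~/.config/autostart, /etc/xdg/autostart and ~/.local/share/applications; the reason codes are meant to rank files for an analyst, not to block execution, since legitimate vendor launchers in /opt or a user's own scripts under ~/.local will also trip individual rules.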
Joining DoNot Team and Transparent Tribe is another nation-state actor from the Asia-Pacific region with a focus on Pakistan.
Codenamed Mysterious Elephant (aka APT-K-47), the group has been attributed to a spear-phishing campaign that drops a novel backdoor called ORPCBackdoor, which is capable of executing files and commands on the victim's computer and of receiving files or commands from a malicious server.
According to the Knownsec 404 Team, APT-K-47 shares tooling and targeting overlaps with other actors such as SideWinder, Patchwork, Confucius, and Bitter, most of which are assessed to be aligned with India.
Some parts of this article are sourced from: thehackernews.com