Trellix reveals how the India-linked DoNot APT group launched a classy spear-phishing assault on a European overseas affairs ministry. Find out about their techniques, the LoptikMod malware, and why this cyber espionage marketing campaign issues for international diplomacy.
A complicated marketing campaign by the infamous DoNot APT group, additionally identified by names like APT-C-35 and Mint Tempest, has just lately focused a European overseas affairs ministry. This assault, uncovered by the Trellix Superior Analysis Centre, highlights the group’s increasing attain past its conventional give attention to South Asia.
Lively since at the least 2016, the DoNot APT group is a persistent risk, primarily identified for concentrating on authorities, army, and diplomatic organisations. This group is believed to function with a give attention to South Asian geopolitical pursuits and has been attributed by a number of distributors to have hyperlinks to India. This latest incident, nevertheless, reveals a broadening of their operations into Europe.
Trellix’s researchers had been in a position to determine this marketing campaign by blocking the preliminary electronic mail chain, which allowed them to analyse the assault’s Ways, Methods, and Procedures (TTPs). Reportedly, the attackers employed a extremely misleading spear-phishing tactic, impersonating European defence officers.
These malicious emails, which talked about a go to to Bangladesh, aimed to trick targets into clicking on a dangerous Google Drive hyperlink. This methodology of utilizing frequent cloud providers for preliminary an infection showcases the group’s adaptability of their strategy.
The assault unfolded in a number of calculated steps. The preliminary spear-phishing electronic mail originated from a Gmail deal with (int.dte.afd.1@gmailcom). It featured a topic line associated to diplomatic actions, particularly “Italian Defence Attaché Go to to Dhaka, Bangladesh.” The attackers even used HTML formatting with UTF-8 encoding to correctly show particular characters like “é” in “Attaché,” signifying consideration to element to extend legitimacy.
Upon clicking the Google Drive hyperlink, victims downloaded a malicious RAR archive named ‘SyClrLtr.rar,’ containing an executable file disguised as a PDF (notflog.exe). It deployed a batch file and established persistence, which means the malware would stay lively by a scheduled job set to run each 10 minutes.
The malware concerned on this marketing campaign is LoptikMod, a instrument solely related to the DoNot APT group since 2018. This malware gathers system particulars resembling CPU mannequin, working system info, username, and hostname.
This info is then encrypted and despatched to a command and management (C2) server, which permits the attackers to keep up communication and doubtlessly exfiltrate delicate information. It’s price noting that past LoptikMod, the DoNot APT group additionally makes use of custom-built Home windows malware, together with backdoors like YTY and GEdit.
The concentrating on of a European overseas affairs ministry highlights the group’s unwavering curiosity in gathering delicate info and its rising international attain. Such assaults on diplomatic entities are basic examples of espionage operations, aiming to achieve unauthorised entry to categorised state communications, coverage paperwork, and intelligence stories.
Organisations, significantly these in authorities and diplomacy, are, therefore, urged to reinforce their cybersecurity measures, together with stronger electronic mail safety, community site visitors evaluation, and endpoint detection and response (EDR) options, to defend in opposition to these evolving threats.
