Last Updated on 23/01/2022 by Nidhi Khandelwal
Since at least September 2020, a threat actor with possible ties to an Indian cybersecurity firm has been launching attacks against military organizations in South Asia, including Bangladesh, Nepal, and Sri Lanka, using several variants of its proprietary malware framework.
The highly focused attacks were attributed to a hacking group known as Donot Team, according to ESET, a Slovak cybersecurity firm. “Every two to four months, the Donot Team has been sending waves of spear-phishing emails with malware files to the same businesses,” researchers Facundo Muñoz and Matías Porolli said.
Donot Team (also known as APT-C-35 and SectorE02) has been linked to a spate of intrusions in Bangladesh, Sri Lanka, Pakistan, and Nepal, particularly targeting embassies, governments, and military organizations with Windows and Android malware since at least 2016.
In October 2021, Amnesty International published evidence linking the threat actor’s attack infrastructure to an Indian cybersecurity firm called Innefu Labs, raising concerns that the operator may be selling its malware or offering a hackers-for-hire service to governments in the region.
While it is common for APT groups to regain access to a previously compromised network by installing stealthier backdoors that hide their tracks, Donot Team takes a different approach: it keeps re-deploying new variants of the malware it already has.
The so-called yty malware framework is a chain of intermediary downloaders that culminates in the execution of a backdoor, which in turn retrieves additional components capable of harvesting files, recording keystrokes and screenshots, and deploying reverse shells for remote access. The initial stage is delivered via weaponized Microsoft Office documents attached to the spear-phishing emails.
DarkMusical and Gedit are the latest yty variants, according to ESET, whose telemetry also shows attacks by a third variant called Jaca between March and July 2021. The first wave of DarkMusical attacks reportedly began in June 2021, while Gedit-related campaigns started in September 2020 and intensified a year later.
Furthermore, a modified version of Gedit called Henos was used in a fourth round of attacks targeting military organizations in Bangladesh and Sri Lanka between February and March 2021.