The DoNot Advanced Persistent Threat (APT) group, also known as APT-C-35, Mint Tempest, Origami Elephant, SECTOR02, and Viceroy Tiger, has been active since at least 2016. This group is believed to have ties to Indian state interests and has primarily focused on cyber espionage activities targeting government entities, foreign ministries, defense organizations, and non-governmental organizations (NGOs) in South Asia and Europe.
In a recent campaign, the DoNot APT group targeted a European foreign affairs ministry using a sophisticated malware known as LoptikMod. This malware is designed to harvest sensitive data from compromised systems, establish persistence, and facilitate long-term surveillance.
Attack Methodology:
The attack began with phishing emails sent from a Gmail address impersonating defense officials. The subject line referenced an Italian Defense Attaché’s visit to Dhaka, Bangladesh, adding a layer of credibility to the message. The emails contained a link to a Google Drive file, which, when accessed, downloaded a RAR archive. This archive included a malicious executable disguised as a PDF document.
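The lure in this chain is a file whose name says "PDF" but whose bytes say "Windows executable". The following triage helper, added here as an illustration and not code from the report or from the LoptikMod analysis, compares each extracted file's claimed type with its magic bytes and flags the mismatches a mail gateway or sandbox would want to catch; it also generalizes slightly beyond the page by checking for the right-to-left-override naming trick. All sample file names and contents are constructed.

```python
"""Triage files pulled out of a downloaded archive: flag items whose extension
claims "document" but whose leading bytes identify a Windows PE executable.
Added example for this write-up; not from the report. Samples are constructed."""
from dataclasses import dataclass, field
from typing import List, Tuple

PE_MAGIC = b"MZ"        # DOS header that begins every Windows PE file
PDF_MAGIC = b"%PDF-"    # every PDF starts with a version header
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".js", ".vbs", ".hta", ".lnk"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt"}
RTLO = "\u202e"         # right-to-left override, used to visually reverse a name


@dataclass
class Verdict:
    filename: str
    findings: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.findings)


def classify(filename: str, header: bytes) -> Verdict:
    """Compare what the name claims with what the first bytes contain."""
    verdict = Verdict(filename)
    parts = filename.lower().split(".")
    exts = ["." + p for p in parts[1:]]          # every extension-like suffix
    last = exts[-1] if exts else ""
    is_pe = header.startswith(PE_MAGIC)
    is_pdf = header.startswith(PDF_MAGIC)

    # "invite.pdf.exe": a document extension placed in front of an executable one
    if last in EXECUTABLE_EXTS and any(e in DOCUMENT_EXTS for e in exts[:-1]):
        verdict.findings.append("double_extension")
    # ".pdf" name with PE bytes: an executable renamed to look like a document
    if last == ".pdf" and is_pe:
        verdict.findings.append("pe_disguised_as_pdf")
    # ".pdf" name with neither PDF nor PE bytes: still not what it claims to be
    elif last == ".pdf" and not is_pdf:
        verdict.findings.append("not_a_pdf")
    # RTLO character in the name: "report\u202efdp.exe" renders as "reportexe.pdf"
    if RTLO in filename:
        verdict.findings.append("rtlo_in_name")
    return verdict


def triage(extracted: List[Tuple[str, bytes]]) -> List[Verdict]:
    """Return verdicts only for the files that raised at least one finding."""
    verdicts = (classify(name, data) for name, data in extracted)
    return [v for v in verdicts if v.suspicious]


# Constructed stand-in for an archive's contents: (filename, first bytes).
SAMPLE_ARCHIVE_CONTENTS = [
    ("visit_schedule.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"),   # genuine PDF
    ("visit_schedule.pdf.exe", b"MZ\x90\x00\x03\x00\x00\x00"),  # exe behind a .pdf
    ("itinerary.pdf", b"MZ\x90\x00\x03\x00\x00\x00"),           # exe renamed to .pdf
]

if __name__ == "__main__":
    for v in triage(SAMPLE_ARCHIVE_CONTENTS):
        print(v.filename, "->", ", ".join(v.findings))
```

Only the first 8 bytes or so of each file are needed, so the check is cheap enough to run on every attachment before a user ever sees a file-type icon that the name was chosen to fake.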
Upon execution, the LoptikMod malware was deployed. This remote access trojan (RAT) is capable of:
– Establishing persistence on the host system through scheduled tasks.
– Connecting to a remote command-and-control (C2) server to send system information.
– Receiving further commands from the attackers.
– Downloading additional malicious modules.
– Exfiltrating sensitive data.
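The persistence mechanism listed first above, a scheduled task, leaves a record: Windows Security event 4698 ("A scheduled task was created") carries the task's XML definition, including the command it will run. The following hunting routine, added here as an illustration and not taken from the report or from any LoptikMod detection content, parses that XML and raises an alert when the scheduled command lives in a user-writable directory or is a script host rather than an installed program. The event records, user name, task names and paths below are all constructed.

```python
"""Hunt for scheduled-task persistence in Windows Security event 4698 records.
Added example for this write-up; not from the report. Events are constructed."""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Directories an ordinary user can write to; installed services rarely run from here.
USER_WRITABLE = re.compile(
    r"\\(appdata|temp|tmp|programdata|users\\public|downloads)\\", re.IGNORECASE)
# Interpreters and proxy binaries that are commonly scheduled instead of a real service.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "cmd.exe"}


def parse_task_actions(task_xml: str) -> List[Dict[str, str]]:
    """Extract every <Exec> command/argument pair from a task definition."""
    # The logged XML declares UTF-16, but the event text is already decoded,
    # so drop the declaration before parsing.
    task_xml = re.sub(r"^\s*<\?xml[^>]*\?>", "", task_xml).strip()
    root = ET.fromstring(task_xml)
    actions = []
    for exec_el in root.iter(TASK_NS + "Exec"):
        cmd = exec_el.findtext(TASK_NS + "Command", default="")
        args = exec_el.findtext(TASK_NS + "Arguments", default="")
        actions.append({"command": cmd.strip(), "arguments": args.strip()})
    return actions


def assess_event(event: Dict[str, object]) -> List[str]:
    """Return the reasons a 4698 event looks like persistence (empty if none)."""
    if str(event.get("EventID")) != "4698":
        return []
    reasons = []
    for action in parse_task_actions(str(event["TaskContent"])):
        cmd, args = action["command"], action["arguments"]
        exe = cmd.replace("/", "\\").split("\\")[-1].strip('"').lower()
        if USER_WRITABLE.search(cmd) or USER_WRITABLE.search(args):
            reasons.append(f"runs from user-writable path: {cmd} {args}".strip())
        if exe in SCRIPT_HOSTS:
            reasons.append(f"script host scheduled: {exe} {args}".strip())
    return reasons


def hunt(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Run assess_event over a batch of events and collect the alerts."""
    alerts = []
    for ev in events:
        reasons = assess_event(ev)
        if reasons:
            alerts.append({"task": ev.get("TaskName"),
                           "user": ev.get("SubjectUserName"), "reasons": reasons})
    return alerts


# Constructed 4698 records, reduced to the fields the hunt needs.
CONSTRUCTED_EVENTS = [
    {"EventID": 4698, "SubjectUserName": "jdoe", "TaskName": "\\OneDrive Update",
     "TaskContent": r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Users\jdoe\AppData\Roaming\svchost.exe</Command></Exec>
  </Actions>
</Task>"""},
    {"EventID": 4698, "SubjectUserName": "SYSTEM", "TaskName": "\\Vendor\\Updater",
     "TaskContent": r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><Enabled>true</Enabled></CalendarTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Program Files\Vendor\updater.exe</Command><Arguments>/check</Arguments></Exec>
  </Actions>
</Task>"""},
    {"EventID": 4698, "SubjectUserName": "jdoe", "TaskName": "\\Microsoft\\Windows\\Sync",
     "TaskContent": r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Command>
      <Arguments>-WindowStyle Hidden -File C:\Users\Public\sync.ps1</Arguments></Exec>
  </Actions>
</Task>"""},
]

if __name__ == "__main__":
    for alert in hunt(CONSTRUCTED_EVENTS):
        print(alert["user"], alert["task"], alert["reasons"])
```

Event 4698 is only written when the "Audit Other Object Access Events" subcategory is enabled, so the first step in practice is to confirm that policy is on; the same parsing works on the TaskContent field of forwarded events in a SIEM, where a task name that imitates a Microsoft path (as the third record does) is itself worth a second look.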
To evade detection and analysis, LoptikMod employs several techniques:
– Anti-VM Techniques: The malware detects virtual environments to prevent execution in sandboxed settings, hindering analysis.
– ASCII Obfuscation: Obfuscates its code to make it more challenging for security tools to identify and analyze its behavior.
– Single Instance Execution: Ensures that only one instance of the malware runs at a time to avoid detection and interference.
Command-and-Control Infrastructure:
The C2 server associated with this campaign was inactive at the time of analysis. This inactivity suggests that the infrastructure may have been temporarily disabled or decommissioned, or that the threat actors have migrated to a different server. As a result, the exact commands issued to infected systems and the specific data exfiltrated remain undetermined.
Implications and Recommendations:
The DoNot APT group’s expansion into targeting European diplomatic entities indicates a broadening of their espionage activities beyond South Asia. Their operations are characterized by persistent surveillance, data exfiltration, and maintaining long-term access to compromised systems, underscoring a strong cyber espionage motive.
To mitigate the risks posed by such sophisticated threat actors, organizations should implement the following measures:
1. Enhanced Email Security: Deploy advanced email filtering solutions to detect and block phishing attempts.
2. User Training: Conduct regular cybersecurity awareness programs to educate staff on recognizing phishing emails and other social engineering tactics.
3. Endpoint Detection and Response (EDR): Utilize EDR solutions to monitor and respond to suspicious activities on endpoints.
4. Regular Software Updates: Ensure all systems and software are up-to-date with the latest security patches to prevent exploitation of known vulnerabilities.
5. Network Segmentation: Implement network segmentation to limit the spread of malware within the organization.
6. Incident Response Plan: Develop and regularly update an incident response plan to quickly address and mitigate security breaches.
By adopting a comprehensive and proactive cybersecurity strategy, organizations can better defend against advanced persistent threats like the DoNot APT group.