Trellix reveals how the India-linked DoNot APT group launched a classy spear-phishing assault on a European overseas affairs ministry. Find out about their ways, the LoptikMod malware, and why this cyber espionage marketing campaign issues for world diplomacy.
A complicated marketing campaign by the infamous DoNot APT group, additionally recognized by names like APT-C-35 and Mint Tempest, has just lately focused a European overseas affairs ministry. This assault, uncovered by the Trellix Superior Analysis Centre, highlights the group’s increasing attain past its conventional give attention to South Asia.
Energetic since no less than 2016, the DoNot APT group is a persistent menace, primarily recognized for concentrating on authorities, navy, and diplomatic organisations. This group is believed to function with a give attention to South Asian geopolitical pursuits and has been attributed by a number of distributors to have hyperlinks to India. This latest incident, nonetheless, reveals a broadening of their operations into Europe.
Trellix’s researchers had been in a position to establish this marketing campaign by blocking the preliminary e mail chain, which allowed them to analyse the assault’s Techniques, Strategies, and Procedures (TTPs). Reportedly, the attackers employed a extremely misleading spear-phishing tactic, impersonating European defence officers.
These malicious emails, which talked about a go to to Bangladesh, aimed to trick targets into clicking on a dangerous Google Drive hyperlink. This technique of utilizing widespread cloud providers for preliminary an infection showcases the group’s adaptability of their method.
The assault unfolded in a number of calculated steps. The preliminary spear-phishing e mail originated from a Gmail tackle (int.dte.afd.1@gmailcom). It featured a topic line associated to diplomatic actions, particularly “Italian Defence Attaché Go to to Dhaka, Bangladesh.” The attackers even used HTML formatting with UTF-8 encoding to correctly show particular characters like “é” in “Attaché,” signifying consideration to element to extend legitimacy.
Upon clicking the Google Drive hyperlink, victims downloaded a malicious RAR archive named ‘SyClrLtr.rar,’ containing an executable file disguised as a PDF (notflog.exe). It deployed a batch file and established persistence, which means the malware would stay lively by means of a scheduled activity set to run each 10 minutes.
The malware concerned on this marketing campaign is LoptikMod, a device solely related to the DoNot APT group since 2018. This malware gathers system particulars reminiscent of CPU mannequin, working system info, username, and hostname.
This info is then encrypted and despatched to a command and management (C2) server, which permits the attackers to take care of communication and probably exfiltrate delicate knowledge. It’s value noting that past LoptikMod, the DoNot APT group additionally makes use of custom-built Home windows malware, together with backdoors like YTY and GEdit.
The concentrating on of a European overseas affairs ministry highlights the group’s unwavering curiosity in gathering delicate info and its growing world attain. Such assaults on diplomatic entities are basic examples of espionage operations, aiming to realize unauthorised entry to labeled state communications, coverage paperwork, and intelligence studies.
Organisations, notably these in authorities and diplomacy, are, therefore, urged to boost their cybersecurity measures, together with stronger e mail safety, community visitors evaluation, and endpoint detection and response (EDR) options, to defend towards these evolving threats.
