DoNot APT Expands Cyber Espionage Attacks in Europe

A threat actor suspected to be linked to India has recently targeted a European foreign affairs ministry using sophisticated malware designed to extract sensitive information from compromised systems. This development, attributed to an advanced persistent threat (APT) group known as DoNot Team, marks an alarming escalation in operations that have been observed since 2016.

According to researchers from Trellix Advanced Research Center, the group operates under various aliases, including APT-C-35 and Mint Tempest, and is notorious for utilizing custom-built malware, such as the YTY and GEdit backdoors. These tools are often delivered through spear-phishing campaigns targeting government entities, NGOs, and defense organizations, particularly in South Asia and Europe. Trellix researchers note the group's highly targeted approach, which reflects the sophistication of its tactics.

The attack began with crafted phishing emails purporting to come from defense officials. The emails contained links to a Google Drive location and lured recipients into downloading a malicious RAR archive, which led to the deployment of a malware variant dubbed LoptikMod. This malware, in use since 2018, is employed specifically by the DoNot Team to establish remote access to infected machines, with the ability to exfiltrate data and execute commands remotely.

The RAR archive contains a malicious executable disguised as a PDF document; when opened, it launches the LoptikMod remote access trojan. The trojan persists on the host through scheduled tasks and communicates with a command-and-control (C2) server to send system information and receive operational commands. Trellix reports that the C2 server is currently inactive, which may indicate deliberate obfuscation by the threat actors.

The activity of the DoNot APT highlights their continuous efforts towards persistent surveillance and a strategic focus on data exfiltration aimed at espionage. The expansion into European diplomatic systems signifies a worrying shift in their operational interests, potentially jeopardizing both national security and international diplomatic relations.