A threat actor with suspected ties to India has been observed targeting a European foreign affairs ministry with malware capable of harvesting sensitive data from compromised hosts.
The activity has been attributed by Trellix Advanced Research Center to an advanced persistent threat (APT) group called DoNot Team, which is also known as APT-C-35, Mint Tempest, Origami Elephant, SECTOR02, and Viceroy Tiger. It’s been assessed to be active since 2016.
“DoNot APT is known for using custom-built Windows malware, including backdoors like YTY and GEdit, often delivered through spear-phishing emails or malicious documents,” Trellix researchers Aniket Choukde, Aparna Aripirala, Alisha Kadam, Akhil Reddy, Pham Duy Phuc, and Alex Lanstein said.
“This threat group typically targets government entities, foreign ministries, defense organizations, and NGOs especially those in South Asia and Europe.”
The attack chain commences with phishing emails that aim to trick recipients into clicking on a Google Drive link to trigger the download of a RAR archive, which then paves the way for the deployment of a malware dubbed LoptikMod, which is exclusively put to use by the group as far back as 2018.
The messages, per Trellix, originate from a Gmail address and impersonate defense officials, with a subject line that references an Italian Defense Attaché’s visit to Dhaka, Bangladesh.
“The email used HTML formatting with UTF-8 encoding to properly display special characters like ‘é’ in ‘Attaché,’ demonstrating attention to detail to increase legitimacy,” Trellix noted in its deconstruction of the infection sequence.
The RAR archive distributed via the emails contains a malicious executable that mimics a PDF document, opening which causes the execution of the LoptikMod remote access trojan that can establish persistence on the host via scheduled tasks and connect to a remote server to send system information, receive further commands, download additional modules, and exfiltrate data.
It also employs anti-VM techniques and ASCII obfuscation to hinder execution in virtual environments and evade analysis, thereby making it a lot more challenging to determine the tool’s purpose. Furthermore, the attack makes sure that only one instance of the malware is actively running on the compromised system to avoid potential interference.
Trellix said the command-and-control (C2) server used in the campaign is currently inactive, meaning the infrastructure has been either temporarily disabled or no longer functional, or that the threat actors have moved to a completely different server.
The inactive state of the C2 server also means that it’s currently not feasible to determine the exact set of commands that are transmitted to infected endpoints and the kinds of data that are sent back as responses.
“Their operations are marked by persistent surveillance, data exfiltration, and long-term access, suggesting a strong cyber espionage motive,” the researchers said. “While historically focused on South Asia, this incident targeting South Asian embassies in Europe, indicates a clear expansion of their interests towards European diplomatic communications and intelligence.”
