A threat actor with ties to an Indian cybersecurity firm has been attacking military organizations in South Asia for the last three years. Since at least September 2020, the actor has been deploying different variants of its malware framework in Bangladesh, Nepal, and Sri Lanka.
According to the Slovak security firm ESET, the attackers, who are referred to as the Donot Team, have been sending spear-phishing emails to targeted organizations.
“Donot Team has been consistently targeting the same entities with waves of spear-phishing emails with malicious attachments every two to four months,” researchers Facundo Muñoz and Matías Porolli said.
Also known as APT-C-35 and SectorE02, the Donot Team is suspected of primarily targeting embassies, governments, and military entities in Bangladesh, Sri Lanka, Pakistan, and Nepal with Windows and Android malware since 2016.
In 2021, Amnesty International released evidence linking the Donot Team’s operations to an Indian cybersecurity company known as Innefu Labs, which is possibly selling the spyware or offering hackers-for-hire services to governments in the region.
Unlike most attackers, who try to re-establish themselves in a previously compromised network via backdoors, the Donot Team takes a different approach by repeatedly deploying multiple variants of the same malware.
The team’s first attack method is known as yty, a series of intermediary downloaders delivered via weaponized Microsoft Office documents that ultimately lead to the execution of a backdoor.
Data collected by ESET revealed that the attackers have been using three different variants of yty since September 2020. These include DarkMusical, Gedit, and Jaca.
Another variant, a modified version of Gedit dubbed Henos, was used in the attacks against military organizations in Sri Lanka and Bangladesh from February to March 2021.
“Donot Team makes up for its low sophistication with tenacity,” the researchers concluded. “We expect that it will continue to push on regardless of its many setbacks. Only time will tell if the group evolves its current TTPs and malware.”