ESET researchers take a deep look into the latest attacks carried out by Donot Team throughout 2020 and 2021, targeting government and military entities in several South Asian countries
Donot Team (also known as APT-C-35 and SectorE02) is a threat actor operating since at least 2016 and known for targeting organizations and individuals in South Asia with Windows and Android malware. A recent report by Amnesty International links the group's malware to an Indian cybersecurity company that may be selling the spyware or offering a hackers-for-hire service to governments of the region.
We have been closely following the activities of Donot Team, and have traced several campaigns that leverage Windows malware derived from the group's signature yty malware framework. According to our findings, the group is very persistent and has consistently targeted the same organizations for at least the last two years.
In this blogpost, we document two variants of the malware used in recent campaigns – DarkMusical and Gedit. For each of the variants, we analyze the complete attack chain and provide insight into how the group updates its tools, tactics, and techniques.
Targets
The campaigns of Donot Team are motivated by espionage, using their signature malware: the "yty" malware framework, whose main purpose is to collect and exfiltrate data. According to our telemetry, Donot Team focuses on a small number of targets in South Asia – Bangladesh, Sri Lanka, Pakistan and Nepal – as seen in Figure 1.
Figure 1. Countries targeted in recent Donot Team campaigns
These attacks are focused on:
Government and military organizations
Ministries of Foreign Affairs
Embassies
Going as far as targeting embassies of these countries in other regions, such as the Middle East, Europe, North America, and Latin America, is also not outside Donot Team's realm.
Try, try, try again
It is not a rarity for APT operators to attempt to regain access to a compromised network after they have been ejected from it. In some cases this is achieved through the deployment of a stealthier backdoor that remains quiet until the attackers need it; in other cases they simply restart their operation with new malware or a variant of the malware they used previously. The latter is the case with Donot Team operators, only that they are remarkably persistent in their attempts.
According to ESET telemetry, Donot Team has been consistently targeting the same entities with waves of spearphishing emails with malicious attachments every two to four months. Interestingly, the emails we were able to retrieve and analyze did not show signs of spoofing. Some emails were sent from the same organizations that were being attacked. It is possible that the attackers may have compromised the email accounts of some of their victims in earlier campaigns, or the email server used by those organizations. For defenders this matters: a message that genuinely originates from a colleague's mailbox passes SPF and DKIM checks, so mail-flow rules keyed only on authentication failures would not have stopped these waves.
With spearphishing emails, the attackers use malicious Microsoft Office documents to deploy their malware. We have seen Donot Team using at least three techniques. One is macros in Word, Excel and PowerPoint documents, such as the example seen in Figure 2.
Figure 2. Malicious macro in a PowerPoint document that drops a downloader executable and creates a scheduled task to run it
The second technique is RTF files with .doc extensions that exploit the memory corruption vulnerability CVE-2017-11882 in Equation Editor, shown in Figure 3. These RTF documents also contain two embedded DLLs as OLE objects (see Figure 4) that are used to install and download further components (both DLLs are described in the Gedit section). This allows the attackers to execute shellcode without any user interaction beyond opening the document, since no macro prompt is involved. The shellcode deploys the main components of the malware.
Figure 3. CLSID of the COM object used by the RTF document to load the Equation Editor; the next OLE object contains the CVE-2017-11882 exploit
Figure 4. The OLE object headers of the DLLs also embedded in the RTF document
The third technique is remote RTF template injection, which allows the attackers to have a payload downloaded from a remote server when the RTF document is opened. This is achieved by inserting a URL in the optional \*\template control word of the RTF file format, instead of the location of a local file resource. The payload that Donot Team uses is another document that exploits CVE-2017-11882 and is loaded automatically once it is downloaded. This is shown in Figure 5.
Figure 5. When Word opens an RTF file with a remote template, it automatically attempts to download the resource
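The three RTF delivery techniques above can all be triaged statically, because each leaves a marker in the RTF text itself: a URL in the \*\template control word, an Equation Editor object (by \objclass name or by its CLSID inside the \objdata stream), and hex-encoded PE files inside \objdata streams. The scanner below is an added example written for this article and is not ESET tooling. It assumes the well-known CLSID of Equation Editor 3.0 (0002CE02-0000-0000-C000-000000000046, stated from general knowledge rather than read from Figure 3), and the sample RTF at the bottom is constructed: it contains only the markers, not an exploit.

```python
r"""Static triage of RTF lures: remote template, Equation Editor object, embedded PE.
Added example, not ESET code. SAMPLE_RTF is constructed and carries no exploit."""
import re

# Equation Editor 3.0 ("Equation.3") CLSID, from general knowledge (assumption).
EQNEDT_CLSID = "0002CE02-0000-0000-C000-000000000046"
PE_MARKER = b"This program cannot be run in DOS mode"

_TEMPLATE_RE = re.compile(rb"\\\*\\template\s+([^}\\]+)")   # {\*\template <target>}
_OBJCLASS_RE = re.compile(rb"\\objclass\s+([^\s\\}]+)")      # {\*\objclass Equation.3}
_OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")   # hex stream, often multi-line


def clsid_to_le_bytes(clsid):
    """Encode a CLSID string as stored on disk: Data1-3 little-endian, Data4 verbatim."""
    d1, d2, d3, d4, d5 = clsid.split("-")
    return (int(d1, 16).to_bytes(4, "little") + int(d2, 16).to_bytes(2, "little")
            + int(d3, 16).to_bytes(2, "little") + bytes.fromhex(d4 + d5))


def decode_objdata(rtf):
    r"""Hex-decode every \objdata stream, tolerating whitespace and a dangling nibble."""
    blobs = []
    for m in _OBJDATA_RE.finditer(rtf):
        hexstr = re.sub(rb"\s+", b"", m.group(1))
        if len(hexstr) % 2:
            hexstr = hexstr[:-1]
        blobs.append(bytes.fromhex(hexstr.decode("ascii")))
    return blobs


def scan_rtf(rtf):
    """Return the markers found in an RTF byte string plus a coarse verdict."""
    clsid_le = clsid_to_le_bytes(EQNEDT_CLSID)
    blobs = decode_objdata(rtf)
    classes = [c.decode("ascii", "replace") for c in _OBJCLASS_RE.findall(rtf)]
    tmpl = _TEMPLATE_RE.search(rtf)
    template = tmpl.group(1).strip().decode("ascii", "replace") if tmpl else None
    is_remote = bool(template) and template.lower().startswith(("http://", "https://"))
    report = {
        "remote_template": template if is_remote else None,
        "objclasses": classes,
        "equation_objclass": any(c.lower().startswith("equation") for c in classes),
        # CLSID bytes or the OLE1 class name inside the object payload itself
        "equation_clsid_in_objdata": sum(1 for b in blobs if clsid_le in b or b"Equation.3" in b),
        "embedded_pe_objects": sum(1 for b in blobs if b"MZ" in b and PE_MARKER in b),
    }
    flagged = (report["remote_template"] is not None or report["equation_objclass"]
               or report["equation_clsid_in_objdata"] or report["embedded_pe_objects"])
    report["verdict"] = "suspicious" if flagged else "clean"
    return report


# Constructed sample: template URL, an Equation.3 object whose payload is just the CLSID,
# and a "Package" object whose payload is a stub with PE markers. Not a real exploit.
_EQN_BLOB = clsid_to_le_bytes(EQNEDT_CLSID)
_PE_BLOB = b"MZ\x90\x00" + b"\x00" * 60 + PE_MARKER + b".\r\n"
SAMPLE_RTF = (
    rb"{\rtf1\ansi\deff0 {\*\template http://example.invalid/lure.rtf}"
    + rb"{\object\objemb{\*\objclass Equation.3}{\*\objdata " + _EQN_BLOB.hex().encode() + rb"}}"
    + rb"{\object\objemb{\*\objclass Package}{\*\objdata " + _PE_BLOB.hex().encode() + rb"}}"
    + rb"\par }"
)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_RTF
    for key, value in scan_rtf(data).items():
        print(f"{key}: {value}")
```

Run it against a suspected lure with `python scan_rtf.py lure.doc`; the .doc extension is irrelevant, only the `{\rtf` content matters. A hit on `remote_template` is worth an alert on its own even when nothing else is embedded, since the exploit document arrives only when the template is fetched.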
The yty malware framework
Discovered by NetScout in 2018, the yty malware framework is a less sophisticated and poorly developed successor to an older framework known as EHDevel. The yty framework consists of a chain of downloaders that ultimately download a backdoor with minimal functionality, used to download and execute further components of Donot Team's toolset.
These include file collectors based on file extension and year of creation, screen capturers, keyloggers, reverse shells, and more. As seen in Figure 6, components for exfiltration gather the collected intelligence from staging folders and upload every file to a designated server used only for this purpose.
Figure 6. Component that resolves the folder name for staging JPEG screenshots (left) and exfiltration component that finds all files in the staging folder (right)
Staging folder names and locations are changed with almost every new campaign, as are some of the components' filenames. However, there are cases in which the names of components have remained unchanged, for example: gedit.exe, wuaupdt.exe, lmpss.exe, disc.exe, among others. As seen in Figure 7, it seems that for every new campaign, in order to set new paths and filenames, these values must be changed in the source code and then recompiled, as none of these components use a configuration block or file.
Figure 7. Encrypted strings containing locations and filenames that are regularly changed (top) and unencrypted values used in constructing the C&C URL (bottom)
The malware uses scheduled tasks for persistence, and alternates between DLL and EXE files between campaigns. In the case of DLLs, the scheduled tasks execute rundll32.exe to load them and call one of the exported functions.
The developers of the yty framework mainly rely on the C++ programming language. Presumably in an attempt to evade detection, they have also ported their components to other languages such as VBScript, Python (packaged with PyInstaller), Visual C#, and AutoIt, among others. However, since 2019 we have only seen them leveraging components programmed in C++ (Figure 8) and Go (Figure 9).
Figure 8. Decompiled code of the component that captures screenshots, originally written in C++
Figure 9. Decompiled code of the component that captures screenshots, for the version written in Go
The malware typically uses two or three servers during its deployment. It might use one server during its chain of downloaders and a different server that the backdoor contacts in order to receive its commands and download further components, or use the same server for both purposes. A different server is always used for the upload of collected information. In some attacks Donot Team has reused C&C domains from earlier attacks – both for downloads and exfiltration. As seen in Figure 10, Figure 11 and Figure 12, the components used in one attack – later described as a variant we track as DarkMusical – employed three different C&C domains.
Figure 10. The first downloader decrypts the URL of the server from which it downloads the next stage of the chain
Figure 11. In later stages, the backdoor uses a different server for C&C communications
Figure 12. The exfiltration components use yet a third server to upload the collected data
Timeline of attacks
Here we describe the malware variants used in recent Donot Team campaigns, with a focus on their Windows malware, starting from September 2020 until October 2021. For clarity, we have separated them into two variants of the yty malware framework: Gedit and DarkMusical, with one particular campaign using Gedit that we named Henos.
In Figure 13, we present a timeline, according to our telemetry, of the attacks. Also on our timeline we have included attacks from another variant, known as the "Jaca framework". However, we will not describe it here since it has been described extensively in this report by CN-SEC.
Figure 13. Timeline of Donot Team attacks from September 2020 to October 2021 according to ESET telemetry
DarkMusical
According to ESET telemetry, the first wave of attacks where this variant was used occurred in June 2021, targeting military organizations in Bangladesh. We were only able to recover its chain of downloaders and its main backdoor. Given the small number of victims, we believe this might have been a highly targeted attack.
In September, a second wave of attacks that targeted military organizations in Nepal used new C&C servers and new file and staging folder names. We were able to recover several components downloaded by the backdoor, so we have decided to describe these attacks instead.
Spearphishing emails were sent with PowerPoint documents containing a macro that deploys the first component of a chain of downloaders and persists using a scheduled task. When potential victims open these documents, they are presented with a fake error message, as seen in Figure 14, and the documents remain devoid of any visible content.
Figure 14. Screenshot of a blank, malicious PowerPoint document
As seen in Figure 15, the chain of downloaders aims to download a final component that works as a backdoor with minimal functionality: it downloads standalone components, executes them using the ShellExecute Windows API, and gets and saves new C&C URLs.
The backdoor downloads the components that handle the collection and exfiltration of information to a dedicated server. These components do not communicate with the backdoor or the C&C to report on their activities – rather, they use a designated folder for the staging of the data, and a separate exfiltration component collects everything and uploads it.
Figure 15. Observed chain of compromise for DarkMusical
We decided to name this campaign DarkMusical because of the names the attackers chose for their files and folders: many are western celebrities or characters in the movie High School Musical. Table 1 briefly describes the purpose of each of the components in the chain of compromise.
Table 1. Components in the DarkMusical campaign chain of compromise
Filename | Description
rihana.exe | This executable is dropped by the malicious document to %public%\Music\rihana.exe, and persistence is established via a scheduled task called musudt.
  Downloads a file to %public%\Music\acrobat.dll and drops a BAT file to %public%\Music\sidilieicaliei.bat.
  The BAT file calls schtasks.exe to create the hmomci scheduled task, which executes rundll32.exe %public%\Music\acrobat.dll,nikioioeioolla.
acrobat.dll | Downloads a file and saves it as %public%\Music\swift.
  Additionally, it can issue a systeminfo.exe command whose output is redirected to %public%\Music\justin. The contents of that file are sent to its C&C server.
  Drops and executes the file %public%\Music\janifer.bat, which performs several tasks:
  • Creates the folders Troy, Gabriella, and Taylor in %public%\Music with the archive, hidden, and system attributes.
  • Creates two scheduled tasks:
    - sccmos, to execute %public%\Music\Troy\forbidden.exe
    - msoudatee, to execute %public%\Music\Gabriella\remember.exe
  • Moves the swift file into the Gabriella folder and renames it to remember.exe
  • Attempts to delete acrobat.dll and rihana.exe
  • Deletes the scheduled tasks named hmomci and musudt
  • Deletes itself
remember.exe | Downloads a file to %public%\Music\Troy\forbidden.exe
forbidden.exe | Uses the URL stored in the %public%\Music\Taylor\flag file; if there is no URL, it uses its default URL.
  Accepts three commands:
  • Set URL in the flag file
  • Execute file with the ShellExecute Windows API
  • Download file to %public%\Music\Taylor
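Every stage in Table 1 persists through a scheduled task, and the two shapes are the ones worth hunting for on any Windows host: rundll32.exe pointed at a DLL in a user-writable folder (hmomci, MobUpdate), or an executable that itself lives under %public% or %USERPROFILE% (sccmos, msoudatee, TaskUpdate). The triage script below is an added example written for this article, not ESET code. It parses Task Scheduler XML, which is what `schtasks /query /xml /tn <name>` prints and what is stored per task under C:\Windows\System32\Tasks. The task definitions at the bottom are constructed: two mirror the hmomci and sccmos tasks from Table 1, the third is an invented benign task for contrast; the LOLBin list and the user-writable path list are my own choices.

```python
"""Triage of Windows scheduled-task XML for user-writable persistence.
Added example, not ESET code. Sample task XML below is constructed."""
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Proxy executables that become suspicious only because of what they are pointed at.
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe",
           "cscript.exe", "cmd.exe", "powershell.exe"}

# Locations a standard user can write to (assumption: list chosen for this example).
USER_WRITABLE = re.compile(
    r"(%public%|%userprofile%|%appdata%|%localappdata%|%temp%|%tmp%|%programdata%"
    r"|c:\\users\\|c:\\programdata\\)", re.I)

_XML_DECL = re.compile(r"^\s*<\?xml[^>]*\?>")


def _basename(path):
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def load_task_xml(data):
    """Accept str, UTF-8 bytes, or the UTF-16 files stored under System32\\Tasks."""
    if isinstance(data, bytes):
        if data.startswith((b"\xff\xfe", b"\xfe\xff")):
            data = data.decode("utf-16")
        else:
            data = data.decode("utf-8")
    return ET.fromstring(_XML_DECL.sub("", data, count=1))


def triage_task(data):
    """Return one finding per suspicious <Exec> action in a task definition."""
    root = load_task_xml(data)
    name = root.findtext("t:RegistrationInfo/t:URI", default="<unnamed>", namespaces=TASK_NS)
    findings = []
    for ex in root.findall("t:Actions/t:Exec", TASK_NS):
        cmd = (ex.findtext("t:Command", default="", namespaces=TASK_NS) or "").strip()
        args = (ex.findtext("t:Arguments", default="", namespaces=TASK_NS) or "").strip()
        base = _basename(cmd)
        reasons = []
        if USER_WRITABLE.search(cmd):
            reasons.append("command in user-writable path")
        if base in LOLBINS and USER_WRITABLE.search(args):
            reasons.append(f"{base} pointed at user-writable path")
        if not reasons:
            continue
        finding = {"task": name, "command": cmd, "arguments": args, "reasons": reasons}
        if base == "rundll32.exe" and "," in args:      # rundll32 <dll>,<export>
            dll, export = args.rsplit(",", 1)
            finding["dll"], finding["export"] = dll.strip(), export.strip()
        findings.append(finding)
    return findings


def triage_many(task_xmls):
    out = []
    for data in task_xmls:
        out.extend(triage_task(data))
    return out


# Constructed samples. The first two mirror Table 1; the third is an invented benign task.
HMOMCI_TASK = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\hmomci</URI></RegistrationInfo>
  <Actions Context="Author"><Exec>
    <Command>rundll32.exe</Command>
    <Arguments>%public%\Music\acrobat.dll,nikioioeioolla</Arguments>
  </Exec></Actions>
</Task>"""

SCCMOS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\sccmos</URI></RegistrationInfo>
  <Actions><Exec><Command>%public%\Music\Troy\forbidden.exe</Command></Exec></Actions>
</Task>"""

BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Vendor\Updater</URI></RegistrationInfo>
  <Actions><Exec><Command>C:\Program Files\Vendor\updater.exe</Command>
  <Arguments>/quiet</Arguments></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for f in triage_many([HMOMCI_TASK, SCCMOS_TASK, BENIGN_TASK]):
        print(f)
```

On a live host, feed it every file under C:\Windows\System32\Tasks (read as bytes; the loader handles the UTF-16 BOM). The rundll32 export name is worth keeping in the finding: the random-looking exports seen here (nikioioeioolla, iorpiyhduj) have no legitimate counterpart and make a good pivot into the sample tables at the end of the article.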
In Table 2 we describe the purpose of each component of the attacker's toolset.
Table 2. Description of components in the attacker's toolset for DarkMusical
Filename | Description
serviceup.exe, sdudate.exe | Reverse shells.
srcot.exe | Takes screenshots and saves them to %public%\Music\Symphony.
nDExiD.exe (three variants) | 1. Collects files created in 2021 or later and copies them to the staging folder %public%\Music\Symphony. Collects files by extension: doc, docx, eml, inp, jpeg, jpg, msg, odt, pdf, pps, ppsx, ppt, pptx, rtf, txt, xls, xlsx.
  2. Same as above, but files must have been created in 2020 or later.
  3. File collector that monitors insertion of USB drives and changes within the file system. Collects the same document extensions as above, but also includes files with the extensions docm, mbox and pst.
upsvcsu.exe | Exfiltrates collected files.
  Enumerates all files in %public%\Music\Symphony and uploads those that match the extensions: doc, docx, eml, inp, jpeg, jpg, msg, odt, pdf, pps, ppsx, ppt, pptx, rtf, txt, xls, xlsx.
Gedit
We detected the first attacks of the campaign using Gedit in September 2020, against organizations in Pakistan that had already been targeted with spearphishing and malicious RTF documents that installed the Jaca framework. Since then, Donot Team has moved on to focus on targets in Bangladesh, Nepal and Sri Lanka. The malware is clearly derived from the yty malware framework, but it is distinct enough to be separated from DarkMusical.
We were able to retrieve a spearphishing email corresponding to a Gedit campaign that occurred in February 2021, which is shown in Figure 16. The first attachment contained a list of personnel from a military entity in Bangladesh (and no malicious content). The second attachment showed nothing but a blank page, while executing malicious code.
Figure 16. Screenshot of a spearphishing email sent by the attackers
We can see that the size of the second file is larger than 2 MB. It is an RTF file that exploits CVE-2017-11882 to drop two DLL files contained in the document and execute one of them. Other components are downloaded to the compromised computer in various stages. An overview of this attack chain and its malware components is shown in Figure 17.
Figure 17. Chain of compromise in Gedit campaigns
The components were coded in Go and C++ (with the MinGW and Visual Studio compilers). We have chosen to describe the components used in that campaign in February 2021, which are shown in Table 3.
Table 3. Description of components for the Gedit variant
Filename | Description
vbtr.dll | Moves the file %TEMP%\bcs01276.tmp to %USERPROFILE%\Documents\msdn022.dll.
  Creates a scheduled task MobUpdate to execute rundll32.exe %USERPROFILE%\Documents\msdn022.dll,iorpiyhduj
msdn022.dll | Downloads a file to %APPDATA%\mscx01102 (later renamed to Winhlp.exe).
  Writes and executes %APPDATA%\check.bat, which:
  • Writes <COMPUTERNAME>-<RANDOM_NUMBER> to %USERPROFILE%\Policy\en-us\Files\wizard
  • Creates the scheduled task TaskUpdate to execute %USERPROFILE%\infboost\OOO\nprint.exe
  • Creates the scheduled task MachineCore to execute %USERPROFILE%\CursorSize\Dates\Winhlp.exe
Winhlp.exe | Downloads a file to %USERPROFILE%\infboost\OOO\nprint.exe (if it does not exist or its size is less than 50 kB).
nprint.exe | Sends a request to a server and, depending on the reply, performs one of three actions:
  • If qwertyuiop is in the reply headers, a file is downloaded to %USERPROFILE%\Policy\en-us\Active\<FILENAME>, where <FILENAME> is also read from the headers
  • If asdfghjklzx is in the reply headers, it tries to execute %USERPROFILE%\Policy\en-us\Active\wuaupdt.exe
  • If zxcvbnmlkjhgfd is in the reply headers, it tries to execute %USERPROFILE%\Policy\en-us\Active\test.bat
  If the file %USERPROFILE%\Policy\en-us\Files\wizard exists, the URL of the server is retrieved from there and used instead of the one embedded in the executable.
wuaupdt.exe | Reverse shell.
lmpss.exe | Takes screenshots and saves them, in an infinite loop, to %USERPROFILE%\RemoteDesk\Apps
innod.exe | File collector. Iterates recursively through drives, logging interesting files to %USERPROFILE%\Policy\en-us\Files\nohiucf. Files are copied to %USERPROFILE%\RemoteDesk\Apps
  Seeks files with the extensions: doc, docx, xls, xlsx, ppt, pps, pptx, ppsx, pdf, inp, msg, jpg, jpeg, png, txt
  Excludes the following files/folders: ., .., nohiucf, Windows, Recent Places, Temfile, Program Files, Program Files (x86), ProgramData, Microsoft, Package Cache
  This component runs in an infinite loop, iterating drives from C: to H:
gedit.exe | Sends collected files to a server. All files in %USERPROFILE%\RemoteDesk\Apps are sent one by one, without any additional encryption. There is no check for extension, other than excluding . and ..
  The victim identifier that was written to %USERPROFILE%\Policy\en-us\Files\wizard is appended to the URL. If the file does not exist, the default string HeloBSiamabcferss is used instead. The User-Agent is: If people are doubting how far you can go, go so far that you can't hear them anymore. Michele Ruiz
  It creates a system event named aaaaaaaaa to make sure that only one instance of the component is running at a time.
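Two things in Table 3 are directly observable on the wire and survive the per-campaign renaming described earlier: the odd User-Agent of gedit.exe (with the default victim identifier HeloBSiamabcferss when the wizard file is missing) and the URL shapes the framework builds, which recur across the IoC lists at the end of this article (a <COMPUTERNAME>~<USERNAME>~<ID> first path segment for DarkMusical, and /uload, /upload or /backup paths for exfiltration). The script below is an added example written for this article, not ESET code. It runs over a constructed JSON-lines proxy log whose field names are my own, generalises the IoC paths into patterns, and also classifies a captured C&C reply the way nprint.exe would dispatch on it (the header carrying the token is not named in the article, so every header is checked). The User-Agent is matched on two fragments rather than the whole sentence so that punctuation differences between samples do not break the rule.

```python
"""Proxy-log and HTTP-reply triage for the Gedit/DarkMusical traffic shapes above.
Added example, not ESET code. Log format, field names and all lines are constructed."""
import json
import re
from collections import Counter

# Fragments of the gedit.exe User-Agent from Table 3.
GEDIT_UA_MARKERS = ("doubting how far you can go", "Michele Ruiz")
GEDIT_DEFAULT_VICTIM_ID = "HeloBSiamabcferss"

# URL shapes generalised from the IoC lists; evaluated in this order.
PATH_RULES = (
    ("darkmusical-victim-id", re.compile(r"^/[^/~]+~[^/~]+~[^/]+/")),     # <PC>~<USER>~<ID>/...
    ("exfil-upload", re.compile(r"/(uload|upload|backup)(/|$)")),
    ("download-orderme", re.compile(r"/(orderme|sessionrequest|winuser)(/|$)")),
)

# nprint.exe dispatches on these tokens appearing in the C&C reply headers.
NPRINT_TOKENS = {
    "qwertyuiop": "download-file",
    "asdfghjklzx": "run-wuaupdt",
    "zxcvbnmlkjhgfd": "run-test-bat",
}


def classify_nprint_reply(headers):
    """Return the action nprint.exe would take for a captured reply, or None."""
    blob = " ".join(f"{k} {v}" for k, v in headers.items()).lower()
    for token, action in NPRINT_TOKENS.items():
        if token in blob:
            return action
    return None


def match_request(entry):
    """Return the list of rule names hit by one parsed log entry."""
    hits = []
    ua = entry.get("user_agent", "")
    if all(marker in ua for marker in GEDIT_UA_MARKERS):
        hits.append("gedit-user-agent")
    path = entry.get("path", "")
    for name, rx in PATH_RULES:
        if rx.search(path):
            hits.append(name)
    if GEDIT_DEFAULT_VICTIM_ID in path:
        hits.append("gedit-default-victim-id")
    return hits


def scan_proxy_log(lines):
    """Return alerts for JSON-lines proxy records; records matching nothing are dropped."""
    alerts = []
    for raw in lines:
        if not raw.strip():
            continue
        entry = json.loads(raw)
        hits = match_request(entry)
        if hits:
            alerts.append({"ts": entry["ts"], "src": entry["src"], "host": entry["host"],
                           "path": entry["path"], "rules": hits})
    return alerts


def exfil_volume(lines):
    """Bytes POSTed per (src, host) on requests that look like staged-file uploads."""
    totals = Counter()
    for raw in lines:
        if not raw.strip():
            continue
        entry = json.loads(raw)
        if entry.get("method") == "POST" and "exfil-upload" in match_request(entry):
            totals[(entry["src"], entry["host"])] += int(entry.get("bytes_out", 0))
    return totals


# Constructed log lines (hosts from the IoC lists, everything else invented).
GEDIT_UA = "If people are doubting how far you can go, go so far that you can't hear them anymore. Michele Ruiz"
SAMPLE_LOG = [
    json.dumps({"ts": "2021-02-22T09:01:10Z", "src": "10.0.0.15", "host": "update.example.com",
                "method": "GET", "path": "/v1/check", "user_agent": "Mozilla/5.0", "bytes_out": 0}),
    json.dumps({"ts": "2021-02-22T09:02:31Z", "src": "10.0.0.15", "host": "printersolutions.live",
                "method": "GET", "path": "/DESKTOP-1A2B~jsmith~{6d5b3c2a-1111-4222-8333-0123456789ab}/orderme",
                "user_agent": "Mozilla/4.0", "bytes_out": 0}),
    json.dumps({"ts": "2021-02-22T09:05:02Z", "src": "10.0.0.15", "host": "oceansurvey.club",
                "method": "POST", "path": "/upload/HeloBSiamabcferss", "user_agent": GEDIT_UA,
                "bytes_out": 184320}),
    json.dumps({"ts": "2021-02-22T09:05:40Z", "src": "10.0.0.15", "host": "oceansurvey.club",
                "method": "POST", "path": "/upload/HeloBSiamabcferss", "user_agent": "...",
                "bytes_out": 91000}),
]

if __name__ == "__main__":
    for alert in scan_proxy_log(SAMPLE_LOG):
        print(alert)
    print(dict(exfil_volume(SAMPLE_LOG)))
```

The path rules alone will produce noise on a large proxy (/upload/ is common), so treat them as enrichment for the User-Agent and victim-ID hits, or pair them with the exfiltration domains from the IoC lists; `exfil_volume` is the quick way to size what left once a host is confirmed.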
Henos campaign
Finally, it is worth mentioning a wave of attacks that occurred between February and March 2021, targeting military organizations in Bangladesh and Sri Lanka. These attacks used the Gedit variant of the malware, but with some minor changes. Therefore, we decided to name this campaign Henos in our timeline, after its backdoor DLL – henos.dll.
Samples belonging to components of this wave of attacks were also reported online in February, which probably explains why the group did not use the components again (see this tweet by Shadow Chaser Group researchers, for example).
Although we did not find the corresponding spearphishing emails or malicious documents, the attack chain is presumably the same as described above, with some minor differences in how the components are executed. An overview of this is shown in Figure 18.
Figure 18. Chain of compromise of the Henos campaign
While some of the components of this campaign are named javatemp.exe and pytemp.exe, these filenames were probably only chosen in an attempt to mimic legitimate software such as Java or Python. While pytemp.exe and plaapas.exe were coded in the Go language, javatemp.exe was coded in C++ (compiled with MinGW).
One final note is that the component that performs exfiltration of files, pytemp.exe, checks whether gedit.exe is running and exits if two or more instances are found. We believe this is a mistake by the programmers, since it should check for pytemp.exe instead. However, this simple mistake helps us tie the Henos campaign to the Gedit variant of the malware (in addition to code similarity).
Conclusion
Donot Team makes up for its low sophistication with tenacity. We expect that it will continue to push on regardless of its many setbacks. Only time will tell if the group evolves its current TTPs and malware.
For any inquiries, or to make sample submissions related to the subject, contact us at threatintel@eset.com.
Indicators of Compromise (IoCs)
A comprehensive list of Indicators of Compromise (IoCs) and samples can be found in our GitHub repository.
Gedit – October 2021
Samples
SHA-1 | Filename | ESET detection name
78E82F632856F293BDA86D77D02DF97EDBCDE918 | cdc.dll | Win32/TrojanDownloader.Donot.C
D9F439E7D9EE9450CD504D5791FC73DA7C3F7E2E | wbiosr.exe | Win32/TrojanDownloader.Donot.D
CF7A56FD0613F63418B9DF3E2D7852FBB687BE3F | vdsc.exe | Win32/TrojanDownloader.Donot.E
B2263A6688E512D90629A3A621B2EE003B1B959E | wuaupdt.exe | Win32/ReverseShell.J
13B785493145C85B005E96D5029C20ACCFFE50F2 | gedit.exe | Win32/Spy.Donot.A
E2A11F28F9511753698BA5CDBAA70E8141C9DFC3 | wscs.exe | Win32/Spy.Donot.B
F67ABC483EE2114D96A90FA0A39496C42EF050B5 | gedit.exe | Win32/Spy.Donot.B
Network
Download servers
https://request.soundedge[.]live/access/nasrzolofuju
https://request.soundedge[.]live/access/birkalirajliruajirjiairuai
https://share.printerjobs[.]xyz/id45sdjscj/<VICTIM_ID>
Exfiltration server
https://submin.seasonsbackup[.]xyz/backup/<VICTIM_ID>
Reverse shell server
Gedit – July 2021
Samples
SHA-1 | Filename | ESET detection name
A71E70BA6F3CD083D20EDBC83C72AA823F31D7BF | hxedit.exe | Win32/TrojanDownloader.Donot.N
E101FB116F05B7B69BD2CAAFD744149E540EC6E9 | lmpss.exe | Win64/HackTool.Ligolo.A
89D242E75172C79E2F6FC9B10B83377D940AE649 | gedit.exe | WinGo/Spy.Donot.A
B42FEFE2AB961055EA10D445D9BB0906144647CE | gedit.exe | WinGo/Spy.Donot.A
B0704492382186D40069264C0488B65BA8222F1E | disc.exe | Win32/Spy.Donot.L
1A6FBD2735D3E27ECF7B5DD5FB6A21B153FACFDB | disc.exe | Win32/Spy.Donot.A
CEC2A3B121A669435847ADACD214BD0BE833E3AD | disc.exe | Win32/Spy.Donot.M
CBC4EC0D89FA7A2AD1B1708C5A36D1E304429203 | disc.exe | Win32/Spy.Donot.A
9371F76527CA924163557C00329BF01F8AD9E8B7 | gedit.exe | Win32/Spy.Donot.J
B427744B2781BC344B96907BF7D68719E65E9DCB | wuaupdt.exe | Win32/TrojanDownloader.Donot.W
Network
Download server
request.submitonline[.]club/orderme/
Exfiltration servers
oceansurvey[.]club/upload/<VICTIM_ID>
request.soundedge[.]live/<COMPUTERNAME>/uload
Reverse shell servers
80.255.3[.]67
37.48.122[.]145
Gedit – February/March 2021
Samples
SHA-1 | Filename | ESET detection name
A15D011BED98BCE65DB597FFD2D5FDE49D46CFA2 | BN_Webmail_List 2020.doc | Win32/Exploit.Agent.UN
6AE606659F8E0E19B69F0CB61EB9A94E66693F35 | vbtr.dll | Win32/Spy.Donot.G
0290ABF0530A2FD2DFB0DE29248BA3CABB58D2AD | bcs01276.tmp (msdn022.dll) | Win32/TrojanDownloader.Donot.P
66BA21B18B127DAA47CB16AB1F2E9FB7DE3F73E0 | Winhlp.exe | Win32/TrojanDownloader.Donot.J
79A5B10C5214B1A3D7CA62A58574346C03D54C58 | nprint.exe | Win32/TrojanDownloader.Donot.K
B427744B2781BC344B96907BF7D68719E65E9DCB | wuaupdt.exe | Win32/TrojanDownloader.Donot.W
E423A87B9F2A6DB29B3BA03AE7C4C21E5489E069 | lmpss.exe | WinGo/Spy.Donot.B
F43845843D6E9FB4790BF70F1760843F08D43790 | innod.exe | Win32/Spy.Donot.G
4FA31531108CC68FF1865E2EB5654F7B3DA8D820 | gedit.exe | Win32/Spy.Donot.G
Network
Download servers
firm.tplinkupdates[.]space/8ujdfuyer8d8f7d98jreerje
firm.tplinkupdates[.]space/yu37hfgde64jskeruqbrgx
space.lovingallupdates[.]life/orderme
Exfiltration server
oceansurvey[.]club/upload/<VICTIM_ID>
Reverse shell server
Gedit – September 2020
Samples
SHA-1 | Filename | ESET detection name
49E58C6DE5245796AEF992D16A0962541F1DAE0C | lmpss.exe | Win32/Spy.Donot.H
6F38532CCFB33F921A45E67D84D2796461B5A7D4 | prodot.exe | Win32/TrojanDownloader.Donot.K
FCFEE44DA272E6EB3FC2C071947DF1180F1A8AE1 | prodot.exe | Win32/TrojanDownloader.Donot.S
7DDF48AB1CF99990CB61EEAEB3ED06ED8E70A81B | gedit.exe | Win32/TrojanDownloader.Donot.AA
DBC8FA70DFED7632EA21B9AACA07CC793712BFF3 | disc.exe | Win32/Spy.Donot.I
CEF05A2DAB41287A495B9413D33F14D94A568C83 | wuaupdt.exe | Win32/Spy.Donot.A
E7375B4F37ECEA77FDA2CEA1498CFB30A76BACC7 | prodot.exe | Win32/TrojanDownloader.Donot.AA
771B4BEA921F509FC37016F5FA22890CA3338A65 | apic.dll | Win32/TrojanDownloader.Donot.A
F74E6C2C0E26997FDB4DD89AA3D8BD5B270637CC | njhy65tg.dll | Win32/TrojanDownloader.Donot.O
Network
Download servers
soundvista[.]club/sessionrequest
soundvista[.]club/orderme/<VICTIM_ID>
soundvista[.]club/winuser
Exfiltration server
request.resolverequest[.]live/upload/<COMPUTERNAME>-<Random_Number>
Reverse shell server
DarkMusical – September 2021
Samples
SHA-1 | Filename | ESET detection name
1917316C854AF9DA9EBDBD4ED4CBADF4FDCFA4CE | rihana.exe | Win32/TrojanDownloader.Donot.G
6643ACD5B07444D1B2C049BDE61DD66BEB0BD247 | acrobat.dll | Win32/TrojanDownloader.Donot.F
9185DEFC6F024285092B563EFA69EA410BD6F85B | remember.exe | Win32/TrojanDownloader.Donot.H
954CFEC261FEF2225ACEA6D47949D87EFF9BAB14 | forbidden.exe | Win32/TrojanDownloader.Donot.I
7E9A4A13A76CCDEC880618BFF80C397790F3CFF3 | serviceup.exe | Win32/ReverseShell.J
BF183A1EC4D88034D2AC825278FB084B4CB21EAD | srcot.exe | Win32/Spy.Donot.F
1FAA4A52AA84EDB6082DEA66F89C05E0F8374C4C | upsvcsu.exe | WinGo/Spy.Donot.A
2F2EA73B5EAF9F47DCFB7BF454A27A3FBF253A1E | sdudate.exe | Win32/ReverseShell.J
39F92CBEC05785BF9FF28B7F33906C702F142B90 | ndexid.exe | Win32/Spy.Donot.C
1352A8394CCCE7491072AAAC9D19ED584E607757 | ndexid.exe | Win32/Spy.Donot.E
623767BC142814AB28F8EC6590DC031E7965B9CD | ndexid.exe | Win32/Spy.Donot.A
Network
Download servers
digitalresolve[.]live/<COMPUTERNAME>~<USERNAME>~<HW_PROFILE_GUID>/ekcvilsrkjiasfjkikiakik
digitalresolve[.]live/<COMPUTERNAME>~<USERNAME>~<HW_PROFILE_GUID>/ziuriucjiekuiemoaeukjudjkgfkkj
digitalresolve[.]live/<COMPUTERNAME>~<USERNAME>~<HW_PROFILE_GUID>/Sqieilcioelikalik
printersolutions[.]live/<COMPUTERNAME>~<USERNAME>~<HW_PROFILE_GUID>/orderme
Exfiltration server
packetbite[.]live/<COMPUTERNAME>~<USERNAME>~<HW_PROFILE_GUID>/uload
Reverse shell servers
37.120.198[.]208
51.38.85[.]227
DarkMusical – June 2021
Samples
SHA-1 | Filename | ESET detection name
BB0C857908AFC878CAEEC3A0DA2CBB0A4FD4EF04 | ertficial.dll | Win32/TrojanDownloader.Donot.X
6194E0ECA5D494980DF5B9AB5CEA8379665ED46A | ertficial.dll | Win32/TrojanDownloader.Donot.X
ACB4DF8708D21A6E269D5E7EE5AFB5168D7E4C70 | msofficedll.dll | Win32/TrojanDownloader.Donot.L
B38F3515E9B5C8F4FB78AD17C42012E379B9E99A | sccmo.exe | Win32/TrojanDownloader.Donot.M
60B2ADE3B339DE4ECA9EC3AC1A04BDEFC127B358 | pscmo.exe | Win32/TrojanDownloader.Donot.I
Network
Download servers
biteupdates[.]live/<COMPUTERNAME>~<USERNAME>~<VICTIM_ID>/orderme
biteupdates[.]live/<COMPUTERNAME>~<USERNAME>~<VICTIM_ID>/KdkdUe7KmmGFD
biteupdates[.]live/<COMPUTERNAME>~<USERNAME>~<VICTIM_ID>/acdfsgbvdghd
dataupdates[.]live/<COMPUTERNAME>~<USERNAME>~<VICTIM_ID>/DKixeXs44skdqqD
dataupdates[.]live/<COMPUTERNAME>~<USERNAME>~<VICTIM_ID>/BcX21DKixeXs44skdqqD
Henos – February/March 2021
Samples
SHA-1 | Filename | ESET detection name
468A04B358B780C9CC3174E107A8D898DDE4B6DE | Procurement Letter Feb 21.doc | Win32/Exploit.CVE-2017-11882.CP
9DD042FC83119A02AAB881EDB62C5EA3947BE63E | ctlm.dll | Win32/Spy.Donot.N
25825268868366A31FA73095B0C5D0B696CD45A2 | stpnaqs.pmt (jptvbh.exe) | Win32/TrojanDownloader.Donot.Z
540E7338725CBAA2F33966D5C1AE2C34552D4988 | henos.dll | Win32/Spy.Donot.G
526E5C25140F7A70BA9F643ADA55AE24939D10AE | plaapas.exe | WinGo/Spy.Donot.B
89ED760D544CEFC6082A3649E8079EC87425FE66 | javatemp.exe | Win32/Spy.Donot.G
9CA5512906D43EB9E5D6319E3C3617182BBF5907 | pytemp.exe | WinGo/Spy.Donot.A
Network
Download servers
data.printerupdates[.]online/<USERNAME>/Xddv21SDsxDl
data.printerupdates[.]online/<COMPUTERNAME>~<USERNAME>/XddvInXdl
data.printerupdates[.]online/<COMPUTERNAME>~<USERNAME>/ZuDDey1eDXUl
data.printerupdates[.]online/<COMPUTERNAME>~<USERNAME>/Vyuib45xzlqn
Exfiltration server
https://manage.biteupdates[.]site/<PC_NAME>/uload
MITRE ATT&CK techniques
This table was built using version 10 of the ATT&CK framework.
Tactic | ID | Name | Description
Resource Development | T1588.005 | Obtain Capabilities: Exploits | Donot Team has used CVE-2017-11882 exploits to run its first-stage malware.
Initial Access | T1566.001 | Phishing: Spearphishing Attachment | Donot Team has sent spearphishing emails to its victims with malicious Word or PowerPoint attachments.
Execution | T1204.002 | User Execution: Malicious File | Donot Team has lured its victims into opening malicious email attachments.
Execution | T1059.005 | Command and Scripting Interpreter: Visual Basic | Donot Team has used macros contained in PowerPoint documents.
Execution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Donot Team has used reverse shells on the system to execute commands.
Execution | T1203 | Exploitation for Client Execution | Donot Team has used CVE-2017-11882 exploits to execute code on the victim's machine.
Persistence | T1053.005 | Scheduled Task/Job: Scheduled Task | Donot Team has created scheduled tasks for persistence of its malicious components.
Defense Evasion | T1036.005 | Masquerading: Match Legitimate Name or Location | Donot Team has used filenames such as pytemp or javatemp to approximate the name of legitimate software.
Discovery | T1057 | Process Discovery | Donot Team has performed checks for older versions of the malware running on the victim's system.
Lateral Movement | T1534 | Internal Spearphishing | Donot Team has sent spearphishing emails to its victims that came from within the same targeted organization.
Collection | T1005 | Data from Local System | Donot Team has used malicious modules that traverse the victim's filesystem looking for files with various extensions.
Collection | T1025 | Data from Removable Media | Donot Team has used a malicious module to copy files from removable drives.
Collection | T1074.001 | Data Staged: Local Data Staging | Donot Team has staged files for exfiltration in a single location, a folder on the victim's computer.
Collection | T1113 | Screen Capture | Donot Team has used malicious modules to take screenshots from victims.
Command and Control | T1071.001 | Application Layer Protocol: Web Protocols | Donot Team has used HTTP/S for C&C communications and data exfiltration.
Exfiltration | T1048.003 | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | Donot Team has used dedicated servers for exfiltration, sending the files over HTTP or HTTPS without any additional encryption.