The threat actor known as DoNot Team has been linked to the use of a novel .NET-based backdoor called Firebird targeting a handful of victims in Pakistan and Afghanistan.
Cybersecurity firm Kaspersky, which disclosed the findings in its APT trends report for Q3 2023, said the attack chains are also configured to deliver a downloader named CSVtyrei, so named for its resemblance to Vtyrei.
"Some code within the samples appeared non-functional, hinting at ongoing development efforts," the Russian company said.
Vtyrei (aka BREEZESUGAR) refers to a first-stage payload and downloader strain previously harnessed by the adversary to deliver a malware framework known as RTY.
DoNot Team, also known by the names APT-C-35, Origami Elephant, and SECTOR02, is suspected to be of Indian origin, with its attacks using spear-phishing emails and rogue Android apps to propagate malware.
The latest assessment from Kaspersky builds on an analysis of the threat actor's twin attack sequences in April 2023 to deploy the Agent K11 and RTY frameworks.
The disclosure also follows Zscaler ThreatLabz's uncovering of new malicious activity carried out by the Pakistan-based Transparent Tribe (aka APT36) actor targeting Indian government sectors using an updated malware arsenal that includes a previously undocumented Windows trojan dubbed ElizaRAT.
"ElizaRAT is delivered as a .NET binary and establishes a C2 communication channel via Telegram, enabling threat actors to exert full control over the targeted endpoint," security researcher Sudeep Singh noted last month.
Active since 2013, Transparent Tribe has used credential harvesting and malware distribution attacks, often distributing trojanized installers of Indian government applications like Kavach multi-factor authentication and weaponizing open-source command-and-control (C2) frameworks such as Mythic.
In a sign that the hacking crew has also set its eyes on Linux systems, Zscaler said it identified a small set of desktop entry files that pave the way for the execution of Python-based ELF binaries, including GLOBSHELL for file exfiltration and PYSHELLFOX for stealing session data from the Mozilla Firefox browser.
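A defender-side triage check for the launcher technique described above, added here as an example (not Zscaler's or Kaspersky's code, and not derived from the actual samples): it parses Linux .desktop entries and flags any whose Exec= line hands off to a program outside the usual system directories, in a hidden path, or through a shell command string. The three entries are constructed, and the trusted-directory list is an assumption to be tuned per fleet.

```python
"""Flag .desktop launchers whose Exec= line points somewhere a dropped ELF
binary would live rather than a packaged program.  Added example; the
sample entries and TRUSTED_EXEC_DIRS are constructed/assumed, not real IoCs."""
import configparser
import re
import shlex

# Directories a launcher's executable is normally expected to live in (assumption).
TRUSTED_EXEC_DIRS = ("/usr/bin", "/usr/local/bin", "/bin", "/usr/lib", "/opt")
SHELLS = ("sh", "bash", "dash", "/bin/sh", "/bin/bash", "/usr/bin/sh", "/usr/bin/bash")
ABS_PATH_RE = re.compile(r"""/[^\s;&|"']+""")  # absolute paths, also inside sh -c "..."

def exec_argv(desktop_text: str) -> list[str]:
    """Parse the Exec= key of a .desktop file into an argv list ([] if unusable)."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(desktop_text)
    if not parser.has_option("Desktop Entry", "Exec"):
        return []
    try:
        return shlex.split(parser.get("Desktop Entry", "Exec"))
    except ValueError:  # unbalanced quotes etc.
        return []

def suspicious_reasons(desktop_text: str) -> list[str]:
    """Return reasons this launcher deserves a look; an empty list means nothing odd."""
    argv = exec_argv(desktop_text)
    if not argv:
        return ["no usable Exec= line"]
    reasons = []
    if argv[0] in SHELLS and "-c" in argv:
        reasons.append("Exec runs a shell command string instead of a program")
    for path in ABS_PATH_RE.findall(" ".join(argv)):
        if not any(path.startswith(d + "/") for d in TRUSTED_EXEC_DIRS):
            reasons.append(f"path outside trusted dirs: {path}")
        if any(p.startswith(".") for p in path.split("/") if p not in ("", ".", "..")):
            reasons.append(f"hidden path component: {path}")
    return reasons

# Constructed sample entries (not real samples).
BENIGN_ENTRY = "[Desktop Entry]\nType=Application\nName=Firefox\nExec=/usr/bin/firefox %u\n"
DROPPED_ENTRY = ("[Desktop Entry]\nType=Application\nName=Document\n"
                 "Exec=/home/user/.config/.cache/updater --silent\nTerminal=false\n")
WRAPPER_ENTRY = ('[Desktop Entry]\nType=Application\nName=Report\n'
                 'Exec=sh -c "/tmp/.x/loader; xdg-open /tmp/report.pdf"\n')

if __name__ == "__main__":
    for name, entry in [("benign", BENIGN_ENTRY), ("dropped", DROPPED_ENTRY), ("wrapper", WRAPPER_ENTRY)]:
        print(name, suspicious_reasons(entry) or "clean")
```

In practice the same function is run over ~/.local/share/applications, ~/.config/autostart and the system applications directories, with hits reviewed alongside the referenced file's hash and origin.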
"Linux-based operating systems are widely used in the Indian government sector," Singh said, adding the targeting of the Linux environment is also likely motivated by India's decision to replace Microsoft Windows OS with Maya OS, a Debian Linux-based operating system, across government and defense sectors.
Joining DoNot Team and Transparent Tribe is another nation-state actor from the Asia-Pacific region with a focus on Pakistan.
Codenamed Mysterious Elephant (aka APT-K-47), the hacking group has been attributed to a spear-phishing campaign that drops a novel backdoor called ORPCBackdoor that is capable of executing files and commands on the victim's computer, and receiving files or commands from a malicious server.
According to the Knownsec 404 Team, APT-K-47 shares tooling and targeting overlaps with other actors such as SideWinder, Patchwork, Confucius, and Bitter, most of which are assessed to be aligned with India.