Key Takeaways
- Cyble Research and Intelligence Labs (CRIL) came across a campaign linked to the known APT group DONOT, targeting the manufacturing industry that supports the country's maritime and defense sectors.
- The campaign uses a malicious LNK file disguised as an RTF containing encrypted data. The file is decrypted via PowerShell to deliver a lure RTF and the payload.
- A scheduled task is then created to ensure the malware runs every 5 minutes for persistence.
- Random domains are generated from hardcoded words and TLDs to serve as backup C&C servers.
- The encryption method for C&C communication has changed compared to previous campaigns.
- The stager malware communicates with the C&C server using AES encryption and Base64 encoding to evade detection.
- The decryption key for the second-stage payload is now carried inside the downloaded binary rather than hardcoded in the config file.
- The victim's system information is collected before the final payload is delivered, so the TA can assess the target's value.
- The stager malware uses environment variables to store critical configuration details, such as C&C addresses and task information.
Overview
CRIL recently came across a campaign seemingly aimed at Pakistan's manufacturing industry, which supports the country's maritime and defense sectors. After analyzing the files involved in the campaign, it was determined that the attack was linked to the known APT group DONOT.
DoNot, also known as APT-C-35, is an Advanced Persistent Threat (APT) group operating since 2016. This group has a history of targeting government and military entities, as well as foreign affairs ministries and embassies across South Asia.
In this recent campaign, the Threat Actor (TA) uses a .LNK file as the initial infection vector, which may arrive inside a RAR archive via spam email. The .LNK file is disguised as an RTF file, leading users to believe they are opening a legitimate document.
When the user clicks to execute it, it triggers cmd.exe and powershell.exe to run additional malicious commands, loading the stager malware (a DLL file) and establishing persistence by creating a scheduled task that executes the DLL through rundll32.exe. It also communicates with the primary C&C server by sending a unique system ID via a POST request and, in response, receives control commands from the TA to direct its next actions.
These actions include self-destruction and the deployment of additional malicious payloads by downloading an encrypted payload from a specified URL and then executing it. To evade detection and complicate analysis, the malware employs a different encryption method instead of the single-byte XOR key used in previous campaigns. The figure below shows the infection chain.
This ".LNK" file campaign was first identified by StrikeReady Labs, who reported it on the X platform. A similar campaign was also seen in July 2024, targeting Pakistan's government agencies and manufacturing industries using sector-specific lures. In the earlier campaign, the TA employed malicious Office files with embedded macros and Rich Text Format (RTF) files that exploit vulnerabilities to load the stager DLL onto victim machines.
Compared with the previous campaigns, the initial infection vector has shifted from Microsoft Office files to .LNK files. Additionally, the stager DLL now employs an enhanced payload delivery method and improved C&C communication, incorporating encryption mechanisms at various stages.
Technical Analysis
The malicious ".LNK" file contains PowerShell commands, an encrypted lure RTF file, and the encrypted stager payload. Upon execution, the ".LNK" file launches "cmd.exe," which creates a directory under the "%temp%" path and copies "powershell.exe" to this location as "2SqSxDA2.exe." The newly copied PowerShell process then executes the PowerShell code embedded in the LNK file. The figure below shows the partial content of the LNK file.
PowerShell Code
The PowerShell command embedded within the ".LNK" file retrieves both a lure file and a DLL from the ".LNK" itself. It locates the ".LNK" file based on its file size and directory path, then decrypts the lure RTF file and the DLL using a single-byte XOR operation with the key "0xB2." Decryption begins at offset "0x1774" for the lure file and at "0x79AF" for the DLL.
These extracted files are saved in the "%temp%\7GGVXwRn" directory. Once extraction is complete, the PowerShell command deletes the PowerShell copy "2SqSxDA2.exe," opens the lure document, and calls "rundll32.exe" to execute the DLL, invoking the export function "HgCallClient."
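The extraction step above is easy to reproduce on the analyst side: a shortcut that carries an XOR-encoded RTF and DLL is far larger than a normal .LNK, and the single-byte key can be recovered from the known magic bytes of the hidden files. The following Python triage helper is an added example written for this page, not Cyble's tooling or the PowerShell from the sample. It uses the key and offsets named in the report, validates the recovered DLL with the same DOS-stub string the stager itself checks, and builds a constructed stand-in for the malicious shortcut (real Shell Link header bytes, fake decoy, fake PE) so it can run offline; the 16 KB size threshold is an assumption.

```python
"""Triage helper for shortcuts that smuggle XOR-encoded payloads (added example, not Cyble's tooling)."""
from __future__ import annotations

# Shell Link header: HeaderSize 0x4C followed by the LinkCLSID 00021401-0000-0000-C000-000000000046.
LNK_HEADER = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")
RTF_MAGIC = b"{\\rtf"
MZ_MAGIC = b"MZ"
DOS_STUB = b"This program cannot be run in DOS mode"
XOR_KEY = 0xB2              # key named in the report
RTF_OFFSET = 0x1774         # lure offset named in the report
DLL_OFFSET = 0x79AF         # DLL offset named in the report
SIZE_THRESHOLD = 16 * 1024  # assumption: a benign shortcut is rarely this large


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR to every byte (the operation the embedded PowerShell performs)."""
    return bytes(b ^ key for b in data)


def recover_single_byte_key(blob: bytes, expected_magic: bytes) -> int | None:
    """Return the single-byte key that turns the start of blob into expected_magic, if one exists."""
    if len(blob) < len(expected_magic):
        return None
    key = blob[0] ^ expected_magic[0]
    return key if xor_bytes(blob[: len(expected_magic)], key) == expected_magic else None


def carve_lnk(lnk: bytes, rtf_offset: int = RTF_OFFSET, dll_offset: int = DLL_OFFSET) -> dict:
    """Recover the lure and the DLL expected at the given offsets and validate both."""
    report = {
        "is_lnk": lnk.startswith(LNK_HEADER),
        "oversized": len(lnk) > SIZE_THRESHOLD,
        "rtf_key": None, "dll_key": None,
        "rtf": b"", "dll": b"", "dll_valid": False,
    }
    rtf_key = recover_single_byte_key(lnk[rtf_offset:], RTF_MAGIC)
    if rtf_key is not None:
        report["rtf_key"] = rtf_key
        # Everything between the two offsets decodes as the lure; bytes past the RTF's
        # closing brace are padding that has simply been XORed along with it.
        report["rtf"] = xor_bytes(lnk[rtf_offset:dll_offset], rtf_key)
    dll_key = recover_single_byte_key(lnk[dll_offset:], MZ_MAGIC)
    if dll_key is not None:
        dll = xor_bytes(lnk[dll_offset:], dll_key)
        report["dll_key"] = dll_key
        report["dll"] = dll
        # Same sanity check the stager applies to its own second stage: the DOS stub string.
        report["dll_valid"] = DOS_STUB in dll
    return report


def build_sample_lnk() -> bytes:
    """Constructed stand-in for the malicious shortcut: real header bytes, fake lure and fake PE."""
    lure = b"{\\rtf1\\ansi Constructed lure document}"
    fake_pe = MZ_MAGIC + b"\x00" * 62 + DOS_STUB + b".\r\n$"
    blob = bytearray(LNK_HEADER)
    blob += b"\x00" * (RTF_OFFSET - len(blob))
    blob += xor_bytes(lure, XOR_KEY)
    blob += b"\x00" * (DLL_OFFSET - len(blob))
    blob += xor_bytes(fake_pe, XOR_KEY)
    return bytes(blob)


if __name__ == "__main__":
    result = carve_lnk(build_sample_lnk())
    print(f"LNK header: {result['is_lnk']}, oversized: {result['oversized']}")
    print(f"lure key: {result['rtf_key']:#x}, DLL key: {result['dll_key']:#x}, DLL valid: {result['dll_valid']}")
```

Against a real file, `carve_lnk(open(path, "rb").read())` yields the decoded lure and DLL for hashing and further analysis without ever running the shortcut; if the offsets differ in a future variant, scanning every offset with `recover_single_byte_key` is a cheap way to find them.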
Lure Document
The lure document is related to Karachi Shipyard & Engineering Works (KS&EW), a prominent defense contractor and shipbuilding company in Pakistan. This indicates that the TA is targeting industries supporting the defense sector. The figure below shows the lure document.
DLL file analysis
Upon execution, the DLL begins by extracting configuration details from an embedded JSON file. This configuration includes information such as the configuration filename, environment variable name, server domain, transit keys for secure communication, mutex, and user-agent string. The table below shows the configuration details.
| Field Name | Value |
|---|---|
| ConfigFileName | Config.json |
| EnvVarTaskName | PFTN |
| HMAC_Security | j4fhrJpSqvgE |
| MachineMutex | 5734b817-1bb8-402b-a761-da8f2e188baf |
| ServerDomain | hxxps://internalfileserver[.]online:443/ |
| TransitKey | tTRxrb0kmbQGpdci |
| TransitSalt | aWrtRHXuEBy6CwXj |
| userAgent | Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 |
| BackupServerURL | hxxps://safehydratedcloudcosmoswebglobe[.]cc/ |
| PrimaryServerUrl | hxxps://internalfileserver[.]online:443/ |
| FirstTaskName | Schedule |
| TaskDefinition | This service allows a user to configure and schedule automated tasks on this computer. It also hosts multiple Windows system-critical tasks. If this service is stopped or disabled, these tasks will not be run at their scheduled times, and any services that explicitly depend on it will fail to start. |
Random domain generation
The BackupServerURL in the config file is generated by selecting six entries from a hardcoded array of words and concatenating them to form a domain name. A TLD is then chosen from a separate array of TLD values. This randomly generated domain serves as a backup for Command and Control (C&C) communication. The figure below shows the list of words available for generating random domains.
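Because the backup domains are concatenations of dictionary words, a defender can hunt for them in DNS logs by asking whether a queried label segments exactly into six words from the malware's list. The Python check below is an added example for this page, not Cyble's tooling. Its word list is an assumption reconstructed only from the two backup domains quoted in this report (the real array in the sample is longer and should be copied from the figure), the TLD list is limited to the two TLDs seen here, and the DNS log lines are constructed.

```python
"""DNS-log check for backup C&C domains built from dictionary words (added example, not Cyble's tooling)."""
from __future__ import annotations
from functools import lru_cache

# Assumption: only the words recoverable from the two backup domains quoted in the report.
# The malware's real array is longer, so extend this set from the figure in the report.
KNOWN_WORDS = frozenset({"safe", "hydrated", "cloud", "cosmos", "web", "globe", "florida", "cyber", "tech"})
KNOWN_TLDS = frozenset({"cc", "online"})  # assumption: the TLDs seen in the report
WORDS_PER_DOMAIN = 6  # the report states that six words are concatenated


def segment(label: str, words: frozenset[str], count: int) -> tuple[str, ...] | None:
    """Split label into exactly `count` dictionary words, or return None if that is impossible."""
    @lru_cache(maxsize=None)
    def rec(i: int, left: int) -> tuple[str, ...] | None:
        if i == len(label):
            return () if left == 0 else None
        if left == 0:
            return None
        for j in range(i + 1, len(label) + 1):
            piece = label[i:j]
            if piece in words:
                rest = rec(j, left - 1)
                if rest is not None:
                    return (piece,) + rest
        return None
    return rec(0, count)


def normalise(name: str) -> str:
    """Accept defanged indicators ('hxxps://', '[.]') as well as raw hostnames from logs."""
    name = name.strip().lower().replace("[.]", ".")
    for prefix in ("hxxps://", "hxxp://", "https://", "http://"):
        if name.startswith(prefix):
            name = name[len(prefix):]
    return name.split("/")[0].split(":")[0]


def classify_domain(name: str) -> dict:
    """Report whether a host name looks like one of the generated backup domains."""
    host = normalise(name)
    label, _, tld = host.partition(".")
    words = segment(label, KNOWN_WORDS, WORDS_PER_DOMAIN) if tld in KNOWN_TLDS else None
    return {"host": host, "words": words, "suspicious": words is not None}


def hunt_dns_log(lines: list[str]) -> list[str]:
    """Return the queried names that look like generated backup C&C domains, in order of first sight."""
    flagged: list[str] = []
    for line in lines:
        if not line.strip():
            continue
        queried = line.split()[-1]  # constructed log format: '<time> <client> query <type> <name>'
        verdict = classify_domain(queried)
        if verdict["suspicious"] and verdict["host"] not in flagged:
            flagged.append(verdict["host"])
    return flagged


# Constructed sample log; the two generated names are the ones quoted in the report.
SAMPLE_LOG = [
    "2024-11-11T10:00:01 10.0.0.5 query A internalfileserver.online",
    "2024-11-11T10:05:02 10.0.0.5 query A safehydratedcloudcosmoswebglobe.cc",
    "2024-11-11T10:05:03 10.0.0.7 query A cloudflare.com",
    "2024-11-11T10:10:04 10.0.0.5 query A floridacloudcyberhydratedfloridatech.online",
    "2024-11-11T10:10:05 10.0.0.9 query A webglobe.cc",
]

if __name__ == "__main__":
    for host in hunt_dns_log(SAMPLE_LOG):
        print(host, "->", "+".join(classify_domain(host)["words"]))
```

Requiring exactly six words keeps short, legitimate names such as `webglobe.cc` from matching, and the segmentation is a memoised search rather than a greedy split, so overlapping words in the list do not cause misses.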
Persistence
After extracting the configuration details, the DLL checks for the presence of a scheduled task named "Schedule." If the task is not found, it creates a new one that executes the DLL via "rundll32.exe" every 5 minutes for one day, as shown in the figure below.
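The persistence task described above has a recognisable shape: a rundll32.exe action, a DLL under a user-writable temp directory, and a five-minute repetition. The Python triage function below is an added example for this page, not Cyble's tooling or a rule from their hunting package. It parses a task definition in the Task Scheduler XML format (the same XML is stored under the Tasks folder and in the TaskContent field of Security event 4698) and flags that combination. Both task definitions are constructed; the DLL path reuses the 7GGVXwRn directory, CertPropOrigin.dll and HgCallClient export named in this report, while the user name, the benign task and the list of user-writable directories are assumptions.

```python
"""Scheduled-task triage for rundll32 persistence (added example, not Cyble's tooling)."""
from __future__ import annotations
import re
import xml.etree.ElementTree as ET

# Assumption: directories a standard user can write to; a DLL launched from here deserves a look.
USER_WRITABLE = re.compile(r"(\\appdata\\|\\users\\public\\|\\programdata\\|%temp%|%appdata%|\\temp\\)", re.I)
DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")
INTERVAL_THRESHOLD = 5 * 60  # seconds; the report's task fires every five minutes


def duration_seconds(value: str | None) -> int | None:
    """Convert an ISO-8601 duration such as PT5M or P1D into seconds."""
    if not value:
        return None
    m = DURATION.match(value.strip())
    if not m:
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s


def _text(root: ET.Element, local_name: str) -> str | None:
    """Return the text of the first element with this local name, ignoring the task XML namespace."""
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == local_name:
            return (el.text or "").strip()
    return None


def assess_task_xml(task_xml: str) -> dict:
    """Flag a task definition that matches the rundll32-every-five-minutes persistence pattern."""
    root = ET.fromstring(task_xml)
    command = _text(root, "Command") or ""
    arguments = _text(root, "Arguments") or ""
    interval = duration_seconds(_text(root, "Interval"))
    flags = []
    if command.lower().replace("\\", "/").split("/")[-1] in ("rundll32.exe", "rundll32"):
        flags.append("rundll32_action")
    if USER_WRITABLE.search(arguments) and ".dll" in arguments.lower():
        flags.append("dll_in_user_writable_path")
    if interval is not None and interval <= INTERVAL_THRESHOLD:
        flags.append("repeats_every_5min_or_less")
    # rundll32 alone is common in legitimate tasks, so require two of the three traits.
    return {"command": command, "arguments": arguments, "interval_seconds": interval,
            "flags": flags, "suspicious": len(flags) >= 2}


# Constructed task XML modelled on the behaviour in the report (not the actual task from the sample).
MALICIOUS_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger>
    <Repetition><Interval>PT5M</Interval><Duration>P1D</Duration></Repetition>
    <StartBoundary>2024-11-11T10:00:00</StartBoundary><Enabled>true</Enabled>
  </TimeTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>rundll32.exe</Command>
    <Arguments>C:\\Users\\victim\\AppData\\Local\\Temp\\7GGVXwRn\\CertPropOrigin.dll,HgCallClient</Arguments>
  </Exec></Actions>
</Task>"""

# Constructed benign task: a vendor updater that runs once a day from Program Files.
BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2024-11-11T03:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\\Program Files\\Vendor\\updater.exe</Command><Arguments>/silent</Arguments>
  </Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for name, xml_text in (("malicious", MALICIOUS_TASK), ("benign", BENIGN_TASK)):
        verdict = assess_task_xml(xml_text)
        print(f"{name}: suspicious={verdict['suspicious']} flags={verdict['flags']}")
```

Running `assess_task_xml` over every file under `C:\Windows\System32\Tasks` (or over the TaskContent of each 4698 event) gives a quick audit of the kind recommended later in this report, and the thresholds are easy to tune per environment.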
After establishing persistence, the DLL sends a POST request to the primary server URL. This request includes headers such as an HMAC (Hash-based Message Authentication Code) computed over the HTTP method, contact URL, current DateTime, and an HMAC secret key, together with an "X-Timestamp." The request body contains the unique DeviceID and the configuration filename, encrypted with a hardcoded AES transit key and salt and then Base64 encoded before being sent to the primary C&C URL. This encryption scheme is a relatively new approach in this campaign compared with those observed previously.
If the C&C server responds with status code 200, the response body contains JSON configuration data, which is decrypted using the same AES transit key and IV. The decrypted data includes the following details:
- DownloadURL
- FileDropEnvironment
- FileDropName
- ExportFunctionName
- TaskName
- Self_Destruction (boolean)
- Execution (boolean)
The decrypted JSON configuration allows the TA to control key aspects of the malware's behavior, such as downloading additional payloads, specifying file locations, and configuring execution options. This gives the TA the flexibility to adjust the attack as needed.
Next-Stage Payload Execution
If the TA intends to execute an additional payload, the encrypted payload is downloaded according to the C&C configuration. It is then decrypted using an XOR key found within the encrypted file itself, immediately after a sequence of magic bytes, and processed with a round-robin (repeating-key) XOR, as shown in Figure 10. This differs from a previous campaign in which the encrypted data was fetched from a URL and the decryption key was supplied directly in the C&C configuration, as shown in Figure 11.
Once decryption succeeds, the data is verified as a valid binary by checking for the string "This program cannot be run in DOS mode". The decrypted payload is then written to the directory specified by the "FileDropEnvironment" variable.
After verifying the binary, the stager malware creates a scheduled task to execute the decrypted binary using "rundll32.exe". The task name and execution interval are taken from the configuration details supplied by the TA via the C&C.
In case of a decryption failure, the stager malware updates its configuration with the backup server URL and logs the error message "File corruption while decrypting". It also collects detailed system information, such as disk space and installed security products, to help identify the cause of the decryption failure. This information is then sent to the TA via a POST request.
When the scheduled task deploys the payload successfully, the stager malware logs the event in the same manner as it does for a failure, the only difference being that the result is recorded as "Payload Deployment Successful." This log also contains detailed system information, helping the TA identify potential targets in the success case and detect security solutions in the failure case. The TA collects and logs all relevant details regardless of the outcome and sends the information to the C&C via a POST request.
The stager malware also stores state, including the number of attempts to communicate with the C&C, the primary C&C domain name, the last connection date, the backup domain name, and details of the second-stage payload. These values are stored as encrypted entries in environment variables, as shown in the table below.
| Variable Name | Value | Decrypted value |
|---|---|---|
| NFC (Not Found Count) | iOJDUU+oq2I1wQwfdYl98w== | 2 |
| PDN (Primary Domain Name) | ehdXQoPR9RjVlJYUWq+tIkQkazp1KhA1+59IGAXaXL94XRvH8aNbs9pv3e6PLCKK | hxxps://internalfileserver[.]online:443/ |
| LCD (Last Check Date) | vKXaygaagiZygkd7/Ok+uvQ== | 11-11-2024 |
| BDN (Backup Domain Name) | "tc6rjFyW2AVO6pu2y/c/Vg626iQ+S/FHqYIGBpIejquLjQJwMxVv/r6q44XNnInvBJPP86CLYx9qKJ0lMfryxQ==" | hxxps://floridacloudcyberhydratedfloridatech[.]online/ |
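Encrypted state in environment variables is unusual enough to hunt for directly. The Python check below is an added example for this page, not Cyble's tooling. It flags an environment entry either because its name matches one of the variables listed in this report (NFC, PDN, LCD, BDN, plus the EnvVarTaskName value PFTN from the configuration table) or because its value is Base64 whose decoded length is a positive multiple of the 16-byte AES block size and is not plain printable text. That block-size heuristic is my inference from the report's mention of AES and from the printed ciphertext lengths, not something the report states. The sample environment is constructed around the four ciphertexts printed in the table above; the other variables are ordinary values that must stay unflagged.

```python
"""Hunt for encrypted stager state kept in environment variables (added example, not Cyble's tooling)."""
from __future__ import annotations
import base64
import binascii
import os
import re

# Names from the report's tables: the four state variables plus the EnvVarTaskName value.
KNOWN_NAMES = {"NFC", "PDN", "LCD", "BDN", "PFTN"}
B64_SHAPE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def looks_like_aes_blob(value: str) -> bool:
    """Heuristic: valid Base64 whose plaintext length is a multiple of the AES block size (16)
    and is not ordinary printable text (which Base64 of a plain string would decode to)."""
    v = value.strip().strip('"')
    if len(v) < 24 or len(v) % 4 or not B64_SHAPE.match(v):
        return False
    try:
        raw = base64.b64decode(v, validate=True)
    except binascii.Error:
        return False
    return len(raw) % 16 == 0 and not all(32 <= b < 127 for b in raw)


def hunt_env(env: dict[str, str]) -> dict[str, list[str]]:
    """Return {variable: reasons} for every environment entry that deserves a closer look."""
    findings: dict[str, list[str]] = {}
    for name, value in env.items():
        reasons = []
        if name.upper() in KNOWN_NAMES:
            reasons.append("name_matches_report")
        if looks_like_aes_blob(value):
            reasons.append("aes_sized_base64")
        if reasons:
            findings[name] = reasons
    return findings


# Constructed environment: the four ciphertexts are the ones printed in the report's table,
# the remaining variables are ordinary values that must not be flagged.
SAMPLE_ENV = {
    "PATH": r"C:\Windows\system32;C:\Windows",
    "TEMP": r"C:\Users\victim\AppData\Local\Temp",
    "SESSIONNAME": "Console",
    "BUILD_TAG": "Q2FjaGVEaXJlY3RvcnlfMjAyNA==",  # Base64 of plain text, 19 bytes: stays unflagged
    "NFC": "iOJDUU+oq2I1wQwfdYl98w==",
    "PDN": "ehdXQoPR9RjVlJYUWq+tIkQkazp1KhA1+59IGAXaXL94XRvH8aNbs9pv3e6PLCKK",
    "LCD": "vKXaygaagiZygkd7/Ok+uvQ==",
    "BDN": '"tc6rjFyW2AVO6pu2y/c/Vg626iQ+S/FHqYIGBpIejquLjQJwMxVv/r6q44XNnInvBJPP86CLYx9qKJ0lMfryxQ=="',
}

if __name__ == "__main__":
    print("sample:", hunt_env(SAMPLE_ENV))
    print("this host:", hunt_env(dict(os.environ)))  # live check of the current process environment
```

Note that the LCD value as printed in the table is 25 characters long, which is not valid Base64, so it is caught by its name only; the other three are caught by both rules. On a Windows host the same check can be pointed at the user's persisted variables (HKCU\Environment) rather than the current process environment, since the stager needs them to survive across its five-minute task runs.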
During our testing, the C&C server was unavailable, preventing us from receiving a response. As a result, we were unable to observe or analyze the behavior of the next-stage DLL payload, which would have been triggered by communication with the C&C server. Without this crucial interaction, we could not fully understand how the payload executes or what further actions it might take.
Self-Deletion
If the TA issues the self-destruction command via the C&C, the stager malware removes the scheduled task and initiates self-deletion by executing the "DEL" command through "cmd.exe". The image below illustrates the self-deletion process.
Threat Actor Attribution
The malicious DLL connects to the C&C server "internalfileserver[.]online," which resolves to the IP address "94[.]141.120[.]137." This same IP address previously hosted the domain "office-updatecentral[.]com," which was used by the DoNot APT group in an earlier campaign. In addition, the tactics, techniques, and procedures (TTPs) observed in this campaign exhibit behavior similar to that reported by the 360 Threat Intelligence Center.
Conclusion
This DoNot APT campaign shows an evolution in tactics. It uses malicious LNK files, PowerShell for payload delivery, and scheduled tasks for persistence. The group also employs dynamic domain generation for backup C&C servers and has updated its encryption methods to avoid detection.
The shift in how decryption keys are handled and the collection of system information before payload delivery indicate a more sophisticated approach. These changes highlight the growing complexity of APT campaigns and the need for improved detection and defense strategies.
Threat Hunting Packages
The threat hunting package, including YARA and Sigma rules capable of detecting this campaign, can be downloaded from the linked GitHub pages.
Recommendations
- Deploy robust EDR solutions to monitor unusual PowerShell activity, scheduled task creation, and suspicious network connections to C&C servers. Ensure these tools are configured to flag and alert on anomalies.
- Limit the execution of PowerShell and other scripting tools to the users who need them and enforce least-privilege policies to prevent malware from escalating privileges and performing malicious actions.
- Conduct frequent audits of scheduled tasks to identify any unusual or unauthorized tasks, particularly those involving rundll32.exe. Ensure only trusted applications are allowed to create or execute scheduled tasks.
- Implement behavior-based detection systems that can identify malicious activity, such as frequent attempts to contact C&C servers or unexpected encrypted data being transmitted.
- Maintain a well-defined incident response plan with clear steps for handling potential APT intrusions. This plan should cover rapid identification, containment, and recovery from any detected malicious activity.
- Conduct regular cybersecurity awareness training for employees, focusing on identifying phishing emails and handling suspicious attachments to reduce the risk of initial infection.
MITRE ATT&CK® Techniques
| Tactic | Technique | Procedure |
|---|---|---|
| Initial Access (TA0001) | Phishing (T1566) | This campaign is likely to reach users through spam emails. |
| Execution (TA0002) | Command and Scripting Interpreter: PowerShell (T1059.001) | PowerShell commands are used to decrypt and execute the lure RTF file and the stager DLL payload. |
| Execution (TA0002) | Command and Scripting Interpreter: Windows Command Shell (T1059.003) | Cmd.exe is used to copy PowerShell.exe to the %temp% directory as "2SqSxDA2.exe". |
| Defense Evasion (TA0005) | System Binary Proxy Execution: Rundll32 (T1218.011) | Rundll32.exe is used to execute the stager payload. |
| Persistence (TA0003) | Scheduled Task/Job: Scheduled Task (T1053.005) | A scheduled task is created for persistence, running the DLL payload regularly via rundll32.exe. |
| Defense Evasion (TA0005) | Indicator Removal on Host: File Deletion (T1070.004) | The temporary PowerShell.exe copy ("2SqSxDA2.exe") is deleted after the malicious commands have executed. |
| Defense Evasion (TA0005) | Obfuscated Files or Information (T1027) | XOR and AES encryption mechanisms are used at various stages of the attack. |
| Command and Control (TA0011) | Application Layer Protocol: Web Protocols (T1071.001) | GET and POST requests are sent to the Threat Actor's C&C server. |
| Command and Control (TA0011) | Remote File Copy (T1105) | The additional payload is downloaded from the C&C server using a URL supplied in the configuration. |
| Exfiltration (TA0010) | Exfiltration Over C2 Channel (T1041) | Extensive system information is collected and exfiltrated to the C&C server over encrypted communication. |
Indicators of Compromise
| Indicator | Indicator Type | Comments |
|---|---|---|
| cffe7eb01000de809b79a711702eaf3773f2e6167ce440f33f30bcd6fabcace3 | SHA-256 | Proc listing 2024.lnk |
| a7893c54edaecaa0e56010576a8249ad9149456f5d379868a0ecaa4c5c33fa70 | SHA-256 | CertPropOrigin.dll |
| Internalfileserver[.]online | domain | C&C server |
References:
https://mp.weixin.qq.com/s/qCcuU0E6d84tdQ1r2dCsjA
https://twitter.com/StrikeReadyLabs/status/1852532673283268899
https://twitter.com/suyog41/status/1814230027560501248