www.welivesecurity.com Open in urlscan Pro
2a02:26f0:4700::210:211 Public Scan

Back to summary

URL:
https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/
Submission: On November 11 via api (November 11th 2022, 7:25:13 am UTC) from DE — Scanned from DE

Form analysis
5 forms found in the DOM

GET https://www.welivesecurity.com/

<form action="https://www.welivesecurity.com/" class="basic-searchform imc dark col-md-12 col-sm-10 col-xs-12" method="get" role="search">
  <div class="search-input clearfix">
    <input type="text" name="s" value="" placeholder="Search..." class="imc">
    <button class="imc">
      <span class="icomoon icon-icon_search imc"></span>
    </button>
  </div>
</form>

GET https://www.welivesecurity.com/

<form action="https://www.welivesecurity.com/" class="basic-searchform imc dark col-md-12 col-sm-10 col-xs-12" method="get" role="search">
  <div class="search-input clearfix">
    <input type="text" name="s" value="" placeholder="Search..." class="imc">
    <button class="imc">
      <span class="icomoon icon-icon_search imc"></span>
    </button>
  </div>
</form>

GET https://www.welivesecurity.com/

<form action="https://www.welivesecurity.com/" class="basic-searchform imc  col-md-12 col-sm-10 col-xs-12" method="get" role="search">
  <div class="search-input clearfix">
    <input type="text" name="s" value="" placeholder="Search..." class="imc">
    <button class="imc">
      <span class="icomoon icon-icon_search imc"></span>
    </button>
  </div>
</form>

POST https://enjoy.eset.com/pub/rf

<form action="https://enjoy.eset.com/pub/rf" class="basic-searchform col-md-12 col-sm-12 col-xs-12 no-padding newsletter" method="post" role="search">
  <div class="search-input clearfix">
    <input type="text" name="EMAIL_ADDRESS_" value="" placeholder="Email...">
    <input type="hidden" name="TOPIC" value="We Live Security Ukraine Newsletter">
    <input type="hidden" name="_ri_" value="X0Gzc2X%3DAQpglLjHJlTQGgXv4jDGEK4KW2uhw0qgUzfwuivmOJOPCgzgo9vsI3VwjpnpgHlpgneHmgJoXX0Gzc2X%3DAQpglLjHJlTQGzbD6yU2pAgzaJM16bkTA7tOwuivmOJOPCgzgo9vsI3">
    <input type="hidden" name="_ei_" value="Ep2VKa8UKNIAPP_2GAEW0bY">
    <input type="hidden" name="_di_" value="m0a5n0j02duo9clmm4btuu5av8rdtvqfqd03v1hallrvcob47ad0">
    <input type="hidden" name="EMAIL_PERMISSION_STATUS_" value="O">
    <input type="hidden" name="CONTACT_SOURCE_MOST_RECENT" value="WLS_Subscribe_Form">
    <button class="button-flag"> Submit </button>
  </div>
</form>

POST https://enjoy.eset.com/pub/rf

<form action="https://enjoy.eset.com/pub/rf" class="basic-searchform col-md-12 col-sm-12 col-xs-12 no-padding newsletter" method="post" role="search">
  <div class="search-input clearfix">
    <input type="text" name="EMAIL_ADDRESS_" value="" placeholder="Email...">
    <input type="hidden" name="NEWSLETTER" value="We Live Security">
    <input type="hidden" name="_ri_" value="X0Gzc2X%3DAQpglLjHJlTQGgXv4jDGEK4KW2uhw0qgUzfwuivmOJOPCgzgo9vsI3VwjpnpgHlpgneHmgJoXX0Gzc2X%3DAQpglLjHJlTQGzbD6yU2pAgzaJM16bkTA7tOwuivmOJOPCgzgo9vsI3">
    <input type="hidden" name="_ei_" value="Ep2VKa8UKNIAPP_2GAEW0bY">
    <input type="hidden" name="_di_" value="m0a5n0j02duo9clmm4btuu5av8rdtvqfqd03v1hallrvcob47ad0">
    <input type="hidden" name="EMAIL_PERMISSION_STATUS_" value="O">
    <input type="hidden" name="CONTACT_SOURCE_MOST_RECENT" value="WLS_Subscribe_Form">
    <button class=""> Submit </button>
  </div>
</form>

Text Content

In English
* Em Português
* En français
* En Español
* In Deutsch

Menu toggle menu

* All Posts
* Ukraine Crisis – Digital Security Resource Center
* We Live Progress
* Research
* How To
* Videos
* Conference Materials
* White Papers
* Threat Reports
* Our Experts

* Em Português
* En français
* En Español
* In Deutsch

Award-winning news, views, and insight from the ESET security community

DONOT GO! DO NOT RESPAWN!

ESET researchers take a deep look into recent attacks carried out by Donot Team
throughout 2020 and 2021, targeting government and military entities in several
South Asian countries
Facundo Muñoz
Matías Porolli
18 Jan 2022 - 11:30AM
Share

ESET researchers take a deep look into recent attacks carried out by Donot Team
throughout 2020 and 2021, targeting government and military entities in several
South Asian countries

Donot Team (also known as APT-C-35 and SectorE02) is a threat actor operating
since at least 2016 and known for targeting organizations and individuals in
South Asia with Windows and Android malware. A recent report by Amnesty
International links the group’s malware to an Indian cybersecurity company that
may be selling the spyware or offering a hackers-for-hire service to governments
of the region.

We have been closely following the activities of Donot Team, and have traced
several campaigns that leverage Windows malware derived from the group’s
signature yty malware framework. According to our findings, the group is very
persistent and has consistently targeted the same organizations for at least the
last two years.

In this blogpost, we document two variants of the malware used in recent
campaigns – DarkMusical and Gedit. For each of the variants, we analyze the
whole attack chain and provide insight into how the group updates its tools,
tactics, and techniques.

TARGETS

The campaigns of Donot Team are motivated by espionage, using their signature
malware: the “yty” malware framework, whose main purpose is to collect and
exfiltrate data. According to our telemetry, Donot Team focuses on a small
number of targets in South Asia – Bangladesh, Sri Lanka, Pakistan and Nepal – as
seen in Figure 1.

Figure 1. Countries targeted in recent Donot Team campaigns

These attacks are focused on:

* Government and military organizations
* Ministries of Foreign Affairs
* Embassies

Going as far as targeting embassies of these countries in other regions, such as
the Middle East, Europe, North America, and Latin America, is also not outside
Donot Team’s realm.

TRY, TRY, TRY AGAIN

It’s not a rarity for APT operators to attempt to regain access to a compromised
network after they have been ejected from it. In some cases this is achieved
through the deployment of a stealthier backdoor that remains quiet until the
attackers need it; in other cases they simply restart their operation with new
malware or a variant of the malware they used previously. The latter is the case
with Donot Team operators, only that they are remarkably persistent in their
attempts.

According to ESET telemetry, Donot Team has been consistently targeting the same
entities with waves of spearphishing emails with malicious attachments every two
to four months. Interestingly, emails we were able to retrieve and analyze did
not show signs of spoofing. Some emails were sent from the same organizations
that were being attacked. It’s possible that the attackers may have compromised
the email accounts of some of their victims in earlier campaigns, or the email
server used by those organizations.

With spearphishing emails, the attackers use malicious Microsoft Office
documents to deploy their malware. We have seen Donot Team using at least three
techniques. One is macros in Word, Excel and PowerPoint documents, such as the
example seen in Figure 2.

Figure 2. Malicious macro in a PowerPoint document that drops a downloader
executable and creates a scheduled task to run it

The second technique is RTF files with .doc extensions that exploit memory
corruption vulnerability CVE‑2017‑11882 in Equation Editor, shown in Figure 3.
These RTF documents also contain two embedded DLLs as OLE objects (see Figure 4)
that are used to install and download further components (both DLLs are
described in the Gedit section). This allows the attackers to execute shellcode
and requires no user interaction. The shellcode deploys the main components of
the malware.

Figure 3. CLSID of the COM object used by the RTF document to load the Equation
Editor; the ensuing OLE object contains the CVE‑2017‑1182 exploit

Figure 4. The OLE object headers of the DLLs also embedded in the RTF document

The third technique is remote RTF template injection, which allows the attackers
to have a payload downloaded from a remote server when the RTF document is
opened. This is achieved by inserting a URL in the optional \*\template control
word of the RTF file format, instead of the location of a local file resource.
The payload that Donot Team uses is another document that exploits
CVE-2017-11882 and is loaded automatically once it is downloaded. This is shown
in Figure 5.

Figure 5. When Word opens an RTF file with a remote template, it automatically
attempts to download the resource

THE YTY MALWARE FRAMEWORK

Discovered by NetScout in 2018, the yty malware framework is a less
sophisticated and poorly developed successor to an older framework called
EHDevel. The yty framework consists of a chain of downloaders that ultimately
download a backdoor with minimal functionality, used to download and execute
further components of Donot Team’s toolset.

These include file collectors based on file extension and year of creation,
screen capturers, keyloggers, reverse shells, and more. As seen in Figure 6,
components for exfiltration gather the collected intelligence from staging
folders and upload every file to a designated server used only for this purpose.

Figure 6. Component that resolves the folder name for staging JPEG screenshots
(left) and exfiltration component that finds all files in the staging folder
(right)

Staging folder names and locations are changed with almost every new campaign,
as well as some of the components’ filenames. However, there are cases in which
the names of components have remained unchanged, for example: gedit.exe,
wuaupdt.exe, lmpss.exe, disc.exe, among others. As seen in Figure 7, it seems
that for every new campaign, in order to set new paths and filenames, these
values must be changed in the source code and then recompiled, as none of these
components use a configuration block or file.

Figure 7. Encrypted strings containing locations and filenames that are
regularly changed (top) and unencrypted values used in constructing the C&C URL
(bottom)

The malware uses scheduled tasks for persistence, and alternates between DLL and
EXE files between campaigns. In the case of DLLs, scheduled tasks execute
rundll32.exe to load them and execute one of the exported functions.

The developers of the yty framework primarily rely on the C++ programming
language. Likely in an attempt to evade detection, they have also ported their
components to other languages such as VBScript, Python (packaged with
PyInstaller), Visual C#, and AutoIt, among others. However, since 2019 we have
only seen them leveraging components programmed in C++ (Figure 8) and Go (Figure
9).

Figure 8. Decompiled code of the component that captures screenshots, originally
written in C++

Figure 9. Decompiled code of the component that captures screenshots, for the
version written in Go

The malware sometimes uses two or three servers during its deployment. It might
use one server during its chain of downloaders and a different server that the
backdoor contacts in order to receive its commands and download further
components, or use the same server for both purposes. A different server is
always used for the upload of collected information. In some attacks Donot Team
has reused C&C domains from previous attacks – both for downloads and
exfiltration. As seen in Figure 10, Figure 11 and Figure 12, these components –
later described as a variant we track as DarkMusical – used in the same attack,
employed three different C&C domains.

Figure 10. The first downloader decrypts the URL of the server from which it
downloads the next stage of the chain

Figure 11. In later stages, the backdoor uses a different server for C&C
communications

Figure 12. The exfiltration components use yet a third server to upload the
collected files

TIMELINE OF ATTACKS

Here we describe the malware variants used in recent Donot Team campaigns, with
a focus on their Windows malware, starting from September 2020 until October
2021. For clarity, we have separated them into two variants of the yty malware
framework: Gedit and DarkMusical, with one specific campaign using Gedit that we
named Henos.

In Figure 13, we present a timeline, according to our telemetry, of the attacks.
Also on our timeline we have included attacks from another variant, known as the
“Jaca framework”. However, we will not describe it here as it has been described
extensively in this report by CN-SEC.

Figure 13. Timeline of Donot Team attacks from September 2020 to October 2021
according to ESET telemetry

DARKMUSICAL

According to ESET telemetry, the first wave of attacks where this variant was
used occurred in June 2021, targeting military organizations in Bangladesh. We
were only able to recover its chain of downloaders and its main backdoor. Given
the small number of victims, we believe this might have been a highly targeted
attack.

In September, a second wave of attacks that targeted military organizations in
Nepal used new C&C servers and file and staging folder names. We were able to
recover a number of components downloaded by the backdoor, so we have decided to
describe these attacks instead.

Spearphishing emails were sent with PowerPoint documents containing a macro that
deploys the first component of a chain of downloaders and persists using a
scheduled task. When potential victims open these documents, they will be
presented with a fake error message, as seen in Figure 14, and the documents
will remain devoid of any visible content.

Figure 14. Screenshot of a blank, malicious PowerPoint document

As seen in Figure 15, the chain of downloaders aims to download a final
component that works as a backdoor with minimal functionality: it downloads
standalone components, executes them using the ShellExecute Windows API, get and
saves new C&C URLs.

The backdoor downloads the components that handle the collection and
exfiltration of information to a dedicated server. These components do not
communicate with the backdoor or the C&C to report on their activities – rather,
they use a designated folder for the staging of the data, and a separate
exfiltration component will collect everything and upload it.

Figure 15. Observed chain of compromise for DarkMusical

We decided to call this campaign DarkMusical because of the names the attackers
chose for their files and folders: many are western celebrities or characters in
the movie High School Musical. Table 1 briefly describes the purpose of each of
the components in the chain of compromise.

Table 1. Components in the DarkMusical campaign chain of compromise

FilenameDescription rihana.exeThis executable is dropped by the malicious
document to %public%\Music\rihana.exe and persistence established via a
scheduled task called musudt.
Downloads file to %public%\Music\acrobat.dll and drops a BAT file to
%public%\Music\sidilieicaliei.bat.
The BAT file calls schtasks.exe to create the hmomci scheduled task to execute
rundll32.exe %public%\Music\acrobat.dll, nikioioeioolla. acrobat.dllDownloads
file and saves it as %public%\Music\swift
Additionally, can issue a systeminfo.exe command whose output is redirected to
%public%\Music\justin. The contents of the file are sent to its C&C server.
Drops and executes the file %public%\Music\janifer.bat that performs several
tasks:
• Creates the folders Troy, Gabriella, and Taylor in %public%\Music with
archive, hidden, and system attributes.
• Creates two scheduled tasks:
- sccmos to execute %public%\Music\Troy\forbidden.exe
- msoudatee that executes %public%\Music\Gabriella\remember.exe
• Moves the swift file into the Gabriella folder and renames it to remember.exe
• Attempts to delete acrobat.dll and rihana.exe
• Deletes the scheduled tasks named hmomci and musudt
• Deletes itself
remember.exeDownloads file to %public%\Music\Troy\forbidden.exe
forbidden.exeUses the URL stored in %public%\Music\Taylor\flag file; if there is
no URL, it uses its default URL.
Accepts three commands:
• Set URL in the flag file
• Execute file with ShellExecute Windows API
• Download file to %public%\Music\Taylor

In Table 2 we describe the purpose of each component of the attacker’s toolset.

Table 2. Description of components in the attacker’s toolset for DarkMusical

FilenameDescription serviceup.exeReverse shells sdudate.exe srcot.exeTakes
screenshots, saves them to %public%\Music\Symphony Three variants of
nDExiD.exeCollects files created in 2021 and after, and copies them to the
staging folder %public%\Music\Symphony

Collects files by extension: doc, docx, eml, inp, jpeg, jpg, msg, odt, pdf, pps,
ppsx, ppt, pptx, rtf, txt, xls, xlsx Same as above, but files must have been
created in 2020 or after. File collector that monitors insertion of USB drives
and changes within the file system. Collects the same documents by extension as
above, but also includes files with extensions: docm, mbox, pst
upsvcsu.exeExfiltrates collected files.

Enumerates all files in %public%\Music\Symphony and uploads those that match the
extensions: doc, docx, eml, inp, jpeg, jpg, msg, odt, pdf, pps, ppsx, ppt, pptx,
rtf, txt, xls, xlsx

GEDIT

We detected the first attacks of the campaign using Gedit in September 2020,
against organizations in Pakistan that had already been targeted with
spearphishing and malicious RTF documents that installed the Jaca framework.
Since then, Donot Team moved on to focus on targets in Bangladesh, Nepal and Sri
Lanka. The malware is clearly derived from the yty malware framework, but it is
distinct enough to be separated from DarkMusical.

We were able to retrieve a spearphishing email corresponding to a Gedit campaign
that occurred in February of 2021, which is shown in Figure 16. The first
attachment contained a list of personnel from a military entity in Bangladesh
(and no malicious content). The second attachment showed nothing but a blank
page, while executing malicious code.

Figure 16. Screenshot of a spearphishing email sent by the attackers

We can see that the size of the second file is greater than 2 MB. It is an RTF
file that exploits CVE-2017-11882 to drop two DLL files contained in the
document and execute one of them. Other components are downloaded to the
compromised computer in various stages. An overview of this attack chain and its
malware components is shown in Figure 17.

Figure 17. Chain of compromise in Gedit campaigns

The components were coded in Go, and C++ (with MinGW and Visual Studio
compilers). We have chosen to describe the components used in that campaign in
February 2021, which are shown in Table 3.

Table 3. Description of components for Gedit variant

FilenameDescription vbtr.dllMoves the file %TEMP%\bcs01276.tmp to
%USERPROFILE%\Documents\msdn022.dll

Creates a scheduled task MobUpdate to execute rundll32.exe
%USERPROFILE%\Documents\msdn022.dll,iorpiyhduj
msdn022.dllDownloads a file to %APPDATA%\mscx01102 (later renamed to
Winhlp.exe).

Writes and executes %APPDATA%\test.bat, which:
• Writes <COMPUTERNAME>-<RANDOM_NUMBER> to
%USERPROFILE%\Policy\en-us\Files\wizard
• Creates the scheduled task TaskUpdate to execute
%USERPROFILE%\inf\boost\OOO\nprint.exe
• Creates the scheduled task MachineCore to execute
%USERPROFILE%\Cursor\Size\Dates\Winhlp.exe
Winhlp.exeDownloads a file to %USERPROFILE%\inf\boost\OOO\nprint.exe (if it
doesn’t exist or its size is less than 50 kB). nprint.exeSends a request to a
server and depending on the reply, three actions can be performed:
• If qwertyuiop is in the reply headers, then a file is downloaded to
%USERPROFILE%\Policy\en-us\Active\<FILENAME>, where <FILENAME> is also read from
the headers
• If asdfghjklzx is in the reply headers, then it tries to execute
%USERPROFILE%\Policy\en-us\Active\wuaupdt.exe
• If zxcvbnmlkjhgfd is in the reply headers, then it tries to execute
%USERPROFILE%\Policy\en-us\Active\test.bat
If a file %USERPROFILE%\Policy\en-us\Files\wizard exists, then the URL of the
server is retrieved from there and used instead of the one included in the
executable.
wuaupdt.exeReverse shell. lmpss.exeTakes screenshots and saves them, in an
infinite loop, to %USERPROFILE%\Remote\Desk\Apps innod.exeFile collector.
Iterates recursively through drives, logging interesting files to
%USERPROFILE%\Policy\en-us\Files\nohiucf. Files are copied to
%USERPROFILE%\Remote\Desk\Apps

Seeks files with the extensions: doc, docx, xls, xlsx, ppt, pps, pptx, ppsx,
pdf, inp, msg, jpg, jpeg, png, txt

Excludes the following files/folders: ., .., nohiucf, Windows, Recent Places,
Temfile, Program Files, Program Files (x86), ProgramData, Microsoft, Package
Cache

This component runs in an infinite loop, iterating drives from C: to H:
gedit.exeSends collected files to a server. All files that are in
%USERPROFILE%\Remote\Desk\Apps are sent one by one, unencrypted. There is no
check for extension, other than excluding . and ..

The victim identifier that was written to
%USERPROFILE%\Policy\en-us\Files\wizard is appended to the URL. If the file
doesn’t exist, then the default string HeloBSiamabcferss is used instead.
User-agent is: If people are doubting how far you can go, go so far that you can
not hear them anymore. Michele Ruiz.

It creates a system event aaaaaaaaa to make sure that only one instance of the
component is running at a time.

HENOS CAMPAIGN

Finally, it is worth mentioning a wave of attacks that occurred between February
and March 2021, targeting military organizations in Bangladesh and Sri Lanka.
These attacks used the Gedit variant of the malware, but with some minor
modifications. Therefore, we decided to name this campaign Henos in our
timeline, after its backdoor DLL – henos.dll.

Samples belonging to components of this wave of attacks were also reported
online in February, which probably explains why the group didn’t use the
components again (see this tweet by Shadow Chaser Group researchers, for
example).

Although we didn’t find the corresponding spearphishing emails or malicious
documents, the attack chain is presumably the same as we described above, with
some minor differences in how the components are executed. An overview of this
is shown in Figure 18.

Figure 18. Chain of compromise of the Henos campaign

While some of the components of this campaign are named javatemp.exe and
pytemp.exe, these filenames were probably only chosen in an attempt to mimic
legitimate software such as Java or Python. While pytemp.exe and plaapas.exe
were coded in the Go language, javatemp.exe was coded in C++ (compiled with
MinGW).

One final note is that the component that performs exfiltration of files,
pytemp.exe, performs a check to see if gedit.exe is running. If two or more
instances are found, it exits. We believe this is a mistake by the programmers,
as it should check for pytemp.exe instead. However, this simple mistake helps us
tie the Henos campaign to the Gedit variant of the malware (added to code
similarity).

CONCLUSION

Donot Team makes up for its low sophistication with tenacity. We expect that it
will continue to push on regardless of its many setbacks. Only time will tell if
the group evolves its current TTPs and malware.

For any inquiries, or to make sample submissions related to the subject, contact
us at threatintel@eset.com.

INDICATORS OF COMPROMISE (IOCS)

A comprehensive list of Indicators of Compromise (IoCs) and samples can be found
in our GitHub repository.

GEDIT – OCTOBER 2021

SAMPLES

SHA-1FilenameESET detection name
78E82F632856F293BDA86D77D02DF97EDBCDE918cdc.dllWin32/TrojanDownloader.Donot.C
D9F439E7D9EE9450CD504D5791FC73DA7C3F7E2Ewbiosr.exeWin32/TrojanDownloader.Donot.D
CF7A56FD0613F63418B9DF3E2D7852FBB687BE3Fvdsc.exeWin32/TrojanDownloader.Donot.E
B2263A6688E512D90629A3A621B2EE003B1B959Ewuaupdt.exeWin32/ReverseShell.J
13B785493145C85B005E96D5029C20ACCFFE50F2gedit.exeWin32/Spy.Donot.A
E2A11F28F9511753698BA5CDBAA70E8141C9DFC3wscs.exeWin32/Spy.Donot.B
F67ABC483EE2114D96A90FA0A39496C42EF050B5gedit.exeWin32/Spy.Donot.B

NETWORK

Download servers

* https://request.soundedge[.]live/access/nasrzolofuju
* https://request.soundedge[.]live/access/birkalirajliruajirjiairuai
* https://share.printerjobs[.]xyz/id45sdjscj/<VICTIM_ID>

Exfiltration server

* https://submin.seasonsbackup[.]xyz/backup/<VICTIM_ID>

Reverse shell server

* 80.255.3[.]67

GEDIT – JULY 2021

SAMPLES

SHA-1FilenameESET detection name
A71E70BA6F3CD083D20EDBC83C72AA823F31D7BFhxedit.exeWin32/TrojanDownloader.Donot.N
E101FB116F05B7B69BD2CAAFD744149E540EC6E9lmpss.exeWin64/HackTool.Ligolo.A
89D242E75172C79E2F6FC9B10B83377D940AE649gedit.exeWinGo/Spy.Donot.A
B42FEFE2AB961055EA10D445D9BB0906144647CEgedit.exeWinGo/Spy.Donot.A
B0704492382186D40069264C0488B65BA8222F1Edisc.exeWin32/Spy.Donot.L
1A6FBD2735D3E27ECF7B5DD5FB6A21B153FACFDBdisc.exeWin32/Spy.Donot.A
CEC2A3B121A669435847ADACD214BD0BE833E3ADdisc.exeWin32/Spy.Donot.M
CBC4EC0D89FA7A2AD1B1708C5A36D1E304429203disc.exeWin32/Spy.Donot.A
9371F76527CA924163557C00329BF01F8AD9E8B7gedit.exeWin32/Spy.Donot.J
B427744B2781BC344B96907BF7D68719E65E9DCBwuaupdt.exeWin32/TrojanDownloader.Donot.W

NETWORK

Download server

* request.submitonline[.]club/orderme/

Exfiltration servers

* oceansurvey[.]club/upload/<VICTIM_ID>
* request.soundedge[.]live/<COMPUTERNAME>/uload

Reverse shell servers

* 80.255.3[.]67
* 37.48.122[.]145

GEDIT – FEBRUARY/MARCH 2021

SAMPLES

SHA-1FilenameESET detection name
A15D011BED98BCE65DB597FFD2D5FDE49D46CFA2BN_Webmail_List
2020.docWin32/Exploit.Agent.UN
6AE606659F8E0E19B69F0CB61EB9A94E66693F35vbtr.dllWin32/Spy.Donot.G
0290ABF0530A2FD2DFB0DE29248BA3CABB58D2ADbcs01276.tmp
(msdn022.dll)Win32/TrojanDownloader.Donot.P
66BA21B18B127DAA47CB16AB1F2E9FB7DE3F73E0Winhlp.exeWin32/TrojanDownloader.Donot.J
79A5B10C5214B1A3D7CA62A58574346C03D54C58nprint.exeWin32/TrojanDownloader.Donot.K
B427744B2781BC344B96907BF7D68719E65E9DCBwuaupdt.exeWin32/TrojanDownloader.Donot.W
E423A87B9F2A6DB29B3BA03AE7C4C21E5489E069lmpss.exeWinGo/Spy.Donot.B
F43845843D6E9FB4790BF70F1760843F08D43790innod.exeWin32/Spy.Donot.G
4FA31531108CC68FF1865E2EB5654F7B3DA8D820gedit.exeWin32/Spy.Donot.G

NETWORK

Download servers

* firm.tplinkupdates[.]space/8ujdfuyer8d8f7d98jreerje
* firm.tplinkupdates[.]space/yu37hfgde64jskeruqbrgx
* space.lovingallupdates[.]life/orderme

Exfiltration server

* oceansurvey.club/upload/<VICTIM_ID>

Reverse shell server

* 80.255.3[.]67

GEDIT – SEPTEMBER 2020

SAMPLES

SHA-1FilenameESET detection name
49E58C6DE5245796AEF992D16A0962541F1DAE0Clmpss.exeWin32/Spy.Donot.H
6F38532CCFB33F921A45E67D84D2796461B5A7D4prodot.exeWin32/TrojanDownloader.Donot.K
FCFEE44DA272E6EB3FC2C071947DF1180F1A8AE1prodot.exeWin32/TrojanDownloader.Donot.S
7DDF48AB1CF99990CB61EEAEB3ED06ED8E70A81Bgedit.exeWin32/TrojanDownloader.Donot.AA
DBC8FA70DFED7632EA21B9AACA07CC793712BFF3disc.exeWin32/Spy.Donot.I
CEF05A2DAB41287A495B9413D33F14D94A568C83wuaupdt.exeWin32/Spy.Donot.A
E7375B4F37ECEA77FDA2CEA1498CFB30A76BACC7prodot.exeWin32/TrojanDownloader.Donot.AA
771B4BEA921F509FC37016F5FA22890CA3338A65apic.dllWin32/TrojanDownloader.Donot.A
F74E6C2C0E26997FDB4DD89AA3D8BD5B270637CCnjhy65tg.dllWin32/TrojanDownloader.Donot.O

NETWORK

Download servers

* soundvista[.]club/sessionrequest
* soundvista[.]club/orderme/<VICTIM_ID>
* soundvista[.]club/winuser

Exfiltration server

* request.resolverequest[.]live/upload/<COMPUTERNAME>-<Random_Number>

Reverse shell server

* 80.255.3[.]67

DARKMUSICAL – SEPTEMBER 2021

SAMPLES

SHA-1FilenameESET detection name
1917316C854AF9DA9EBDBD4ED4CBADF4FDCFA4CErihana.exeWin32/TrojanDownloader.Donot.G
6643ACD5B07444D1B2C049BDE61DD66BEB0BD247acrobat.dllWin32/TrojanDownloader.Donot.F
9185DEFC6F024285092B563EFA69EA410BD6F85Bremember.exeWin32/TrojanDownloader.Donot.H
954CFEC261FEF2225ACEA6D47949D87EFF9BAB14forbidden.exeWin32/TrojanDownloader.Donot.I
7E9A4A13A76CCDEC880618BFF80C397790F3CFF3serviceup.exeWin32/ReverseShell.J
BF183A1EC4D88034D2AC825278FB084B4CB21EADsrcot.exeWin32/Spy.Donot.F
1FAA4A52AA84EDB6082DEA66F89C05E0F8374C4Cupsvcsu.exeWinGo/Spy.Donot.A
2F2EA73B5EAF9F47DCFB7BF454A27A3FBF253A1Esdudate.exeWin32/ReverseShell.J
39F92CBEC05785BF9FF28B7F33906C702F142B90ndexid.exeWin32/Spy.Donot.C
1352A8394CCCE7491072AAAC9D19ED584E607757ndexid.exeWin32/Spy.Donot.E
623767BC142814AB28F8EC6590DC031E7965B9CDndexid.exeWin32/Spy.Donot.A

NETWORK

Download servers

* digitalresolve[.]live/<COMPUTERNAME>~<USERNAME>~<HW_PROFILE_GUID>/ekcvilsrkjiasfjkikiakik
* digitalresolve[.]live/<COMPUTERNAME>~<USERNAME>~<HW_PROFILE_GUID>/ziuriucjiekuiemoaeukjudjkgfkkj
* digitalresolve[.]live/<COMPUTERNAME>~<USERNAME>~<HW_PROFILE_GUID>/Sqieilcioelikalik
* printersolutions[.]live/<COMPUTERNAME>~<USERNAME>~<HW_PROFILE_GUID>/orderme

Exfiltration server

* packetbite[.]live/<COMPUTERNAME>~<USERNAME>~<HW_PROFILE_GUID>/uload

Reverse shell servers

* 37.120.198[.]208
* 51.38.85[.]227

DARKMUSICAL – JUNE 2021

SAMPLES

SHA-1FilenameESET detection name BB0C857908AFC878CAEEC3A0DA2CBB0A4FD4EF04

6194E0ECA5D494980DF5B9AB5CEA8379665ED46A
ertficial.dllWin32/TrojanDownloader.Donot.X
ACB4DF8708D21A6E269D5E7EE5AFB5168D7E4C70msofficedll.dllWin32/TrojanDownloader.Donot.L
B38F3515E9B5C8F4FB78AD17C42012E379B9E99Asccmo.exeWin32/TrojanDownloader.Donot.M
60B2ADE3B339DE4ECA9EC3AC1A04BDEFC127B358pscmo.exeWin32/TrojanDownloader.Donot.I

NETWORK

Download servers

* biteupdates[.]live/<COMPUTERNAME>~<USERNAME>~<VICTIM_ID>/orderme
* biteupdates[.]live/<COMPUTERNAME>~<USERNAME>~<VICTIM_ID>/KdkdUe7KmmGFD
* biteupdates[.]live/<COMPUTERNAME>~<USERNAME>~<VICTIM_ID>/acdfsgbvdghd
* dataupdates[.]live/<COMPUTERNAME>~<USERNAME>~<VICTIM_ID>/DKixeXs44skdqqD
* dataupdates[.]live/<COMPUTERNAME>~<USERNAME>~<VICTIM_ID>/BcX21DKixeXs44skdqqD

HENOS – FEBRUARY/MARCH 2021

SAMPLES

SHA-1FilenameESET detection name
468A04B358B780C9CC3174E107A8D898DDE4B6DEProcurement Letter Feb
21.docWin32/Exploit.CVE-2017-11882.CP
9DD042FC83119A02AAB881EDB62C5EA3947BE63Ectlm.dllWin32/Spy.Donot.N
25825268868366A31FA73095B0C5D0B696CD45A2stpnaqs.pmt
(jptvbh.exe)Win32/TrojanDownloader.Donot.Z
540E7338725CBAA2F33966D5C1AE2C34552D4988henos.dllWin32/Spy.Donot.G
526E5C25140F7A70BA9F643ADA55AE24939D10AEplaapas.exeWinGo/Spy.Donot.B
89ED760D544CEFC6082A3649E8079EC87425FE66javatemp.exeWin32/Spy.Donot.G
9CA5512906D43EB9E5D6319E3C3617182BBF5907pytemp.exeWinGo/Spy.Donot.A

NETWORK

Download servers

* info.printerupdates[.]online/<USERNAME>/Xddv21SDsxDl
* info.printerupdates[.]online/<COMPUTERNAME>~<USERNAME>/XddvInXdl
* info.printerupdates[.]online/<COMPUTERNAME>~<USERNAME>/ZuDDey1eDXUl
* info.printerupdates[.]online/<COMPUTERNAME>~<USERNAME>/Vyuib45xzlqn

Exfiltration server

* https://manage.biteupdates[.]site/<PC_NAME>/uload

MITRE ATT&CK TECHNIQUES

This table was built using version 10 of the ATT&CK framework.

TacticIDNameDescription Resource DevelopmentT1588.005Obtain Capabilities:
ExploitsDonot Team has used CVE‑2017-11882 exploits to run its first-stage
malware. Initial AccessT1566.001Phishing: Spearphishing AttachmentDonot Team has
sent spearphishing emails to its victims with malicious Word or PowerPoint
attachments. ExecutionT1204.002User Execution: Malicious FileDonot Team has
lured its victims into opening malicious email attachments. T1059.005Command and
Scripting Interpreter: Visual BasicDonot Team has used macros contained in Power
Point documents. T1059.003Command and Scripting Interpreter: Windows Command
ShellDonot Team has used reverse shells on the system to execute commands.
T1203Exploitation for Client ExecutionDonot Team has used CVE-2017-11882
exploits to execute code on the victim’s machine. PersistenceT1053.005Scheduled
Task/Job: Scheduled TaskDonot Team has created scheduled tasks for persistence
of its malicious components. Defense EvasionT1036.005Masquerading: Match
Legitimate Name or LocationDonot Team has used filenames such as pytemp or
javatemp to approximate the name of legitimate software. DiscoveryT1057Process
DiscoveryDonot Team has implemented checks for older versions of the malware
running on the victim’s system. Lateral MovementT1534Internal SpearphishingDonot
Team has sent spearphishing emails to their victims that came from within the
same targeted organization. CollectionT1005Data from Local SystemDonot Team has
used malicious modules that traverse the victim’s filesystem looking for files
with various extensions. T1025Data from Removable MediaDonot Team has used a
malicious module to copy files from removable drives. T1074.001Data Staged:
Local Data StagingDonot Team has staged files for exfiltration in a single
location, a folder in the victim’s computer. T1113Screen CaptureDonot Team has
used malicious modules to take screenshots from victims. Command and
ControlT1071.001Application Layer Protocol: Web ProtocolsDonot Team has used
HTTP/S for C&C communications and data exfiltration.
ExfiltrationT1048.003Exfiltration Over Alternative Protocol: Exfiltration Over
Unencrypted/‌Obfuscated Non-C2 ProtocolDonot Team has used dedicated servers for
exfiltration, sending the data over HTTP or HTTPS, unencrypted.

Facundo Muñoz
Matías Porolli
18 Jan 2022 - 11:30AM

SIGN UP TO RECEIVE AN EMAIL UPDATE WHENEVER A NEW ARTICLE IS PUBLISHED IN OUR
UKRAINE CRISIS – DIGITAL SECURITY RESOURCE CENTER

Submit

NEWSLETTER

Submit

www.welivesecurity.com Open in urlscan Pro 2a02:26f0:4700::210:211 Public Scan

Form analysis 5 forms found in the DOM

GET https://www.welivesecurity.com/

GET https://www.welivesecurity.com/

GET https://www.welivesecurity.com/

POST https://enjoy.eset.com/pub/rf

POST https://enjoy.eset.com/pub/rf

Text Content

www.welivesecurity.com Open in urlscan Pro
2a02:26f0:4700::210:211 Public Scan

Form analysis
5 forms found in the DOM