DoNot APT targets Pakistan’s defence sector in cyber campaign

The DoNot Advanced Persistent Threat (APT) group, also known as APT-C-35, orchestrates a targeted campaign against Pakistan’s manufacturing sector, particularly industries connected to maritime and defence. This threat actor, which has been operational since 2016, is believed to be sponsored by the Indian government and has a track record of targeting government, military, and diplomatic entities across South Asia.

The campaign introduces a notable shift in tactics by utilising ‘.LNK’ files as the primary infection vector. These files, camouflaged to appear as legitimate Rich Text Format (RTF) documents, are distributed through phishing emails embedded within RAR archives.

A user opening the ‘.LNK’ file triggers a chain reaction. Commands executed through ‘cmd.exe’ and ‘powershell.exe’ lead to the deployment of a stager DLL file, which then establishes persistence by creating scheduled tasks to ensure recurring execution.
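The launch chain just described (explorer.exe opening the LNK, cmd.exe starting a hidden PowerShell, a scheduled task registered for persistence) is the part of this campaign that host telemetry can see. The following is an added detection example, written for this page and not taken from the article or from Cyble's report: it runs two simple rules over constructed, Sysmon-style process-creation records and over a constructed archive listing. The file names, task name, DLL path and base64 blob are placeholders, not indicators from the campaign, and the use of rundll32 to run the stager DLL from the task is an assumption for the sample data only.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon Event ID 1 style), trimmed to the fields the rules need."""
    pid: int
    ppid: int
    image: str      # full path of the new process
    cmdline: str    # command line as logged

# Constructed archive listing: a shortcut masquerading as an RTF document next to harmless files.
SAMPLE_ARCHIVE_LISTING = ["Tender_Notice.rtf.lnk", "readme.txt", "shortcut.lnk"]

# Constructed telemetry modelled on the chain in the article. Placeholders only, not real IoCs.
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(1000, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    # explorer.exe launches the LNK target: cmd.exe starting a hidden, encoded PowerShell
    ProcEvent(2000, 1000, r"C:\Windows\System32\cmd.exe",
              "cmd.exe /c start /min powershell -w hidden -ep bypass -enc <BASE64_PLACEHOLDER>"),
    ProcEvent(3000, 2000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -w hidden -ep bypass -enc <BASE64_PLACEHOLDER>"),
    # persistence: a recurring task that loads the stager DLL (rundll32 assumed for the sample)
    ProcEvent(4000, 3000, r"C:\Windows\System32\schtasks.exe",
              'schtasks /create /sc minute /mo 5 /tn "<TASK_NAME_PLACEHOLDER>" '
              r'/tr "rundll32 C:\Users\Public\<STAGER_PLACEHOLDER>.dll,Start"'),
    # benign noise: a user opening PowerShell from Explorer, and a task query
    ProcEvent(5000, 1000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe"),
    ProcEvent(6000, 1000, r"C:\Windows\System32\schtasks.exe", "schtasks /query"),
]

# A document extension immediately followed by .lnk is the masquerade the article describes.
DOUBLE_EXT = re.compile(r"\.(rtf|docx?|pdf|xlsx?)\.lnk$", re.I)
# Hidden window or encoded command: the usual signs of a script meant not to be seen.
HIDDEN_PS = re.compile(r"-w(?:indowstyle)?\s+hidden|-e(?:nc|ncodedcommand)?\s+\S+", re.I)

def suspicious_lnk_names(names: List[str]) -> List[str]:
    """Return archive entries whose name hides a .lnk behind a document extension."""
    return [n for n in names if DOUBLE_EXT.search(n)]

def _basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()

def detect_lnk_chain(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Flag (pid, reason) for the explorer > cmd > hidden PowerShell launch and for
    scheduled-task creation by PowerShell. Parent links come from the pid/ppid fields."""
    by_pid = {e.pid: e for e in events}
    findings: List[Tuple[int, str]] = []
    for e in events:
        parent = by_pid.get(e.ppid)
        grandparent = by_pid.get(parent.ppid) if parent else None
        name = _basename(e.image)
        if (name == "powershell.exe" and parent and _basename(parent.image) == "cmd.exe"
                and grandparent and _basename(grandparent.image) == "explorer.exe"
                and HIDDEN_PS.search(e.cmdline)):
            findings.append((e.pid, "explorer>cmd>hidden powershell (LNK-style launch)"))
        if (name == "schtasks.exe" and "/create" in e.cmdline.lower()
                and parent and _basename(parent.image) == "powershell.exe"):
            findings.append((e.pid, "scheduled task created by powershell (persistence)"))
    return findings

if __name__ == "__main__":
    print("masquerading shortcuts:", suspicious_lnk_names(SAMPLE_ARCHIVE_LISTING))
    for pid, reason in detect_lnk_chain(SAMPLE_EVENTS):
        print(f"pid {pid}: {reason}")
```

The parent-chain check matters more than any single command-line token: a user launching PowerShell from Explorer (pid 5000 above) does not fire, while the same binary reached through cmd.exe from a shortcut does. In production the rules would read real Sysmon or EDR events rather than the constructed list.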

The malware communicates with a command-and-control (C&C) server, sending a unique device ID and receiving further instructions, such as deploying additional payloads or initiating self-destruction.

This campaign highlights the increasing sophistication of the DoNot APT group. Unlike previous attacks that relied on Microsoft Office files with embedded macros, the current campaign employs enhanced encryption techniques and more advanced methods for payload delivery.

The attack chain explained. | Source: Cyble

The use of PowerShell scripts embedded in ‘.LNK’ files is a testament to the group’s adaptability. Additionally, the campaign incorporates dynamic domain generation to create backup C&C domains, ensuring resilience against disruptions to its primary server infrastructure.

These tactics improve the malware’s efficiency and make it more challenging for cybersecurity defences to detect and neutralise.

The choice of targets further reveals the campaign’s intent. A lure document related to Karachi Shipyard and Engineering Works (KS&EW), a prominent Pakistani defence contractor, indicates a deliberate focus on industries critical to national security.

By compromising entities in the defence sector, the attackers aim to access classified information or disrupt vital operations. This specificity in targeting reflects the APT group’s strategic approach and its alignment with broader geopolitical goals.

Technical analysis of the malware shows an intricate design aimed at evading detection while ensuring effective execution. Upon activation, the ‘.LNK’ file initiates PowerShell commands to extract and decrypt payloads stored within the file. The stager malware then retrieves configuration details from an embedded JSON file, specifying parameters for C&C communication, encryption keys, and task scheduling.

The lure document. | Source: Cyble

The malware’s communication with the C&C server is encrypted, with data transferred via POST requests, further complicating detection efforts. In case of failures, the malware collects system information, including disk space and installed security software, to aid attackers in refining their approach.

Several factors support the DoNot APT group’s involvement in this campaign, including the use of infrastructure linked to its previous operations and the repetition of tactics, techniques, and procedures (TTPs) associated with the group.

Domains such as ‘office-updatecentral[.]com,’ previously identified in DoNot campaigns, are now linked to this attack’s C&C infrastructure. Such patterns reinforce the attribution to this sophisticated and persistent threat actor.
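Defanged indicators like ‘office-updatecentral[.]com’ are written that way so they cannot be clicked, which also means they will not match a log line until they are normalised. The following is an added example, not from the article or from Cyble, showing the refang step and a suffix-aware match over constructed DNS query log lines (the log format, client addresses and hostnames are invented for the example; only the one domain comes from the page).

```python
import re
from typing import Iterable, List, Tuple

# Common defanging forms: [.] (.) {.} and " dot "
DEFANG_DOT = re.compile(r"\[\.\]|\(\.\)|\{\.\}|\s+dot\s+", re.I)
SCHEME = re.compile(r"^(?:hxxp|http)s?://", re.I)

def refang(ioc: str) -> str:
    """Turn a defanged indicator copied from prose into a lowercase hostname."""
    s = ioc.strip().strip("'\"‘’“”,")   # quotes and commas picked up from the sentence
    s = DEFANG_DOT.sub(".", s)
    s = SCHEME.sub("", s).split("/")[0]  # drop any scheme and path; keep the host only
    return s.lower().rstrip(".")

def host_matches(host: str, ioc_domain: str) -> bool:
    """True for the domain itself and its subdomains, never for look-alike suffixes or prefixes."""
    host = host.lower().rstrip(".")
    return host == ioc_domain or host.endswith("." + ioc_domain)

# Constructed DNS query log lines (format invented for the example).
SAMPLE_DNS_LOG = [
    "2024-11-20T10:01:02Z client=10.0.0.5 query=A name=www.example.com",
    "2024-11-20T10:01:09Z client=10.0.0.5 query=A name=cdn.office-updatecentral.com",
    "2024-11-20T10:01:15Z client=10.0.0.7 query=A name=office-updatecentral.com.lookalike.example",
    "2024-11-20T10:02:00Z client=10.0.0.9 query=A name=notoffice-updatecentral.com",
]

# The only indicator on the page, kept in its defanged form as an analyst would paste it.
DEFANGED_IOCS = ["‘office-updatecentral[.]com,’"]

LOG_FIELDS = re.compile(r"client=(?P<client>\S+).*?name=(?P<name>\S+)")

def scan_dns_log(lines: Iterable[str], defanged_iocs: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (client, queried host, matched indicator) for every line hitting an IoC domain."""
    domains = [refang(i) for i in defanged_iocs]
    hits: List[Tuple[str, str, str]] = []
    for line in lines:
        m = LOG_FIELDS.search(line)
        if not m:
            continue
        for d in domains:
            if host_matches(m.group("name"), d):
                hits.append((m.group("client"), m.group("name"), d))
    return hits

if __name__ == "__main__":
    for client, host, ioc in scan_dns_log(SAMPLE_DNS_LOG, DEFANGED_IOCS):
        print(f"{client} resolved {host} (matches {ioc})")
```

The suffix check is deliberate: a plain substring match would also flag ‘notoffice-updatecentral.com’ and ‘office-updatecentral.com.lookalike.example’, neither of which is the attacker's domain, and the resulting false positives are what makes analysts stop trusting an IoC feed.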

Researchers have urged organisations to prioritise proactive defences, including enhanced email filtering, endpoint monitoring, and regular security audits.

Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
