APT-C-35, also known as Donot, is a South Asian APT group that has targeted government institutions in Pakistan and neighbouring countries since 2016, with activity increasing in both frequency and sophistication. The group delivers a new .NET espionage component for data collection and exfiltration through macro-enabled documents and exploit-laden RTF files (CVE-2017-11882). #APT-C-35 #Donot #ShibliElectronicsLimited #Pakistan #office-updatecentral #regionserverbackup #winlst.dll #SOP-Payables.doc #CVE-2017-11882
Keypoints
- APT-C-35 (Donot) targets government entities in Pakistan and neighboring regions, with rising activity.
- Macro-enabled documents and exploit-laden RTF files (CVE-2017-11882) are used to deliver the malicious payloads.
- A new .NET component is employed for espionage and data exfiltration.
- Malicious documents often masquerade as legitimate company files (e.g., SOP – Payables.doc impersonating Shibli Electronics Limited).
- Attack chain includes multi-layer shellcode and DLL loading, with anti-detection and persistence efforts.
- Detection-evasion measures include a password check that gates macro execution (the payload does not run unless the expected password is supplied) and checks for installed antivirus products.
- IOCs include MD5 hashes and malicious URLs; users are advised to practice heightened security awareness.
MITRE Techniques
- [T1059] Command and Scripting Interpreter – Macros and scripts execute the malicious payloads.
- [T1053] Scheduled Task/Job – Scheduled tasks are created so the payloads run persistently.
- [T1070] Indicator Removal – The page describes this as avoiding detection by antivirus software; that behaviour fits Security Software Discovery (T1518.001) or Virtualization/Sandbox Evasion (T1497) more closely than T1070, which covers deleting logs, files and other traces of activity on the host.
- [T1003] OS Credential Dumping – The group may attempt to gather credentials through various means.
- [T1041] Exfiltration Over C2 Channel – Collected data is exfiltrated over the established command-and-control channel.
Indicators of Compromise
- [MD5] SOP – Payables.doc and related macro document – example: e96e2ed88e2f2fb80d02e7cd99a1420d, d7e9217c2bcf1e8519458cca63f2b69f (and 5 more hashes)
- [FileName] SOP – Payables.doc; winlst.dll – example: SOP – Payables.doc, winlst.dll
- [URL] Malicious download and C2 activity – example: http[:]//office-updatecentral.com/armorer/opposing/stratifies/beachheads/knolls, http[:]//office-updatecentral.com/eigenvalue/Odyssey/froth/imminently/intervene (and 2 more URLs)
- [Domain] regionserverbackup.info – example: https[:]//regionserverbackup.info/wall/restrict.php (and related domains)
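The indicators above are printed defanged and mixed (hashes, file names, URLs, a domain), so a practitioner's first job is to turn them into something that can be matched against proxy logs and file hashes without substring false positives. The following is an added example written for this page, not code from the report or from APT-C-35: it refangs the page's URLs, extracts their hostnames, matches them by exact host or subdomain against a constructed proxy log, and checks a file against the page's MD5 and file-name indicators. The proxy log lines, the placeholder file bytes, and the log format are constructed for the example; only the hashes, names and URLs are the page's own.

```python
import hashlib
import re
from urllib.parse import urlparse

# IOCs copied from this page, as printed (defanged).
MD5_IOCS = {
    "e96e2ed88e2f2fb80d02e7cd99a1420d",
    "d7e9217c2bcf1e8519458cca63f2b69f",
}
URL_IOCS = [
    "http[:]//office-updatecentral.com/armorer/opposing/stratifies/beachheads/knolls",
    "http[:]//office-updatecentral.com/eigenvalue/Odyssey/froth/imminently/intervene",
    "https[:]//regionserverbackup.info/wall/restrict.php",
]
FILENAME_IOCS = {"SOP – Payables.doc", "winlst.dll"}


def refang(url: str) -> str:
    """Undo the [:] / [.] / hxxp defanging used in reports so the URL parses."""
    return url.replace("[:]", ":").replace("[.]", ".").replace("hxxp", "http")


def ioc_domains(urls) -> set:
    """Hostnames (lower-cased) of the refanged URL indicators."""
    return {urlparse(refang(u)).hostname.lower() for u in urls}


# Constructed proxy log (not from the report): one hit per IOC domain, one
# benign line, and a lookalike host that a naive substring match would flag.
SAMPLE_PROXY_LOG = """\
2024-05-02T09:14:03Z 10.0.4.21 GET http://office-updatecentral.com/armorer/opposing/stratifies/beachheads/knolls 200
2024-05-02T09:14:09Z 10.0.4.21 GET https://www.microsoft.com/en-us/ 200
2024-05-02T09:15:41Z 10.0.4.21 POST https://regionserverbackup.info/wall/restrict.php 200
2024-05-02T09:16:00Z 10.0.4.22 GET https://notoffice-updatecentral.com.example/index.html 200
"""

# Assumed log layout for the constructed sample: ts src method url status
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d+)$")


def scan_proxy_log(text: str, domains: set) -> list:
    """Return (timestamp, source_ip, matched_domain) for each line whose URL host
    equals an IOC domain or is a subdomain of one. Comparing the parsed host,
    not the raw line, keeps 'notoffice-updatecentral.com.example' from matching."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        host = (urlparse(m["url"]).hostname or "").lower()
        for d in domains:
            if host == d or host.endswith("." + d):
                hits.append((m["ts"], m["src"], d))
                break
    return hits


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def check_file(name: str, data: bytes) -> dict:
    """Hash match is the strong signal; a name match alone is weak, since lure
    file names such as the 'SOP – Payables.doc' decoy are easily reused."""
    h = md5_hex(data)
    return {"md5": h, "hash_match": h in MD5_IOCS, "name_match": name in FILENAME_IOCS}


if __name__ == "__main__":
    doms = ioc_domains(URL_IOCS)
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG, doms):
        print("proxy hit:", hit)
    # Placeholder bytes stand in for the lure; the real document is not reproduced.
    print(check_file("SOP – Payables.doc", b"constructed placeholder content"))
```

Two hits come back from the sample log (both from 10.0.4.21, one per IOC domain) and the lookalike host on the last line is ignored. On a real proxy export, feed the whole file to `scan_proxy_log` and treat any hit on these domains as a host to pull for the scheduled-task and `winlst.dll` artifacts described above.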