Cyble Research and Intelligence Labs (CRIL) reported an APT campaign by threat actor DONOT targeting Pakistan’s maritime and defense-related manufacturing sector using malicious LNK files disguised as RTFs to deploy a PowerShell-based stager and DLL payload. The operation uses evolved encryption (XOR/AES), dynamically generated backup domains for C2, and a scheduled task for persistence that runs the payload every five minutes. #DONOT #Pakistan
Key points
- CRIL attributes the campaign to APT group DONOT, which targeted Pakistan’s maritime and defense-related manufacturing sector.
- The initial lure is a malicious .LNK file masquerading as an RTF, replacing prior Office-document-based lures.
- PowerShell commands are used to decrypt and execute the stager DLL; cmd.exe copies PowerShell.exe to %temp% as a temporary executable before execution.
- Persistence is achieved by creating a scheduled task that invokes rundll32.exe to run the DLL every five minutes.
- The threat actors use XOR and AES encryption across stages and dynamically generate backup domains for C2 communication over HTTP GET/POST.
- Additional payloads are fetched from C2 URLs and the stager collects and exfiltrates extensive system information over encrypted channels.
- Identified IOCs include the domain internalfileserver[.]online, IP 94[.]141[.]120[.]137, multiple SHA-256 hashes, and a temporary filename 2SqSxDA2.exe.
MITRE Techniques
- [T1566] Phishing – Likely used to deliver the lure via spam emails. (‘This campaign is likely to reach users through spam emails.’)
- [T1059.001] Command and Scripting Interpreter: PowerShell – PowerShell commands decrypt and execute the lure RTF and stager DLL payload. (‘PowerShell commands are used to decrypt and execute the lure RTF file and stager DLL payload.’)
- [T1059.003] Command and Scripting Interpreter: Windows Command Shell – Cmd.exe copies PowerShell.exe to %temp% as a temporary executable prior to execution. (‘Cmd.exe is used to copy PowerShell.exe to the %temp% directory as “2SqSxDA2.exe”.’)
- [T1218.011] System Binary Proxy Execution: Rundll32 – Rundll32.exe is used to execute the stager/DLL payload. (‘Rundll32.exe is used to execute the stager payload.’)
- [T1053.005] Scheduled Task/Job: Scheduled Task – A scheduled task is created to run the DLL payload regularly for persistence. (‘A scheduled task is created for persistence, running the DLL payload regularly via rundll32.exe.’)
- [T1070.004] Indicator Removal on Host: File Deletion – Temporary PowerShell executable is deleted after use to remove artifacts. (‘Temporary PowerShell.exe file (“2SqSxDA2.exe”) is deleted after executing the malicious commands.’)
- [T1027] Obfuscated Files or Information – XOR and AES encryption are used to obfuscate components and C2 communications. (‘XOR and AES encryption mechanisms are used in various stages of the attack.’)
- [T1071.001] Application Layer Protocol: Web Protocols – The malware communicates with C2 using HTTP GET and POST requests. (‘GET and POST requests are sent to the Threat Actor’s C&C server.’)
- [T1105] Remote File Copy – Additional payloads are downloaded from the C2 using URLs in the configuration. (‘The additional payload is downloaded from the C&C server using a URL provided in the configuration.’)
- [T1041] Exfiltration Over C2 Channel – The stager collects extensive system information and exfiltrates it to the C2 over encrypted channels. (‘Extensive system information is collected and exfiltrated to the C&C server via encrypted communication.’)
Indicators of Compromise
- [Domain] C2/backup domain – internalfileserver[.]online
- [IP address] Infrastructure C2 – 94[.]141[.]120[.]137
- [File hash] Malicious payloads (SHA-256) – cffe7eb01000de809b79a711702eaf3773f2e6167ce440f33f30bcd6fabcace3, a7893c54edaecaa0e56010576a8249ad9149456f5d379868a0ecaa4c5c33fa70
- [File name] Temporary PowerShell copy – 2SqSxDA2.exe (copied to %temp% then deleted after execution)
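The behaviours in the Key points and MITRE lists above, together with the IOCs just listed, translate into a small set of host-side detection rules. The script below is an added example written for this summary; it is not code from Cyble or from the report. It runs those rules over constructed Sysmon-style events (process creation, file creation, image load, network connection) and matches the report's defanged indicators after refanging them. Everything not stated in the summary is an assumption: the event field names, the victim paths, the task name and DLL name (marked PLACEHOLDER), the PowerShell flags on the renamed copy, and the double-extension form (`.rtf.lnk`) used to detect the LNK-masquerading-as-RTF lure.

```python
"""Added detection example (not from the Cyble report): behavioural rules plus
IOC matching over constructed Sysmon-style events."""
import re
from dataclasses import dataclass

# IOCs exactly as listed in the report, kept defanged
IOC_DOMAINS = {"internalfileserver[.]online"}
IOC_IPS = {"94[.]141[.]120[.]137"}
IOC_SHA256 = {
    "cffe7eb01000de809b79a711702eaf3773f2e6167ce440f33f30bcd6fabcace3",
    "a7893c54edaecaa0e56010576a8249ad9149456f5d379868a0ecaa4c5c33fa70",
}
IOC_FILENAMES = {"2sqsxda2.exe"}


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('a[.]b', 'hxxp') back into a matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


C2_HOSTS = {refang(x) for x in IOC_DOMAINS | IOC_IPS}


@dataclass
class Alert:
    technique: str  # MITRE technique id, or "IOC" for an indicator match
    reason: str
    event_index: int


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _in_temp(path: str) -> bool:
    return "\\temp\\" in path.lower()


def check_event(idx: int, ev: dict) -> list:
    """Apply every rule to one event; return the alerts it raises."""
    alerts = []
    kind = ev.get("kind")
    if kind == "process":
        image = ev.get("image", "")
        cl = ev.get("command_line", "").lower()
        base = _basename(image)
        # cmd.exe copying powershell.exe into a Temp directory (T1059.003)
        if base == "cmd.exe" and "copy" in cl and "powershell.exe" in cl \
                and ("%temp%" in cl or "\\temp\\" in cl):
            alerts.append(Alert("T1059.003", "cmd.exe copies powershell.exe into Temp", idx))
        # PE whose OriginalFileName is PowerShell.EXE running under another name from Temp (T1059.001)
        if ev.get("original_file_name", "").lower() == "powershell.exe" \
                and base != "powershell.exe" and _in_temp(image):
            alerts.append(Alert("T1059.001", f"renamed PowerShell copy executed from Temp: {base}", idx))
        # schtasks creating a minute-interval task that launches rundll32 (T1053.005 / T1218.011)
        if base == "schtasks.exe" and "/create" in cl and "rundll32" in cl \
                and re.search(r"/sc\s+minute", cl):
            alerts.append(Alert("T1053.005", "scheduled task runs rundll32 on a minute interval", idx))
        if base in IOC_FILENAMES:
            alerts.append(Alert("IOC", f"known temporary filename {base}", idx))
    elif kind == "file":
        # LNK carrying a fake .rtf extension; the double-extension form is an assumption
        target = ev.get("target", "").lower()
        if target.endswith(".rtf.lnk"):
            alerts.append(Alert("T1566", f"LNK masquerading as RTF: {_basename(target)}", idx))
    elif kind == "imageload":
        if ev.get("sha256", "").lower() in IOC_SHA256:
            alerts.append(Alert("IOC", "loaded module matches a known SHA-256", idx))
    elif kind == "network":
        dest = ev.get("dest", "").lower()
        if dest in C2_HOSTS:
            alerts.append(Alert("T1071.001", f"connection to known C2 host {dest}", idx))
    return alerts


def scan(events: list) -> list:
    return [a for i, ev in enumerate(events) for a in check_event(i, ev)]


def summarize(alerts: list) -> dict:
    """Count alerts per technique id."""
    counts = {}
    for a in alerts:
        counts[a.technique] = counts.get(a.technique, 0) + 1
    return counts


# Constructed sample telemetry; victim paths, task name and DLL name are placeholders
SAMPLE_EVENTS = [
    {"kind": "file", "target": r"C:\Users\victim\Downloads\Document.rtf.lnk"},
    {"kind": "process", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c copy C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe %temp%\2SqSxDA2.exe"},
    {"kind": "process", "image": r"C:\Users\victim\AppData\Local\Temp\2SqSxDA2.exe",
     "original_file_name": "PowerShell.EXE",
     "command_line": r'"C:\Users\victim\AppData\Local\Temp\2SqSxDA2.exe" -NoProfile -WindowStyle Hidden'},
    {"kind": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": r'schtasks /create /sc minute /mo 5 /tn "PLACEHOLDER_TASK" /tr "rundll32.exe %temp%\PLACEHOLDER.dll,Run"'},
    {"kind": "imageload", "image": r"C:\Windows\System32\rundll32.exe",
     "sha256": "cffe7eb01000de809b79a711702eaf3773f2e6167ce440f33f30bcd6fabcace3"},
    {"kind": "network", "image": r"C:\Windows\System32\rundll32.exe", "dest": "internalfileserver.online"},
    {"kind": "process", "image": r"C:\Windows\explorer.exe", "command_line": "explorer.exe"},  # benign
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a.technique}] event {a.event_index}: {a.reason}")
```

The rules are deliberately behaviour-first: the OriginalFileName check on the renamed copy still fires when the actor changes the `2SqSxDA2.exe` filename, and the schtasks rule keys on the minute-interval trigger plus rundll32 rather than on any task name, so the IOC matches serve as confirmation rather than as the only signal.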
Read more: https://cyble.com/blog/donots-attack-on-maritime-defense-manufacturing/