Threat Research

Analysis of Attack Activities Utilizing PDF Document Bait by Stomach Worm (APT-Q-38)

iocOne
Analysis of Attack Activities Utilizing PDF Document Bait by Stomach Worm (APT-Q-38)

The Donot group, also known as ‘肚脑虫’, is a cyber espionage threat primarily targeting government and business sectors in South Asian countries such as Pakistan, Bangladesh, and Sri Lanka. They employ Windows and Android platforms to spread malicious code, predominantly using spear-phishing emails with Office vulnerabilities or malicious macros, and have recently adopted PDF documents as bait in their attacks. Affected: Pakistan, Bangladesh, Sri Lanka, government institutions, military, foreign affairs, business sector

Keypoints :

  • Donot group utilizes both Windows and Android platforms for cyber espionage.
  • The group targets entities in Pakistan, Bangladesh, Sri Lanka.
  • Many attacks involve spear-phishing emails using Office vulnerabilities or malicious macros.
  • Recently, the group has started using PDF documents as bait in their phishing schemes.
  • Two primary attack techniques include disguising EXE files as PDFs and embedding phishing links in PDF documents.
  • Victims downloading malicious PPT files inadvertently execute macro code.
  • The attacker employs well-known malicious URLs for data exfiltration and payload delivery.
  • Sample analysis reveals sophisticated obfuscation and encryption techniques to maintain persistence.
  • Recommendations suggest users avoid clicking unfamiliar links, ensure timely backups, and use comprehensive threat detection solutions.

MITRE Techniques :

  • T1086: PowerShell – The attack involves executing scripts through PowerShell for malicious tasks.
  • T1071: Application Layer Protocol – Utilizes web traffic for command and control communications.
  • T1203: Exploitation for Client Execution – Leverages known vulnerabilities in documents to execute malicious code.
  • T1135: Access Token Manipulation – May use techniques to impersonate legitimate users in the attack phase.
  • T1547: Boot or Logon Autostart Execution – Adopts methods to create scheduled tasks for maintaining persistence.

Indicator of Compromise :

  • [MD5] 893561ff6d17f1e95897b894dde29a2a
  • [MD5] eb5d23a6a200016ba9b2d0085e58b586
  • [MD5] 0f4f32b97c7bde0824b0fd27fe3ec4b0
  • [MD5] d3ff126dc3e69d7f2d660a504b4994a
  • [MD5] 2c2176d9a74851dd30525a87bf0794ca

Full Story: https://mp.weixin.qq.com/s?__biz=MzI2MDc2MDA4OA==&mid=2247514233&idx=1&sn=2e063a4d1143fd6d6bd6bc3de546ff9e&chksm=ea664f0edd11c618b26d39c18cfd8dc829d09528cbf18acff05712d7725061026f88f8e4b691&scene=58&subscene=0#rd

SHARE THIS STORY

WhatsAppX (Twitter)TelegramBlueskyFacebookLinkedInThreadsEmailPrint