Morphisec Labs details DoNot Team (APT-C-35) updates to their Windows framework (YTY/Jaca), including new modules, a shellcode loader, and an upgraded browser stealer, with a focus on modular delivery and evasion techniques. The post also highlights infection methods, persistence, C2 practices, and defense considerations like Moving Target Defense to counter runtime attacks. Hashtags: #DoNotTeam #APT-C-35
Key points
- DoNot Team (APT-C-35) is an enduring South Asia-targeting APT group known for Windows/Android spyware frameworks.
- Morphisec Labs outlines updates to the Windows framework (YTY/Jaca) and new samples in the wild.
- Initial access relies on spear phishing emails with malicious attachments, aided by macros and remote template injection.
- The framework is modular, delivering components in separate files and loading them via C2-controlled addresses (including Google Drive).
- Shellcode loader injects into memory using WinAPI methods (ZwAllocateVirtualMemory, MultiByteToWideChar, EnumUILanguagesA).
- New browser stealers split data collection across executables, targeting Chrome and Firefox with plain and encrypted outputs.
- Security-evasion features include VM/anti-analysis checks, expiry dates for AV products, and staged beaconing to C2 with encryption.
MITRE Techniques
- [T1566.001] Spearphishing Attachment: For initial infection, the DoNot Team uses spear phishing emails containing malicious attachments.
- [T1204.002] User Execution (Malicious Macro): To load the next stage they leverage Microsoft Office macros and RTF files exploiting the Equation Editor vulnerability and remote template injection.
- [T1203] Exploitation for Client Execution: Equation Editor vulnerability and remote template injection.
- [T1055] Process Injection: The loader function injects a shellcode (32-bit/64-bit) into the process memory and invokes it.
- [T1053.005] Scheduled Task: Persistence is achieved by setting a new Scheduled Task (via COM objects) that runs every three minutes.
- [T1497.001] Virtualization/Sandbox Evasion: VM detection looking for VMware/VirtualBox via the csproduct name.
- [T1047] Windows Management Instrumentation: VM detection and system queries via WMI.
- [T1113] Screen Capture: Functionality includes screenshots alongside other modules.
- [T1056.001] Keylogging: Keylogger module present in the IE flag DLLs.
- [T1555.003] Credentials from Web Browsers: Chrome credentials stolen by the browser data modules.
- [T1082] System Information Discovery: Beacons collect basic system information.
- [T1041] Exfiltration Over C2 Channel: Beacons encrypt and send data back to the C2.
- [T1105] Ingress Tool Transfer: Shellcode downloads and executes subsequent modules from the C2.
- [T1027] Obfuscated/Compressed Files and Information: Shellcode decrypts itself and later stages.
Indicators of Compromise
- [Hash] Blog Sample: 486f772d81a3b90ba76617fd5f49d9ca99dac1051a9918222cfa25117888a1d5
- [Hash] Docs: d566680ca3724ce242d009e5a46747c4336c0d3515ad11bede5fd9c95cf6b4ce, 28c71461ac5cf56d4dd63ed4a6bc185a54f28b2ea677eee5251a5cdad07077b8, and 2 more hashes
- [DLL/EXE] Main components: 2c84b325b8dc5554f216cb6a0663c8ff5d725b2f26a5e692f7b3997754c98d4d, a70038cdf5aea822d3560471151ce8f8bacd259655320dea77d48ccfa5b5af4f
- [Domain] Domains: worldpro.buzz, ser.dermlogged.xyz, doctorstrange.buzz, clipboardgames.xyz, beetelson.xyz, tobaccosafe.xyz, kotlinn.xyz, fitnesscheck.xyz, dayspringdesk.xyz, srvrfontsdrive.xyz, globalseasurfer.xyz, esr.suppservices.xyz
- [IP] Command and control/targeting: 162.33.177.41
- [Filename] Modules: pgixedfxglmjirdc.dll, ieflagKlo.dll
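As an added example (not part of the Morphisec write-up), the following Python script shows how a defender can sweep DNS, proxy, EDR and AV logs for the indicators listed above. Domain matching treats subdomains of a listed domain as hits, and hashes and filenames are compared case-insensitively. The log lines embedded in the script are constructed for the demonstration; the indicator values are the ones from the list above.

```python
import re
from dataclasses import dataclass

# Indicators copied from the summary above (domains, C2 IP, SHA-256 hashes, module filenames).
IOC_DOMAINS = {
    "worldpro.buzz", "ser.dermlogged.xyz", "doctorstrange.buzz", "clipboardgames.xyz",
    "beetelson.xyz", "tobaccosafe.xyz", "kotlinn.xyz", "fitnesscheck.xyz",
    "dayspringdesk.xyz", "srvrfontsdrive.xyz", "globalseasurfer.xyz", "esr.suppservices.xyz",
}
IOC_IPS = {"162.33.177.41"}
IOC_SHA256 = {
    "486f772d81a3b90ba76617fd5f49d9ca99dac1051a9918222cfa25117888a1d5",
    "2c84b325b8dc5554f216cb6a0663c8ff5d725b2f26a5e692f7b3997754c98d4d",
    "a70038cdf5aea822d3560471151ce8f8bacd259655320dea77d48ccfa5b5af4f",
}
IOC_FILENAMES = {"pgixedfxglmjirdc.dll", "ieflagklo.dll"}  # compared lower-cased

# Constructed sample log lines (hostnames, timestamps and paths are made up for this example).
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z dns query host=ws01 qname=srvrfontsdrive.xyz type=A",
    "2024-01-01T10:00:05Z proxy host=ws01 dst=162.33.177.41:443 bytes=2048",
    "2024-01-01T10:00:07Z edr host=ws01 image_load path=C:\\Users\\Public\\pgixedfxglmjirdc.dll",
    "2024-01-01T10:00:09Z dns query host=ws02 qname=updates.example.com type=A",
    "2024-01-01T10:00:12Z av host=ws03 sha256=486f772d81a3b90ba76617fd5f49d9ca99dac1051a9918222cfa25117888a1d5 action=quarantine",
]


@dataclass
class Hit:
    line_no: int   # 1-based index into the scanned log
    kind: str      # "domain", "ip", "sha256" or "filename"
    value: str     # the matched indicator, normalised to lower case


DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
SHA_RE = re.compile(r"\b([0-9a-f]{64})\b", re.I)
FILE_RE = re.compile(r"\b([\w-]+\.(?:dll|exe))\b", re.I)


def domain_matches(host: str) -> bool:
    """True if host is exactly an IoC domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def scan(lines):
    """Return a list of Hit objects for every indicator found in the given log lines."""
    hits = []
    for n, line in enumerate(lines, 1):
        for host in DOMAIN_RE.findall(line):
            if domain_matches(host):
                hits.append(Hit(n, "domain", host.lower()))
        for ip in IP_RE.findall(line):
            if ip in IOC_IPS:
                hits.append(Hit(n, "ip", ip))
        for digest in SHA_RE.findall(line):
            if digest.lower() in IOC_SHA256:
                hits.append(Hit(n, "sha256", digest.lower()))
        for fname in FILE_RE.findall(line):
            if fname.lower() in IOC_FILENAMES:
                hits.append(Hit(n, "filename", fname.lower()))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.kind} {hit.value}")
```

Run it as-is to scan the embedded sample, or replace `SAMPLE_LOG` with lines read from a real log export. The subdomain check in `domain_matches` matters because C2 hostnames often appear with a host label in front of the registered domain, while a plain substring test would also flag unrelated names that merely end in the same characters.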
Read more: https://blog.morphisec.com/apt-c-35-new-windows-framework-revealed