Advanced Persistent Threats (APTs) represent a significant challenge in the cybersecurity landscape. These groups, often state-sponsored or affiliated with nation-states, are characterized by sophisticated techniques, stealthy operations, and a long-term presence within compromised networks. Their primary motives typically include espionage, data theft, and sabotage. APT-C-35, also known as the DoNot Team, is a prime example of such a threat actor. This group, believed to be linked to the Indian government, focuses on espionage in the South Asia region, targeting government, military, and foreign affairs entities. This article provides a deep dive into APT-C-35, covering its origins, evolution, tactics, targets, notable attack campaigns, and defense strategies.
APT-C-35, also known by various aliases including DoNot Team, SECTOR02, Origami Elephant, and Viceroy Tiger, has been active since at least 2016. The group is believed to be linked to the Indian government, with its primary objectives centered around espionage in support of Indian national interests. This attribution is based on observed targeting patterns, malware infrastructure, and technical indicators.
The group's evolution has been marked by continuous refinement of its toolset and tactics. While early campaigns relied heavily on exploiting known vulnerabilities in Microsoft Office (particularly CVE-2017-11882), APT-C-35 has since diversified its infection vectors, incorporating .LNK files and developing both Windows and Android spyware frameworks. The group has demonstrated a modular approach to malware development, with frameworks like YTY and Jaca featuring components for file collection, screenshots, keylogging, reverse shells, and browser data theft. The development and use of multipurpose modular frameworks such as YTY, which handle both data gathering and transmission, is one of the key characteristics of this group.
There is speculation about potential overlap or collaboration between APT-C-35 and another Indian APT group known as Patchwork. While both groups exhibit similar attack patterns, particularly the use of spear-phishing and document exploits, their targeting profiles appear to differ, and definitive evidence linking them remains elusive.
APT-C-35 employs a range of tactics, techniques, and procedures (TTPs) to achieve its objectives. Key aspects of their operational methodology include:
Initial Access: The group primarily relies on spear-phishing emails with malicious attachments. These attachments often take the form of RTF or Office documents that leverage exploits (like CVE-2017-11882), remote template injection, or macros to execute malicious code. More recently, the group has shifted to using .LNK files disguised as RTF documents, delivered via spam emails (often within RAR archives).
Execution: Once the initial infection vector is successful, the group uses a combination of PowerShell scripts, shellcode, and DLLs to execute their malware. They employ techniques like process injection (using WinAPI functions like ZwAllocateVirtualMemory, MultiByteToWideChar, and EnumUILanguagesA) and XOR-based decryption routines to evade detection.
Persistence: APT-C-35 achieves persistence through various mechanisms, most commonly by creating scheduled tasks. These tasks are often configured to run the malware at regular intervals (e.g., every 3 or 5 minutes), ensuring continued access even after a system reboot.
Defense Evasion: The group incorporates several techniques to evade security solutions. This includes checking for the presence of security product drivers (e.g., .sys files in C:\Windows\System32\drivers) and modifying the behavior of their malware based on the detected security products and their expiry dates. They also modify the first few bytes of downloaded executables to bypass signature-based detection, restoring them before execution.
Command and Control (C2): APT-C-35 utilizes a multi-stage C2 infrastructure. They often leverage legitimate services like Google Drive to store C2 server addresses. The C2 communication involves encrypted data (using AES-256 with multiple keys and IVs) and Base64 encoding. They employ multiple domains for different purposes within the infection chain.
Data Exfiltration: The group's malware is designed to collect a wide range of sensitive information, including files, screenshots, keystrokes, browser data, and system information. This data is typically encrypted and exfiltrated to the C2 server. They have also been observed using legitimate platforms like OneSignal for delivering push notifications to install additional malware on mobile devices.
Modularity: A key feature of APT-C-35's malware is its modular architecture. Functionality is split into separate modules, allowing the group to customize the capabilities of their implants based on the specific target and objectives.
Exploitation of OneSignal: The malware exploits the legitimate OneSignal platform to deliver push notifications. These notifications likely contain phishing links designed to deliver further malware.
Mobile Malware: The group utilizes Android malware, often disguised as legitimate messaging apps or news services. These apps request excessive permissions, allowing them to access contacts, call logs, location data, account information, and files on external storage.
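The header-tampering evasion described above (overwriting the first bytes of a downloaded executable and restoring them before execution) leaves a recognizable artifact on disk while the file is staged. The following is an added example, not code from the original article or from any vendor: a Python triage check that assumes a directory of downloaded files and reports those whose PE structure is still intact but whose DOS magic has been overwritten. The minimal PE-shaped buffer and the overwrite_leading_bytes helper exist only to produce constructed test input.

```python
"""Triage check for executables whose leading bytes were altered on disk.

Added example for this article; not code from the original page or from any vendor.
Assumes a staging directory written by a downloader. A file whose e_lfanew still
points at a PE signature but whose first two bytes are not 'MZ' matches the
on-disk state the article describes between download and execution.
"""
import struct
import sys
from pathlib import Path

DOS_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"
EXEC_SUFFIXES = {".exe", ".dll", ".sys", ".scr"}


def pe_signature_offset(data: bytes):
    """Return e_lfanew when it points at a PE signature inside the buffer, else None.

    e_lfanew lives at DOS header offset 0x3C, so it survives when only the first
    few bytes of the file are overwritten.
    """
    if len(data) < 0x40:
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE:
        return e_lfanew
    return None


def classify(data: bytes, suffix: str) -> str:
    """Classify file contents given the file extension."""
    has_mz = data[:2] == DOS_MAGIC
    pe_offset = pe_signature_offset(data)
    if has_mz and pe_offset is not None:
        return "valid-pe"
    if pe_offset is not None:
        return "header-mangled"          # PE body present, DOS magic overwritten
    if suffix.lower() in EXEC_SUFFIXES:
        return "exec-extension-no-mz"    # named like an executable, does not parse as one
    return "not-pe"


def scan_directory(root) -> list:
    """Walk a directory and return (path, verdict) for every file that is neither a clean PE nor plain data."""
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        verdict = classify(path.read_bytes(), path.suffix)
        if verdict in ("header-mangled", "exec-extension-no-mz"):
            hits.append((str(path), verdict))
    return hits


def build_sample_pe() -> bytes:
    """Constructed minimal PE-shaped buffer for testing (not a runnable executable):
    a DOS header with e_lfanew = 0x80 and a PE signature at that offset."""
    header = bytearray(0x80)
    header[:2] = DOS_MAGIC
    struct.pack_into("<I", header, 0x3C, 0x80)
    return bytes(header) + PE_SIGNATURE + b"\0" * 20


def overwrite_leading_bytes(data: bytes, count: int = 4) -> bytes:
    """Produce a constructed test sample with its first `count` bytes replaced."""
    return b"\xff" * count + data[count:]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, verdict in scan_directory(sys.argv[1]):
            print(f"{verdict}: {path}")
    else:
        sample = build_sample_pe()
        print("clean sample   ->", classify(sample, ".exe"))
        print("mangled sample ->", classify(overwrite_leading_bytes(sample), ".exe"))
```

Run it with a directory argument to scan, or without arguments to see the two verdicts on the constructed sample. Files flagged as header-mangled are worth correlating with the scheduled task or PowerShell activity that would later restore and launch them.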
APT-C-35 exhibits a clear focus on targets within South Asia, reflecting its likely connection to Indian national interests. The group's primary targets include:
Government and Military Entities: Ministries of Foreign Affairs, embassies, and defense organizations in countries like Pakistan, Sri Lanka, Bangladesh, and other South Asian nations.
Kashmir Region: Individuals and organizations associated with the Kashmir region, reflecting the ongoing geopolitical tensions between India and Pakistan.
Defense Sector Supply Chain: Organizations involved in manufacturing and supplying equipment to the maritime and defense sectors, particularly in Pakistan.
Manufacturing Industry: This includes manufacturers that support the maritime and defense sectors.
Other Strategic Industries: While the primary focus is on government and military targets, the group has also been observed targeting IT providers and other industries of strategic interest.
The group's targeting patterns suggest a strong motivation for espionage and intelligence gathering. The potential impact of their attacks includes data breaches, operational disruption, and compromise of sensitive national security information.
APT-C-35 has been associated with several notable attack campaigns, demonstrating its evolving capabilities and persistent threat:
Early Campaigns (2016-2020): These campaigns heavily relied on exploiting CVE-2017-11882 in Microsoft Office, using spear-phishing emails with malicious RTF documents. The malware used during this period included EHDevel and early versions of the YTY framework.
YTY/Jaca Framework Evolution (2020-2021): This period saw the development and deployment of the YTY/Jaca framework, a modular malware platform with components for various espionage activities. Different variants of the framework (Jaca, Gedit, Henos, DarkMusical) were delivered through different file types (PowerPoint, RTF, Excel).
Android Malware Campaigns (2021-Present): APT-C-35 has increasingly incorporated Android malware into its operations. This includes the use of rogue apps disguised as legitimate messaging services (e.g., "Tanzeem," "Tanzeem Update") and news apps (e.g., rogue Kashmir News Service Lite app). These apps exfiltrate sensitive data from compromised devices.
Recent Campaigns (2024): The group's Android malware has again been found disguised as legitimate messaging apps named "Tanzeem" or "Tanzeem Update."
Targeting Pakistan's Defense Sector (2024): A recent campaign showcased a shift in tactics, utilizing .LNK files disguised as RTF documents to target Pakistan's manufacturing industry, particularly those supporting the maritime and defense sectors. This campaign involved improved encryption and C&C communication techniques.
Khalistan Referendum Attack (2023 - Alleged): There were allegations of Indian hacker involvement in a cyberattack during the Khalistan referendum voting in Australia. While some speculated about APT-C-35's involvement, their past attack patterns suggest this may have been another group or a specially planned operation.
Rogue Google Play Apps (Recent): APT-C-35 has been linked to rogue apps distributed through Google Play, targeting Pakistani users. Examples include iKHfaa VPN and nSure Chat, published under the "SecurITY Industry" developer account. These apps exhibit suspicious data handling practices.
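The excessive-permission pattern noted for the group's Android malware (contacts, call logs, location, account information, external storage) and the rogue messaging and news apps in the campaigns above can be checked during app triage before any dynamic analysis. The following is an added example, not code from the original article or from any vendor. It assumes a manifest already decoded to plain XML (for example with apktool), takes the role the app claims for itself from the analyst, and compares requested data-access permissions against what that role plausibly needs; the manifest in the block is a constructed sample, not one taken from any real app.

```python
"""Permission triage for a decoded AndroidManifest.xml.

Added example for this article; not code from the original page or from any vendor.
Assumes the manifest is plain XML (decoded, e.g. with apktool). Permission names
are real Android permissions; the expected-per-role table and the sample manifest
are constructed for this example.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission -> category of data or capability it unlocks.
DATA_ACCESS = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.GET_ACCOUNTS": "account information",
    "android.permission.READ_EXTERNAL_STORAGE": "external storage",
    "android.permission.WRITE_EXTERNAL_STORAGE": "external storage",
    "android.permission.REQUEST_INSTALL_PACKAGES": "installing further packages",
}

# Categories an app of the claimed role has a plausible reason to request (assumption).
EXPECTED_FOR_ROLE = {
    "messenger": {"contacts"},
    "news": set(),
}


def requested_permissions(manifest_xml: str) -> list:
    """Return every android:name declared in a <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return [node.get(ANDROID_NS + "name", "") for node in root.iter("uses-permission")]


def triage(manifest_xml: str, claimed_role: str) -> dict:
    """Group requested permissions by data category and report those the claimed role does not explain."""
    root = ET.fromstring(manifest_xml)
    categories = {}
    for perm in requested_permissions(manifest_xml):
        category = DATA_ACCESS.get(perm)
        if category:
            categories.setdefault(category, []).append(perm)
    expected = EXPECTED_FOR_ROLE.get(claimed_role, set())
    unexpected = {cat: perms for cat, perms in categories.items() if cat not in expected}
    return {
        "package": root.get("package"),
        "data_access": categories,
        "unexpected": unexpected,
        "score": len(unexpected),   # number of unexplained data categories
    }


# Constructed sample: an app presenting itself as a chat client.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.chatapp">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <application android:label="Chat"/>
</manifest>"""


if __name__ == "__main__":
    report = triage(SAMPLE_MANIFEST, "messenger")
    print(report["package"], "unexplained categories:", report["score"])
    for category, perms in report["unexpected"].items():
        print(f"  {category}: {', '.join(perms)}")
```

The score is a triage signal, not a verdict: a high count of data categories that the app's stated purpose cannot explain, especially combined with the ability to install further packages, is the profile the article attributes to the group's rogue apps and justifies deeper analysis.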
Defending against APT-C-35 requires a multi-layered approach, encompassing both proactive and reactive measures:
Strong Email Security: Implement robust email filtering and security gateways to detect and block phishing emails with malicious attachments or links. This includes sandboxing and advanced threat analysis capabilities.
Endpoint Detection and Response (EDR): Deploy EDR solutions on all endpoints to monitor for suspicious activity, including process injection, shellcode execution, and unusual network connections.
Vulnerability Management: Maintain a rigorous patch management program to address known vulnerabilities, particularly in Microsoft Office and other commonly targeted software.
Network Segmentation: Segment networks to limit lateral movement and contain breaches.
Security Awareness Training: Educate users about the risks of phishing and social engineering. Train them to identify suspicious emails, attachments, and links.
Threat Intelligence: Leverage threat intelligence feeds and platforms to stay informed about APT-C-35's latest TTPs, indicators of compromise (IOCs), and malware signatures.
Scheduled Task Auditing: Regularly audit scheduled tasks on systems to identify and remove any unauthorized or suspicious tasks.
PowerShell Restrictions: Restrict the execution of PowerShell scripts for users who do not require it. Implement PowerShell logging and monitoring to detect malicious PowerShell activity.
Behavior-Based Detection: Utilize security solutions that employ behavior-based detection techniques to identify anomalous activity that may indicate a compromise.
Incident Response Plan: Develop and regularly test an incident response plan to ensure a swift and effective response to any potential breaches.
Mobile Device Security: Implement mobile device management (MDM) solutions to enforce security policies on mobile devices. Educate users about the risks of installing apps from untrusted sources.
Moving Target Defense (MTD): Consider MTD, which alters the runtime environment so that exploitation is harder to carry out reliably.
Regular Security Audits: Conduct regular security audits and penetration testing to identify vulnerabilities and weaknesses in the organization's security posture.
Supply Chain Security: Evaluate and monitor the cybersecurity posture of third-party vendors, particularly those in the supply chain, to mitigate the risk of supply chain attacks.
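Two of the points above, the persistence mechanism (scheduled tasks that fire every 3 or 5 minutes) and the scheduled task auditing recommendation, can be turned into a concrete check. The following is an added example, not code from the original article or from any vendor. It assumes task definitions exported in the Task Scheduler XML format (as produced by `schtasks /query /xml`) and flags tasks that repeat at short intervals, launch a script host, or reference a user-writable path; the two task definitions embedded in it are constructed samples, not artifacts from any real campaign.

```python
"""Audit exported Task Scheduler XML for short-interval persistence.

Added example for this article; not code from the original page or from any vendor.
Assumes input in the Task Scheduler XML schema (schtasks /query /xml). The
thresholds, the script-host list and the two sample tasks are constructed.
"""
import re
import sys
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
USER_WRITABLE = re.compile(r"\\(Users|Temp|AppData|ProgramData)\\", re.IGNORECASE)
_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def iso_duration_seconds(text: str) -> int:
    """Convert the ISO 8601 duration used in <Interval> (e.g. PT5M) to seconds."""
    match = _DURATION.match(text.strip())
    if not match:
        raise ValueError(f"unsupported duration: {text!r}")
    days, hours, minutes, seconds = (int(g) if g else 0 for g in match.groups())
    return ((days * 24 + hours) * 60 + minutes) * 60 + seconds


def audit_task(xml_text: str, max_interval_seconds: int = 600) -> dict:
    """Return the task URI, its shortest repetition interval, its actions and a list of findings."""
    root = ET.fromstring(xml_text)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="<unnamed>", namespaces=NS)
    intervals = [iso_duration_seconds(e.text)
                 for e in root.iterfind(".//t:Repetition/t:Interval", NS) if e.text]
    commands = []
    for exec_node in root.iterfind(".//t:Actions/t:Exec", NS):
        command = exec_node.findtext("t:Command", default="", namespaces=NS).strip()
        arguments = exec_node.findtext("t:Arguments", default="", namespaces=NS).strip()
        commands.append((command, arguments))

    findings = []
    min_interval = min(intervals) if intervals else None
    if min_interval is not None and min_interval <= max_interval_seconds:
        findings.append(f"repeats every {min_interval}s (threshold {max_interval_seconds}s)")
    for command, arguments in commands:
        binary = command.rsplit("\\", 1)[-1].strip('"').lower()
        if binary in SCRIPT_HOSTS:
            findings.append(f"action runs a script host: {binary}")
        if USER_WRITABLE.search(command) or USER_WRITABLE.search(arguments):
            findings.append("action references a user-writable path")
    return {"uri": uri, "min_interval": min_interval, "commands": commands, "findings": findings}


# Constructed sample: the every-few-minutes pattern described in the article.
SUSPICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\SystemUpdateCheck</URI></RegistrationInfo>
  <Triggers>
    <LogonTrigger>
      <Repetition><Interval>PT5M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <Enabled>true</Enabled>
    </LogonTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-WindowStyle Hidden -File C:\Users\Public\update.ps1</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed sample: a nightly vendor job with no repetition and a Program Files binary.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Vendor\NightlyBackup</URI></RegistrationInfo>
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2024-01-01T02:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>"C:\Program Files\Vendor\backup.exe"</Command><Arguments>--nightly</Arguments></Exec>
  </Actions>
</Task>"""


if __name__ == "__main__":
    sources = [open(p, encoding="utf-8").read() for p in sys.argv[1:]] or [SUSPICIOUS_TASK, BENIGN_TASK]
    for xml_text in sources:
        report = audit_task(xml_text)
        print(report["uri"], "->", report["findings"] or "no findings")
```

Pass one or more exported task XML files as arguments, or run without arguments to audit the two constructed samples. The interval threshold is deliberately generous (10 minutes) so that the 3- and 5-minute cadences the article mentions are caught while daily or hourly maintenance jobs are not.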
APT-C-35 (DoNot Team) represents a persistent and evolving cyber espionage threat, particularly for organizations in South Asia. The group's focus on government, military, and strategic industries, coupled with its continuous development of new tools and techniques, underscores the need for robust cybersecurity defenses. By understanding APT-C-35's origins, tactics, targets, and past campaigns, organizations can better prepare for and defend against this sophisticated threat actor. A proactive, multi-layered approach, incorporating threat intelligence, strong security controls, and user awareness, is essential to mitigating the risk posed by APT-C-35 and similar APT groups. The ongoing evolution of the group, including its recent shift to .LNK files and its use of Android malware, highlights the importance of continuous monitoring and adaptation in the face of this persistent threat.
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.