The cyber threat group DoNot Team has allegedly used the novel Firebird backdoor to attack Pakistan and Afghanistan.
Moreover, the attackers have paired the .NET-based backdoor with a new CSVtyrei downloader in their attack chain. Some code sections within the samples appeared non-functional, suggesting that the backdoor is still under development.
Vtyrei, also tracked as BREEZESUGAR, is a first-stage payload and downloader strain that the threat actor previously used to deliver a malware framework known as RTY.
Researchers believe that the DoNot Team has an Indian origin.
Studies show that the DoNot Team has various aliases, such as APT-C-35, Origami Elephant, and SECTOR02, and has ties with Indian threat actors. They commonly employ spear-phishing emails and malicious Android apps to spread malware.
In addition, the group carried out a twin attack sequence in April 2023 to deploy the Agent K11 and RTY frameworks. This operation emerged shortly after the discovery of new malicious activity by Transparent Tribe (also known as APT36), a Pakistan-based group targeting Indian government sectors.
Transparent Tribe has utilised an updated malware arsenal that includes a previously undocumented Windows trojan named ElizaRAT.
The malware operators deployed ElizaRAT as a .NET binary and established a Telegram command-and-control (C2) communication channel. This tactic allowed them complete control over the targeted endpoints.
Transparent Tribe, active since 2013, has adopted various techniques like credential harvesting and malware distribution attacks. They have often distributed trojanized installers of Indian government apps and weaponised open-source C2 frameworks like Mythic.
The researchers also noted that the group is expanding its targeting scope to Linux systems. They identified a small set of desktop entry files that launch Python-based ELF binaries, including GLOBSHELL for file exfiltration and PYSHELLFOX for stealing session data from the Mozilla Firefox browser.
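To make the Linux-side behaviour actionable for defenders, the following is an added example (not code from the researchers or from any report on these groups) that applies a few heuristics to freedesktop .desktop launchers, flagging autostart entries whose Exec target lives outside packaged paths or in hidden directories. The sample entries, paths and trusted-prefix list are constructed assumptions, not indicators from the actual campaign.

```python
import shlex
from configparser import ConfigParser

# Constructed sample launchers (assumptions, not real campaign artefacts): a benign
# packaged application and a user-writable autostart entry that runs an ELF binary
# dropped into a hidden directory under the user's home.
SAMPLE_DESKTOP_FILES = {
    "/usr/share/applications/firefox.desktop": """[Desktop Entry]
Type=Application
Name=Firefox
Exec=/usr/bin/firefox %u
""",
    "/home/user/.config/autostart/update.desktop": """[Desktop Entry]
Type=Application
Name=System Update
Exec=/home/user/.local/share/.cache/updater
NoDisplay=true
""",
}

# Paths where package managers normally install executables (assumed baseline).
TRUSTED_PREFIXES = ("/usr/bin/", "/usr/lib/", "/usr/libexec/", "/opt/", "/bin/", "/snap/")

def parse_exec_target(exec_line: str) -> str:
    """Return the program path from an Exec= line, ignoring an 'env VAR=val' prefix."""
    argv = shlex.split(exec_line)
    for tok in argv:
        if tok != "env" and "=" not in tok:
            return tok
    return argv[0] if argv else ""

def assess_desktop_entry(path: str, content: str) -> list[str]:
    """Heuristic checks for a launcher that looks like a persistence mechanism."""
    cp = ConfigParser(interpolation=None, strict=False)
    cp.read_string(content)
    if not cp.has_section("Desktop Entry"):
        return []
    entry = cp["Desktop Entry"]
    target = parse_exec_target(entry.get("Exec", ""))
    findings = []
    if "/autostart/" in path:
        findings.append("autostart entry: runs at every login")
    if target and not target.startswith(TRUSTED_PREFIXES):
        findings.append(f"Exec outside packaged paths: {target}")
    if any(seg.startswith(".") for seg in target.split("/")):
        findings.append("Exec points into a hidden directory or file")
    if entry.getboolean("NoDisplay", fallback=False):
        findings.append("NoDisplay=true hides the launcher from menus")
    return findings

def scan(files: dict[str, str]) -> dict[str, list[str]]:
    """Map each launcher path to its findings, omitting launchers with none."""
    return {p: f for p, c in files.items() if (f := assess_desktop_entry(p, c))}
```

On a real host the same functions can be fed the contents of ~/.config/autostart/ and /etc/xdg/autostart/; a hit is a triage lead to inspect the Exec target (for example, whether it is a PyInstaller-style bundle), not a verdict on its own.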
Linux-based operating systems are prevalent in the Indian government sector. The targeting of the Linux environment is likely motivated by India’s decision to replace Microsoft Windows OS with Maya OS, a Debian Linux-based operating system, across government and defence sectors.
The tension between the two countries will likely continue to rise, as they have traded cyberattacks every year.