ESET Research investigates Donot Team: Cyberespionage targeting military & governments in South Asia

Created: 2022-01-18 10:06:37

  • ESET has analyzed two variants of the yty malware framework: Gedit and DarkMusical. ESET researchers have decided to call one of the variants DarkMusical because many of the names the attackers chose for their files and folders are inspired by the movie High School Musical. 
  • These attacks are focused on government and military organizations, Ministries of Foreign Affairs, and embassies and are motivated by cyberespionage.
  • Targets are primarily located in South Asia – Bangladesh, Sri Lanka, Pakistan and Nepal. However, targeting embassies of these countries in other regions, such as the Middle East, Europe, North America, and Latin America, has been observed.
  • ESET’s investigation spans more than a year from September 2020 to October 2021.
  • A recent report by Amnesty International links the group’s malware to an Indian cybersecurity company that may be selling the spyware.
  • The group has consistently targeted the same organizations for at least the last two years and it’s possible that the attackers have compromised the email accounts of some of their victims.

BRATISLAVA, MONTREAL — January 18, 2022 — ESET researchers have uncovered recent campaigns and an updated threat arsenal of the infamous APT group Donot Team (also known as APT-C-35 and SectorE02). According to research findings, the group is very persistent and has consistently targeted the same organizations for at least the last two years. For this research, ESET monitored Donot Team for more than a year from September 2020 to October 2021. According to ESET telemetry, the APT group focuses on a small number of targets primarily in South Asia — Bangladesh, Sri Lanka, Pakistan and Nepal. However, targeting embassies of these countries in other regions, such as the Middle East, Europe, North America, and Latin America, is not outside the group’s realm. These attacks are focused on government and military organizations, Ministries of Foreign Affairs, and embassies and are motivated by cyberespionage.

Donot Team is a threat actor operating since at least 2016 that is known for targeting organizations and individuals in South Asia with Windows and Android malware. A recent report by Amnesty International links the group’s malware to an Indian cybersecurity company that may be selling the spyware or offering a hackers-for-hire service to governments of the region.

“We have been closely following the activities of Donot Team, and have traced several campaigns that leverage Windows malware derived from the group’s signature yty malware framework,” says ESET researcher Facundo Muñoz, who led the investigation into the group’s activities.

The main purpose of the “yty” malware framework is to collect and exfiltrate data. The malicious framework consists of a chain of downloaders that ultimately download a backdoor with minimal functionality, used to download and execute further components of Donot Team’s toolset. These include file collectors based on file extension and year of creation, screen capturers, keyloggers, reverse shells, and more.

Countries targeted in recent Donot Team campaigns

According to ESET telemetry, Donot Team has been consistently targeting the same entities with waves of spearphishing emails every two to four months. The spearphishing emails have malicious Microsoft Office documents attached that the attackers use to deploy their malware.

Interestingly, the emails that ESET researchers were able to retrieve and analyze did not show signs of spoofing. “Some emails were sent from the same organizations that were being attacked. It’s possible that the attackers may have compromised the email accounts of some of their victims in earlier campaigns, or the email server used by those organizations,” says Muñoz.

In the latest blogpost, ESET has analyzed two variants of the yty malware framework: Gedit and DarkMusical. ESET researchers have decided to call one of the variants DarkMusical because of the names the attackers chose for their files and folders: many are western celebrities or characters in the movie High School Musical. This variant was used in campaigns targeting military organizations in Bangladesh and Nepal.

For more technical details about the Donot Team’s latest campaigns, read the blogpost “DoNot Go! Do not respawn!” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.

About ESET
ESET develops software solutions that deliver instant, comprehensive protection against evolving computer security threats. ESET pioneered and continues to lead the industry in proactive threat detection. ESET NOD32 Antivirus, its flagship product, consistently achieves the highest accolades in all types of comparative testing and is the foundational product that builds out the ESET product line to include ESET Smart Security. ESET Smart Security is an integrated antivirus, antispyware, antispam and personal firewall solution that combines accuracy, speed and an extremely small system footprint to create the most effective security solution in the industry. Both products have an extremely efficient code base that eliminates the unnecessarily large size found in some solutions. This means faster scanning that doesn’t slow down computers or networks. Sold in more than 160 countries, ESET has worldwide production headquarters in Bratislava, SK and worldwide distribution headquarters in San Diego, U.S. ESET also has offices in Bristol, U.K.; Buenos Aires, AR; Prague, CZ; and is globally represented by an extensive partner network. For more information, visit our local office at https://eset.version-2.sg.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The Company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which includes Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities. For more information, please visit https://www.version-2.com.sg/ or call (65) 6296-4268.
