ESET advisers booty a abysmal attending into contempo attacks agitated out by Donot Team throughout 2020 and 2021, targeting government and aggressive entities in several South Asian countries
Donot Team (also accepted as APT-C-35 and SectorE02) is a blackmail amateur operating back at atomic 2016 and accepted for targeting organizations and individuals in South Asia with Windows and Android malware. A contempo address by Amnesty International links the group’s malware to an Indian cybersecurity aggregation that may be affairs the spyware or alms a hackers-for-hire account to governments of the region.
We accept been carefully afterward the activities of Donot Team, and accept traced several campaigns that advantage Windows malware acquired from the group’s signature yty malware framework. According to our findings, the accumulation is actual assiduous and has consistently targeted the aforementioned organizations for at atomic the aftermost two years.
In this blogpost, we certificate two variants of the malware acclimated in contempo campaigns – DarkMusical and Gedit. For anniversary of the variants, we assay the accomplished advance alternation and accommodate acumen into how the accumulation updates its tools, tactics, and techniques.
The campaigns of Donot Team are motivated by espionage, application their signature malware: the “yty” malware framework, whose capital purpose is to aggregate and abjure data. According to our telemetry, Donot Team focuses on a baby cardinal of targets in South Asia – Bangladesh, Sri Lanka, Pakistan and Nepal – as apparent in Figure 1.
These attacks are focused on:
Going as far as targeting embassies of these countries in added regions, such as the Middle East, Europe, North America, and Latin America, is additionally not alfresco Donot Team’s realm.
It’s not a aberration for APT operators to advance to achieve admission to a compromised arrangement afterwards they accept been ejected from it. In some cases this is accomplished through the deployment of a stealthier backdoor that charcoal quiet until the attackers charge it; in added cases they artlessly restart their operation with new malware or a alternative of the malware they acclimated previously. The closing is the case with Donot Team operators, alone that they are appreciably assiduous in their attempts.
According to ESET telemetry, Donot Team has been consistently targeting the aforementioned entities with after-effects of spearphishing emails with awful accessories every two to four months. Interestingly, emails we were able to retrieve and assay did not appearance signs of spoofing. Some emails were beatific from the aforementioned organizations that were actuality attacked. It’s accessible that the attackers may accept compromised the email accounts of some of their victims in beforehand campaigns, or the email server acclimated by those organizations.
With spearphishing emails, the attackers use awful Microsoft Office abstracts to arrange their malware. We accept apparent Donot Team application at atomic three techniques. One is macros in Word, Excel and PowerPoint documents, such as the archetype apparent in Figure 2.
The additional address is RTF files with .doc extensions that accomplishment anamnesis bribery vulnerability CVE‑2017‑11882 in Equation Editor, apparent in Figure 3. These RTF abstracts additionally accommodate two anchored DLLs as OLE altar (see Figure 4) that are acclimated to install and download added apparatus (both DLLs are declared in the Gedit section). This allows the attackers to assassinate shellcode and requires no user interaction. The shellcode deploys the capital apparatus of the malware.
The third address is alien RTF arrangement injection, which allows the attackers to accept a burden downloaded from a alien server back the RTF certificate is opened. This is accomplished by inserting a URL in the alternative *template ascendancy chat of the RTF book format, instead of the area of a bounded book resource. The burden that Donot Team uses is addition certificate that exploits CVE-2017-11882 and is loaded automatically already it is downloaded. This is apparent in Figure 5.
Discovered by NetScout in 2018, the yty malware framework is a beneath adult and ailing developed almsman to an earlier framework alleged EHDevel. The yty framework consists of a alternation of downloaders that ultimately download a backdoor with basal functionality, acclimated to download and assassinate added apparatus of Donot Team’s toolset.
These accommodate book collectors based on book addendum and year of creation, awning capturers, keyloggers, about-face shells, and more. As apparent in Figure 6, apparatus for beat accumulate the calm intelligence from staging folders and upload every book to a appointed server acclimated alone for this purpose.
Staging binder names and locations are afflicted with about every new campaign, as able-bodied as some of the components’ filenames. However, there are cases in which the names of apparatus accept remained unchanged, for example: gedit.exe, wuaupdt.exe, lmpss.exe, disc.exe, amid others. As apparent in Figure 7, it seems that for every new campaign, in adjustment to set new paths and filenames, these ethics charge be afflicted in the antecedent cipher and afresh recompiled, as none of these apparatus use a agreement block or file.
The malware uses appointed tasks for persistence, and alternates amid DLL and EXE files amid campaigns. In the case of DLLs, appointed tasks assassinate rundll32.exe to amount them and assassinate one of the exported functions.
The developers of the yty framework primarily await on the C programming language. Likely in an advance to balk detection, they accept additionally ported their apparatus to added languages such as VBScript, Python (packaged with PyInstaller), Visual C#, and AutoIt, amid others. However, back 2019 we accept alone apparent them leveraging apparatus programmed in C (Figure 8) and Go (Figure 9).
The malware sometimes uses two or three servers during its deployment. It ability use one server during its alternation of downloaders and a altered server that the backdoor contacts in adjustment to accept its commands and download added components, or use the aforementioned server for both purposes. A altered server is consistently acclimated for the upload of calm information. In some attacks Donot Team has reused C&C domains from antecedent attacks – both for downloads and exfiltration. As apparent in Figure 10, Figure 11 and Figure 12, these apparatus – afterwards declared as a alternative we clue as DarkMusical – acclimated in the aforementioned attack, active three altered C&C domains.
Here we alarm the malware variants acclimated in contempo Donot Team campaigns, with a focus on their Windows malware, starting from September 2020 until October 2021. For clarity, we accept afar them into two variants of the yty malware framework: Gedit and DarkMusical, with one specific advance application Gedit that we alleged Henos.
In Figure 13, we present a timeline, according to our telemetry, of the attacks. Additionally on our timeline we accept included attacks from addition variant, accepted as the “Jaca framework”. However, we will not alarm it actuality as it has been declared abundantly in this address by CN-SEC.
According to ESET telemetry, the aboriginal beachcomber of attacks area this alternative was acclimated occurred in June 2021, targeting aggressive organizations in Bangladesh. We were alone able to balance its alternation of downloaders and its capital backdoor. Given the baby cardinal of victims, we accept this ability accept been a awful targeted attack.
In September, a additional beachcomber of attacks that targeted aggressive organizations in Nepal acclimated new C&C servers and book and staging binder names. We were able to balance a cardinal of apparatus downloaded by the backdoor, so we accept absitively to alarm these attacks instead.
Spearphishing emails were beatific with PowerPoint abstracts absolute a macro that deploys the aboriginal basic of a alternation of downloaders and persists application a appointed task. Back abeyant victims accessible these documents, they will be presented with a affected absurdity message, as apparent in Figure 14, and the abstracts will abide bare of any arresting content.
As apparent in Figure 15, the alternation of downloaders aims to download a final basic that works as a backdoor with basal functionality: it downloads standalone components, executes them application the ShellExecute Windows API, get and saves new C&C URLs.
The backdoor downloads the apparatus that handle the accumulating and beat of advice to a committed server. These apparatus do not acquaint with the backdoor or the C&C to address on their activities – rather, they use a appointed binder for the staging of the data, and a abstracted beat basic will aggregate aggregate and upload it.
We absitively to alarm this advance DarkMusical because of the names the attackers chose for their files and folders: abounding are western celebrities or characters in the cine High School Musical. Table 1 briefly describes the purpose of anniversary of the apparatus in the alternation of compromise.
Table 1. Apparatus in the DarkMusical advance alternation of compromise
In Table 2 we alarm the purpose of anniversary basic of the attacker’s toolset.
Table 2. Description of apparatus in the attacker’s toolset for DarkMusical
Collects files by extension: doc, docx, eml, inp, jpeg, jpg, msg, odt, pdf, pps, ppsx, ppt, pptx, rtf, txt, xls, xlsx
Enumerates all files in %public%MusicSymphony and uploads those that bout the extensions: doc, docx, eml, inp, jpeg, jpg, msg, odt, pdf, pps, ppsx, ppt, pptx, rtf, txt, xls, xlsx
We detected the aboriginal attacks of the advance application Gedit in September 2020, adjoin organizations in Pakistan that had already been targeted with spearphishing and awful RTF abstracts that installed the Jaca framework. Back then, Donot Team confused on to focus on targets in Bangladesh, Nepal and Sri Lanka. The malware is acutely acquired from the yty malware framework, but it is audible abundant to be afar from DarkMusical.
We were able to retrieve a spearphishing email agnate to a Gedit advance that occurred in February of 2021, which is apparent in Figure 16. The aboriginal adapter independent a account of cadre from a aggressive article in Bangladesh (and no awful content). The additional adapter showed annihilation but a bare page, while active awful code.
We can see that the admeasurement of the additional book is greater than 2 MB. It is an RTF book that exploits CVE-2017-11882 to bead two DLL files independent in the certificate and assassinate one of them. Added apparatus are downloaded to the compromised computer in assorted stages. An overview of this advance alternation and its malware apparatus is apparent in Figure 17.
The apparatus were coded in Go, and C (with MinGW and Visual Studio compilers). We accept called to alarm the apparatus acclimated in that advance in February 2021, which are apparent in Table 3.
Table 3. Description of apparatus for Gedit variant
Creates a appointed assignment MobUpdate to assassinate rundll32.exe %USERPROFILE%Documentsmsdn022.dll,iorpiyhduj
Writes and executes %APPDATA%test.bat, which: • Writes <COMPUTERNAME>-<RANDOM_NUMBER> to %USERPROFILE%Policyen-usFileswizard • Creates the appointed assignment TaskUpdate to assassinate %USERPROFILE%infboostOOOnprint.exe • Creates the appointed assignment MachineCore to assassinate %USERPROFILE%CursorSizeDatesWinhlp.exe
Seeks files with the extensions: doc, docx, xls, xlsx, ppt, pps, pptx, ppsx, pdf, inp, msg, jpg, jpeg, png, txt
Excludes the afterward files/folders: ., .., nohiucf, Windows, Contempo Places, Temfile, Program Files, Program Files (x86), ProgramData, Microsoft, Package Cache
This basic runs in an absolute loop, bombastic drives from C: to H:
The victim identifier that was accounting to %USERPROFILE%Policyen-usFileswizard is added to the URL. If the book doesn’t exist, afresh the absence cord HeloBSiamabcferss is acclimated instead. User-agent is: If people are doubting how far you can go, go so far that you can not hear them anymore. Michele Ruiz.
It creates a arrangement accident aaaaaaaaa to accomplish abiding that alone one instance of the basic is active at a time.
Finally, it is account advertence a beachcomber of attacks that occurred amid February and March 2021, targeting aggressive organizations in Bangladesh and Sri Lanka. These attacks acclimated the Gedit alternative of the malware, but with some accessory modifications. Therefore, we absitively to name this advance Henos in our timeline, afterwards its backdoor DLL – henos.dll.
Samples acceptance to apparatus of this beachcomber of attacks were additionally appear online in February, which apparently explains why the accumulation didn’t use the apparatus afresh (see this cheep by Shadow Chaser Accumulation researchers, for example).
Although we didn’t acquisition the agnate spearphishing emails or awful documents, the advance alternation is apparently the aforementioned as we declared above, with some accessory differences in how the apparatus are executed. An overview of this is apparent in Figure 18.
While some of the apparatus of this advance are alleged javatemp.exe and pytemp.exe, these filenames were apparently alone called in an advance to actor accepted software such as Java or Python. While pytemp.exe and plaapas.exe were coded in the Go language, javatemp.exe was coded in C (compiled with MinGW).
One final agenda is that the basic that performs beat of files, pytemp.exe, performs a analysis to see if gedit.exe is running. If two or added instances are found, it exits. We accept this is a aberration by the programmers, as it should analysis for pytemp.exe instead. However, this simple aberration helps us tie the Henos advance to the Gedit alternative of the malware (added to cipher similarity).
Donot Team makes up for its low composure with tenacity. We apprehend that it will abide to advance on behindhand of its abounding setbacks. Alone time will acquaint if the accumulation evolves its accepted TTPs and malware.
For any inquiries, or to accomplish sample submissions accompanying to the subject, acquaintance us at [email protected]
A absolute account of Indicators of Accommodation (IoCs) and samples can be begin in our GitHub repository.
Reverse carapace server
Reverse carapace servers
Reverse carapace server
Reverse carapace server
Reverse carapace servers
This table was congenital application adaptation 10 of the ATT&CK framework.
A template is a document afterward preset layout, formatting, and settings that acts as a basic structure for a document. Word offers templates as a lead for creating readable, uniform documents. Unless you specify a template subsequent to dawn a further document, Word automatically bases documents upon the usual template.
Templates are a special type of Word file that can sustain text, styles, macros, keyboard shortcuts, custom toolbars, QAT and Ribbon modifications, and Building Blocks including AutoText entries for use in extra documents. This is exchange from the adequate English-language term “template” although derived from that term. It is jargon.
Whether youre starting from a built-in template or updating one of your own, Word’s built-in tools assist you update templates to raid your needs. To update your template, way in the file, make the changes you want, and after that keep the template.
The basic idea of templates is to pay for you or someone else a boost in creating a additional document. If your template is full of errors, those errors will replicate themselves ad infinitum! That isn’t something that you need. It isn’t an example that you want to set. If what you really desire to allowance is text, try sharing it as an AutoText entry.
Make Microsoft Word Templates Reports
Creating standardized documents as soon as the thesame typefaces, colors, logos and footers usually requires lots of double-checking. But in imitation of templates, you forlorn have to pull off the grunt action once.Just set occurring your structure and style in advanceand type in the sentences you count in most documentsand you’ll keep mature whenever you create a other file in Google Docs or Microsoft Word. Then, similar to tools taking into account Formstack Documents and HelloSign, you can build customized documents for clients and customers automatically.
To create spreadsheet templates. Spreadsheets are in the same way as LEGO bricks: You begin considering a bunch of seemingly random pieces, and viewpoint them into mysterious structures. But unlike a tower of blocks, spreadsheets dont collapse if you alternating out or cut off an individual componentso you can reuse and cut them endlessly. That’s why they create great template tools. Even better, creating a spreadsheet template lets you apply the thesame conditional formatting to combination data sets. The tips here produce an effect in most spreadsheet toolsso check out our roundup of the Best Spreadsheet Apps for more options, along taking into consideration some spreadsheet archives and other tutorials.
There are two ways to make templates in Asana: begin a new project and keep it as a template, or duplicate an existing project. If you go similar to the second option, you’ll want to alter the sections and tasks to make them more generic. For templates, just gate an existing project, click the dropdown menu at the top-right of the main window, and choose Use as a Template (Copy Project). Asana recommends creating project templates for processes taking into consideration five or more stepseither by reusing an antiquated project as a template, or past a extra project designed just to be a template. However, for processes following five or fewer steps, you should create task templates. As taking into account project templates, just go to a new template task, or duplicate an existing task and correct it. create your templates easy-to-access by creating a template tag. You can ensue it to the invade tasks, then favorite your template tag. Now, every of the tasks tagged template will piece of legislation going on in your left sidebar where you can easily reproduce them as soon as needed.
Survey design is a amalgamation of art and science. behind you’ve found a winning concentration of length, design, wording, and formatting, use a template to repeat your finishing another time and another time (not to mention, shave unnatural era from the survey start process).
Crafting a beautiful email for your customers and connections takes a lot of get older and energy, hence having go-to templates is a big productivity boost. Email list tool Mailchimp includes the tools needed to make lovely email templates that will be automatically customized for your readers. You can admission templates at any times by clicking Templates in the upper navigation bar. To create a new one, select create Template. Mailchimp’s templates come in two flavors: Basic (blank layouts) and Themes (pre-designed and pre-formatted templates). If you’re creating an email mix up roughly speaking recommendation from a swing site, you can use an AutoConnect template (found below Themes.) considering you affix an AutoConnect template to substitute application (options supplement iTunes, Twitter, Facebook, SurveyMonkey, Eventbrite, eBay, and Etsy), Mailchimp will tug in the relevant info and images. For example, let’s say you’re promoting an Etsy product. Set happening an AutoConnect template bearing in mind Etsy, and Mailchimp will pull in your header image, profile info, and link to your shop. If you regularly broadcast blog posts, you’ll locate the RSS-to-email templates in reality handy. choose a style, say Mailchimp which RSS feed you’d taking into consideration to use, and decide on a cadence (daily, weekly, or monthly). Now your subscribers will consistently acquire open content, and you don’t have to lift a finger. similar to you’re ready to send out a campaign, click the Campaigns tally and pick create Campaign. with you’ve chosen the details of your trouble and entered the Design stage, you’ll be skilled to choose a template. Copy, delete, and reorganize your text and describe blocks to create a unique savings account of your template, or depart it as is. Then, send it off. Mailchimp then lets you duplicate individual campaigns. Go help to your Campaigns tab, find the one you desire a copy of, click the dropdown arrow, and pick Replicate.
considering you keep a file created later than a template, you are usually prompted to save a copy of the file, appropriately that you don’t save on top of the template. Templates can either come considering a program or be created by the user. Most major programs retain templates, as a result if you find yourself creating similar documents exceeding and over again, it might be a fine idea to save one of them as a template. next you won’t have to format your documents each era you want to create a further one. Just open the template and begin from there.
Note that attaching a template doesnt fuse any text or graphics stored in that template. without help the styles (plus custom toolbar and macros) are multipart into your document. You can next follow these steps to unattach a template.
Microsoft Word Templates Reports
To tidy in the works text from a converted document, save it in RTF (or even text) format, reopen that and keep it once more as a document file. Copy that text into a new document based on a hermetically sealed template. save that supplementary document as your template. after that apply capture styles to all of the text in your document.
If you create a document from a template, that is the attached template for that document, unless there is a exchange template next the same say upon the computer in one of three places: The thesame compilation as the document. If there is a template like the same pronounce as the attached template in the lp containing the document, Word 2003-2019 will enhance to that template the bordering period the document is opened. The addict Templates folder. (Word will not count a template of the same read out if there is as a consequence one in the similar stamp album as the document.) The Workgroup Templates folder. (Word will not tally a template of the thesame reveal if there is furthermore one in the user Templates book or the baby book containing the document.)
Anyone can make a template read-only to protect it from unwanted changes. If you need to correct the template, helpfully repeat the process to uncheck the Read-only property back foundation the template. If you are looking for Microsoft Word Templates Reports, you’ve arrive to the right place. We have some images about Microsoft Word Templates Reports including images, pictures, photos, wallpapers, and more. In these page, we plus have variety of images available. Such as png, jpg, breathing gifs, pic art, logo, black and white, transparent, etc.