Summary:
Cyble Research and Intelligence Labs (CRIL) identified a campaign linked to the APT group DONOT, targeting Pakistan’s manufacturing sector, specifically organizations tied to maritime and defense. The attack uses a malicious LNK file disguised as an RTF document, PowerShell to decrypt and drop the payload, and a scheduled task for persistence. The campaign shows evolved tradecraft, including a changed encryption scheme for command and control (C&C) traffic and randomly generated backup C&C domains.
Key points:
- CRIL discovered a campaign associated with the APT group DONOT targeting the manufacturing industry in Pakistan.
- The attack vector involves a malicious LNK file disguised as an RTF file.
- PowerShell is used to decrypt and execute the payload.
- A scheduled task is created to ensure the malware runs every five minutes for persistence.
- Random domains are generated for backup C&C servers.
- The encryption method for C&C communication has evolved from previous campaigns.
- The stager malware collects system information before delivering the final payload.
- The campaign showcases a shift from Microsoft Office files to LNK files as the initial infection vector.
MITRE Techniques:
- Phishing (T1566): This campaign is likely to reach users through spam emails.
- Command and Scripting Interpreter: PowerShell (T1059.001): PowerShell commands decrypt the decoy RTF file and the stager DLL payload and launch them.
- Command and Scripting Interpreter: Windows Command Shell (T1059.003): Cmd.exe is used to copy PowerShell.exe to the %temp% directory as “2SqSxDA2.exe”, so that the interpreter runs under a name that process-name-based detections will not match.
- System Binary Proxy Execution: Rundll32 (T1218.011): Rundll32.exe is used to execute the stager payload.
- Scheduled Task/Job: Scheduled Task (T1053.005): A scheduled task is created for persistence, running the DLL payload regularly via rundll32.exe.
- Indicator Removal on Host: File Deletion (T1070.004): Temporary PowerShell.exe file (“2SqSxDA2.exe”) is deleted after executing the malicious commands.
- Obfuscated Files or Information (T1027): XOR and AES encryption mechanisms are used in various stages of the attack.
- Application Layer Protocol: Web Protocols (T1071.001): GET and POST requests are sent to the Threat Actor’s C&C server.
- Ingress Tool Transfer (T1105, formerly Remote File Copy): The additional payload is downloaded from the C&C server using a URL provided in the configuration.
- Exfiltration Over C2 Channel (T1041): Extensive system information is collected and exfiltrated to the C&C server via encrypted communication.
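The execution chain in the key points and the MITRE list above (cmd.exe copying powershell.exe into %temp% under a random name, the renamed interpreter running, rundll32.exe loading a DLL from a user-writable path, and a minute-granularity scheduled task whose action is rundll32.exe) is something a SOC can hunt for in process-creation telemetry. The script below is an added example, not Cyble's code or a detection published with the report; it runs four such rules over constructed Sysmon-style process-creation records (field names mirror Sysmon's Image, OriginalFileName and CommandLine, but the records themselves are made up). The renamed-PowerShell rule relies on OriginalFileName coming from the PE version resource, which survives a rename of the file on disk; the thresholds and rule names are assumptions.

```python
"""Hunt rules for the DONOT-style execution chain over Sysmon-like process events."""
import re
from pathlib import PureWindowsPath

# Paths an attacker can write to; rundll32 loading a DLL from here is suspicious.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")
# Directories where the genuine powershell.exe lives (lower-case for comparison).
LEGIT_PS_DIRS = (
    r"c:\windows\system32\windowspowershell\v1.0",
    r"c:\windows\syswow64\windowspowershell\v1.0",
)


def _lower(s):
    return (s or "").lower()


def is_powershell_copy(ev):
    """cmd.exe copying powershell.exe into %TEMP% (T1059.003 staging step)."""
    if PureWindowsPath(_lower(ev["image"])).name != "cmd.exe":
        return False
    cl = _lower(ev.get("command_line"))
    return bool(re.search(r"\bcopy\b[^&|]*powershell\.exe[^&|]*(%temp%|\\temp\\)", cl))


def is_renamed_powershell(ev):
    """PowerShell running under another file name or from an unexpected directory.
    OriginalFileName is read from the PE version resource, so a rename on disk
    (2SqSxDA2.exe) does not change it."""
    if _lower(ev.get("original_file_name")) != "powershell.exe":
        return False
    img = PureWindowsPath(_lower(ev["image"]))
    return img.name != "powershell.exe" or str(img.parent) not in LEGIT_PS_DIRS


def rundll32_target(command_line):
    """Return the DLL path rundll32 was asked to load (handles quoted paths), or None."""
    tokens = re.findall(r'"([^"]*)"|(\S+)', command_line)
    args = [quoted or bare for quoted, bare in tokens]
    if len(args) < 2:
        return None
    return args[1].split(",", 1)[0]      # "<dll>,<entrypoint>" -> "<dll>"


def is_rundll32_from_user_path(ev):
    """rundll32.exe proxy-executing a DLL dropped under a user-writable path (T1218.011)."""
    if PureWindowsPath(_lower(ev["image"])).name != "rundll32.exe":
        return False
    dll = rundll32_target(_lower(ev.get("command_line")))
    return dll is not None and any(d in dll for d in USER_WRITABLE)


def is_high_frequency_rundll_task(ev):
    """schtasks /create with a minute-level trigger whose action is rundll32 (T1053.005).
    The report describes a five-minute cadence; the 10-minute ceiling is an assumption."""
    if PureWindowsPath(_lower(ev["image"])).name != "schtasks.exe":
        return False
    cl = _lower(ev.get("command_line"))
    if "/create" not in cl or "rundll32" not in cl or not re.search(r"/sc\s+minute\b", cl):
        return False
    mo = re.search(r"/mo\s+(\d+)", cl)
    interval = int(mo.group(1)) if mo else 1   # schtasks defaults /mo to 1
    return interval <= 10


RULES = {
    "powershell_copied_to_temp": is_powershell_copy,
    "renamed_powershell": is_renamed_powershell,
    "rundll32_user_path_dll": is_rundll32_from_user_path,
    "minute_task_rundll32": is_high_frequency_rundll_task,
}


def scan(events):
    """Return (event id, rule name) pairs for every record that matches a rule."""
    return [(ev["id"], name) for ev in events for name, rule in RULES.items() if rule(ev)]


# Constructed Sysmon-style process-creation records; not real telemetry from the campaign.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\cmd.exe", "original_file_name": "Cmd.Exe",
     "command_line": r"cmd.exe /c copy C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe %temp%\2SqSxDA2.exe"},
    {"id": 2, "image": r"C:\Users\victim\AppData\Local\Temp\2SqSxDA2.exe", "original_file_name": "PowerShell.EXE",
     "command_line": r'"C:\Users\victim\AppData\Local\Temp\2SqSxDA2.exe" -w hidden -nop -ep bypass'},
    {"id": 3, "image": r"C:\Windows\System32\rundll32.exe", "original_file_name": "RUNDLL32.EXE",
     "command_line": r"rundll32.exe C:\Users\victim\AppData\Roaming\stager.dll,EntryPoint"},
    {"id": 4, "image": r"C:\Windows\System32\schtasks.exe", "original_file_name": "schtasks.exe",
     "command_line": r'schtasks /create /sc minute /mo 5 /tn "Updater" /tr "rundll32.exe C:\Users\victim\AppData\Roaming\stager.dll,EntryPoint" /f'},
    # Benign records that must not fire.
    {"id": 5, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "original_file_name": "PowerShell.EXE",
     "command_line": "powershell.exe -Command Get-Process"},
    {"id": 6, "image": r"C:\Windows\System32\rundll32.exe", "original_file_name": "RUNDLL32.EXE",
     "command_line": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"id": 7, "image": r"C:\Windows\System32\schtasks.exe", "original_file_name": "schtasks.exe",
     "command_line": r'schtasks /create /sc daily /tn "Backup" /tr "C:\Program Files\Backup\backup.exe"'},
]

if __name__ == "__main__":
    for event_id, rule in scan(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule}")
```

Each rule on its own is noisy in a large estate (administrators do schedule rundll32 tasks), so in practice these fire as a correlated sequence on one host within a short window; the renamed-PowerShell rule is the strongest single signal because legitimate software has no reason to run powershell.exe under another name from %temp%.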
IoCs:
- [domain] internalfileserver[.]online
- [ip address] 94[.]141[.]120[.]137
- [file hash] cffe7eb01000de809b79a711702eaf3773f2e6167ce440f33f30bcd6fabcace3 (SHA-256)
- [file hash] a7893c54edaecaa0e56010576a8249ad9149456f5d379868a0ecaa4c5c33fa70 (SHA-256)
Full Research: https://cyble.com/blog/donots-attack-on-maritime-defense-manufacturing/