The CYFIRMA research team has identified a new Android malware attributed to the Indian APT group ‘DONOT’. It is delivered through a seemingly benign application named “Tanzeem” and is used to gather intelligence on individuals the group regards as internal threats. The app abuses the OneSignal push-notification platform to deliver phishing notifications, and the permissions it requests give it extensive access to user data. Affected: Android
Key points:
- The ‘DONOT’ APT group is linked to Indian national interests and targets what it regards as internal threats.
- The application “Tanzeem” poses as a chat app but does not work as one.
- The OneSignal push-notification service is abused to deliver phishing notifications to users.
- The app requests dangerous runtime permissions that enable data extraction and device monitoring.
- The group's tactics continue to evolve as it maintains persistence and gathers intelligence.
MITRE ATT&CK (Mobile) Techniques:
- Defense Evasion (T1406, Obfuscated Files or Information) – Uses obfuscation to hide malicious code within the APK.
- Discovery (T1420, File and Directory Discovery) – Enumerates files and directories on the device to locate valuable information.
- Credential Access (T1417, Input Capture; keylogging is sub-technique T1417.001) – Captures keystrokes to steal sensitive credentials such as usernames and passwords.
- Discovery (T1426, System Information Discovery) – Collects device information, such as the device model and user details.
- Collection (T1533, Data from Local System) – Extracts contacts, messages, photos, and videos from the infected device.
- Collection (T1513, Screen Capture) – Takes screenshots and records video of the device screen to capture sensitive information.
- Exfiltration (T1646, Exfiltration Over C2 Channel) – Sends stolen data (e.g., contacts, messages, credentials) to the C2 server.
Indicators of Compromise:
- [file hash] 8689D59AAC223219E0FDB7886BE289A9536817EB6711089B5DD099A1E580F8E4
- [file hash] D512664DF24B5F8A2B1211D240E3E767F5DD06809BB67AFA367CDC06E2366AEC
- [domain] toolgpt[.]buzz
- [domain] Updash[.]info
- [sub-domain] Solarradiationneutron[.]appspot[.]com
- See the full article for the complete list of IoCs.
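The indicators above are defanged, and two of them (toolgpt[.]buzz, Updash[.]info) are bare domains that a C2 would normally be contacted through a subdomain of. The script below is an added example, not code from CYFIRMA or from the report, showing how a responder would refang these IoCs, match DNS query logs against them (including subdomains, but not look-alike names), and check an APK's SHA-256 against the listed hashes. The DNS log lines, their `<timestamp> <client> <query-name> <qtype>` layout, and the file bytes are constructed for illustration; only the hashes and domains come from the list above.

```python
"""Match the IoCs listed above against DNS logs and file hashes.

Added example, not CYFIRMA's code. The log lines and file contents below
are constructed for illustration; only the hashes and domains come from
the summary above.
"""
import hashlib
import re

# IoCs copied from the summary above, in their defanged form.
DEFANGED_IOCS = [
    "8689D59AAC223219E0FDB7886BE289A9536817EB6711089B5DD099A1E580F8E4",
    "D512664DF24B5F8A2B1211D240E3E767F5DD06809BB67AFA367CDC06E2366AEC",
    "toolgpt[.]buzz",
    "Updash[.]info",
    "Solarradiationneutron[.]appspot[.]com",
]

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def refang(ioc):
    """Turn a defanged indicator ('[.]', 'hxxp') back into a usable, lowercased string."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").strip().lower()


def split_iocs(iocs):
    """Separate SHA-256 hashes from domain indicators; both sets are lowercased."""
    hashes, domains = set(), set()
    for raw in iocs:
        value = refang(raw)
        if SHA256_RE.match(value):
            hashes.add(value)
        else:
            domains.add(value)
    return hashes, domains


def domain_matches(queried, domains):
    """Return the indicator that `queried` equals or is a subdomain of, else None.

    Requires a '.' boundary, so 'evil-toolgpt.buzz' does not match 'toolgpt.buzz'.
    """
    q = queried.rstrip(".").lower()
    for d in domains:
        if q == d or q.endswith("." + d):
            return d
    return None


def scan_dns_log(lines, domains):
    """Return (line_no, queried_name, indicator) for each matching log line."""
    hits = []
    for n, line in enumerate(lines, 1):
        # Assumed log layout (constructed): '<ts> <client> <query-name> <qtype>'
        parts = line.split()
        if len(parts) < 3:
            continue
        hit = domain_matches(parts[2], domains)
        if hit:
            hits.append((n, parts[2], hit))
    return hits


def sha256_in_iocs(data, hashes):
    """True when the SHA-256 of `data` (e.g. an APK's bytes) is a listed hash."""
    return hashlib.sha256(data).hexdigest() in hashes


HASHES, DOMAINS = split_iocs(DEFANGED_IOCS)

# Constructed sample DNS log lines (not from the report).
SAMPLE_DNS_LOG = [
    "2025-01-20T10:00:01Z 10.0.0.12 www.google.com A",
    "2025-01-20T10:00:05Z 10.0.0.12 api.toolgpt.buzz A",
    "2025-01-20T10:00:09Z 10.0.0.17 updash.info A",
    "2025-01-20T10:00:12Z 10.0.0.17 solarradiationneutron.appspot.com A",
    "2025-01-20T10:00:15Z 10.0.0.20 appspot.com A",  # parent of an IoC only: no hit
]

if __name__ == "__main__":
    for n, name, ioc in scan_dns_log(SAMPLE_DNS_LOG, DOMAINS):
        print(f"line {n}: {name} matches IoC {ioc}")
    # Replace the constructed bytes with open('suspect.apk', 'rb').read() in practice.
    print("constructed APK hash listed:", sha256_in_iocs(b"not the real sample", HASHES))
```

Note that the appspot.com indicator is a single subdomain on Google App Engine, so the matcher deliberately does not flag appspot.com itself or sibling subdomains; matching the parent would generate noise from legitimate App Engine traffic.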
Full Research: https://www.cyfirma.com/research/android-malware-in-donot-apt-operations/