DoNot APT Expands Scope: Targeting European Foreign Ministries with LoptikMod Malware

The DoNot APT group, likely linked to India, has expanded its operations to target European foreign ministries using LoptikMod malware. Discover the sophisticated tactics and implications of this cyberespionage campaign.

TL;DR

The DoNot APT group, believed to be connected to India, has broadened its cyberespionage activities to target European foreign ministries using LoptikMod malware. This campaign highlights the group’s evolving tactics and the need for robust cybersecurity measures.

DoNot APT Expands Scope: Targeting European Foreign Ministries

The DoNot APT group, likely linked to India, has expanded its operations to target European foreign ministries with a new malware called LoptikMod. This group, also known as APT-C-35 and Origami Elephant, has been active since 2016, focusing on government entities, defense organizations, and NGOs in South Asia and Europe.

Sophisticated Cyberespionage Campaign

DoNot APT employs custom Windows malware via phishing for espionage, enabling long-term access and data theft. In a recent campaign analyzed by cybersecurity firm Trellix, the group used LoptikMod malware to steal sensitive data from infected systems.

Spear-Phishing Tactics

The attackers used a spear-phishing email impersonating defense officials to target a European diplomatic entity. The email delivered the LoptikMod malware through a password-protected RAR archive hosted on Google Drive. The archive contained a disguised executable (notflog.exe) carrying a PDF icon to trick recipients into running the malware.

Malware Deployment and Persistence

Once opened, the disguised executable established persistence using a scheduled task and connected to a command and control (C2) server. The malware sent system information, received commands, and downloaded additional payloads, employing binary string obfuscation and techniques linked to DoNot APT.

Evasion Techniques

The malware uses selective obfuscation, packing only critical code sections, which hinders static analysis. It keeps its import table minimal and resolves APIs such as LoadLibrary and GetProcAddress at runtime to evade detection. The malicious code also includes anti-VM checks and encrypts the gathered system information with AES before sending it to the C2 server over HTTPS.
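The two static traits described above, selective packing and a thin import table that still names the runtime resolvers, can be turned into a simple triage check. The script below is an added example, not Trellix's analysis tooling or any LoptikMod code; it runs on a constructed, hypothetical section layout (the real binary's section names, sizes and imports are not given on this page) and scores each section's byte entropy and the import list.

```python
import math
from collections import Counter
from random import Random

RUNTIME_RESOLVERS = {"LoadLibraryA", "LoadLibraryW", "GetProcAddress"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 for uniform random data, roughly 5.5-6.5 for ordinary x86 code."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def triage(sections: dict, imports: dict, threshold: float = 7.0) -> dict:
    """Flag selective packing (mixed section entropies) and a thin import table
    that still names the resolvers used to fetch other APIs on demand."""
    entropy = {name: round(shannon_entropy(blob), 2) for name, blob in sections.items()}
    packed = sorted(name for name, e in entropy.items() if e >= threshold)
    # A fully packed file is high-entropy everywhere; the pattern described in
    # the text is high entropy in only some sections, so require a mix.
    selective = 0 < len(packed) < len(sections)
    all_imports = [f for funcs in imports.values() for f in funcs]
    resolvers = sorted(set(all_imports) & RUNTIME_RESOLVERS)
    minimal = len(all_imports) <= 8 and len(resolvers) >= 2
    return {
        "section_entropy": entropy,
        "packed_sections": packed,
        "selective_packing": selective,
        "resolvers_imported": resolvers,
        "minimal_import_table": minimal,
        "suspicious": selective and minimal,
    }

# Constructed sample (hypothetical layout, not the real LoptikMod binary):
# a small unpacked stub, a high-entropy packed blob, and a near-empty data section.
SAMPLE_SECTIONS = {
    ".text": b"\x55\x8b\xec\x83\xec\x10\x53\x56\x57" * 300,  # repetitive stub code
    ".rsrc": Random(7).randbytes(4096),                       # packed payload
    ".data": b"\x00" * 2048 + b"C:\\Users\\Public\\",          # mostly zeros
}
SAMPLE_IMPORTS = {"KERNEL32.dll": ["LoadLibraryA", "GetProcAddress", "ExitProcess"]}

if __name__ == "__main__":
    for key, value in triage(SAMPLE_SECTIONS, SAMPLE_IMPORTS).items():
        print(f"{key}: {value}")
```

On a real file, feed the function the section bytes and import names from a PE parser; the thresholds are starting points for a hunt, not a verdict.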

Implications and Recommendations

The campaign reflects the group's ongoing espionage efforts, built on multi-stage infection chains and deception tactics. The targeting of a European foreign affairs ministry underscores the group's expanding scope and persistent interest in gathering sensitive information, and highlights the need for heightened vigilance and robust cybersecurity measures.

“The email leveraged diplomatic themes related to defense attaché coordination between Italy and Bangladesh.” [1]

Pierluigi Paganini

For more details, visit the full article: source

This post is licensed under CC BY 4.0 by the author.