DoNot Team’s New Firebird Backdoor Hits Pakistan and Afghanistan

October 23, 2023 at 02:09PM

DoNot Team, a threat actor suspected to be of Indian origin, has been using a new .NET-based backdoor called Firebird to target victims in Pakistan and Afghanistan. The attack also involves a downloader named CSVtyrei. Kaspersky discovered the attack and noted ongoing development efforts. Transparent Tribe, another hacking group, has been targeting Indian government sectors with an updated malware arsenal, including a new trojan called ElizaRAT. A third nation-state actor, Mysterious Elephant, has been identified with a focus on Pakistan. They utilize spear-phishing campaigns and a backdoor called ORPCBackdoor.

Meeting Takeaways:

– The threat actor known as DoNot Team, also known as APT-C-35, Origami Elephant, and SECTOR02, is suspected to be of Indian origin. They have been linked to cyber-espionage activities targeting victims in Pakistan and Afghanistan.
– DoNot Team utilizes spear-phishing emails and rogue Android apps to propagate malware.
– Kaspersky’s APT trends report Q3 2023 disclosed that DoNot Team uses a novel .NET-based backdoor called Firebird and a downloader named CSVtyrei.
– Vtyrei (aka BREEZESUGAR) is a first-stage payload and downloader strain previously used by DoNot Team to deliver the RTY malware framework.
– The Russian firm Kaspersky noted that the DoNot Team samples it analyzed showed ongoing development efforts, with some of the code appearing non-functional.
– Zscaler ThreatLabz recently uncovered malicious activity by the Pakistan-based Transparent Tribe (aka APT36) targeting Indian government sectors. They use an updated malware arsenal, including a previously undocumented Windows trojan called ElizaRAT.
– Transparent Tribe, active since 2013, utilizes credential harvesting and malware distribution attacks, often distributing trojanized installers of Indian government applications and weaponizing open-source command-and-control frameworks.
– Transparent Tribe has also shown interest in Linux systems, with identified desktop entry files that enable the execution of Python-based ELF binaries for file exfiltration and session data theft.
– Another nation-state actor from the Asia-Pacific region, codenamed Mysterious Elephant (aka APT-K-47), has been attributed to a spear-phishing campaign using a novel backdoor called ORPCBackdoor to execute files and commands on victims’ computers.
– APT-K-47 shares tooling and targeting overlaps with other actors aligned with India, such as SideWinder, Patchwork, Confucius, and Bitter.
– India’s decision to replace Microsoft Windows OS with Maya OS (a Debian Linux-based OS) in government and defense sectors may have motivated the targeting of Linux systems.
