Indian Innefu Lab’s Donot Team updates its Windows malware framework

Donot Team, a threat actor linked to the Indian cybersecurity firm Innefu Labs, has persistently attacked military organizations in South Asia, including Bangladesh, Nepal and Sri Lanka, since 2016.

In October 2021, Amnesty International published a report linking the spyware and infrastructure used in Donot Team (APT-C-35) attacks to Innefu Labs, a cybersecurity company based in India. The link was an IP address tied to the infrastructure used to distribute Donot Team spyware in attacks targeting a human rights activist in Togo.

Innefu Labs

Innefu Labs was founded in 2010 by Tarun Wig and Abhishek Sharma. It has carved out a niche in indigenous artificial intelligence products and provides services to law enforcement. The firm has won several high-profile customers in Indian defence and the CRPF for its multi-factor authentication solutions.

Morphisec Labs has now found that Donot Team added new capabilities to its Jaca Windows malware framework. The attack starts with spear-phishing emails carrying RTF documents that trick users into enabling macros. Once macros are enabled, a piece of shellcode is injected into memory; it then downloads a second-stage shellcode from the C2 server and executes it.

Donot's latest spear-phishing emails carry malicious Microsoft Office documents and exploit known vulnerabilities in the productivity software to launch the backdoor.

Donot Team customizes its "yty" malware framework for each campaign. The malware has versions for both Windows machines and Android handsets. According to ESET researchers, the group uses it to attack the same target networks continuously.

If a victim opens the attached document, they are exposed either to malicious macros or to RTF files with a .doc extension that contain an exploit for CVE-2017-11882, a memory corruption flaw in Microsoft Office's Equation Editor that leads to remote code execution (RCE).
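The two lure shapes described above (a macro-carrying Office document, and an RTF renamed to .doc that embeds an Equation Editor object) can both be caught by simple static checks before the file reaches a user. The following triage script is an added example written for this page; it is not code from Morphisec, ESET or Innefu Labs, and the sample attachments it scans are constructed inline, not real Donot samples. It assumes only the Python standard library, the well-known magic bytes of RTF, OLE2 and OOXML files, the Equation.3 CLSID {0002CE02-0000-0000-C000-000000000046}, and the fact that OLE directory entry names (such as the _VBA_PROJECT stream) are stored as UTF-16LE:

```python
import re

# Magic bytes of the container formats that matter for this lure family
RTF_MAGIC = b"{\\rtf"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc (OLE2 compound file)
ZIP_MAGIC = b"PK\x03\x04"                            # .docx/.docm (OOXML, a zip)

# Equation Editor markers used by CVE-2017-11882 RTF exploits: the \objclass
# control word naming Equation.3, and the hex-encoded little-endian CLSID of
# Equation.3 ({0002CE02-0000-0000-C000-000000000046}) as it appears in \objdata.
EQUATION_OBJCLASS = re.compile(rb"\\objclass[ \t]*Equation", re.IGNORECASE)
EQUATION_CLSID_HEX = b"02ce020000000000c000000000000046"

# OLE directory entry names are stored UTF-16LE; this stream exists in macro-carrying .doc files.
VBA_PROJECT_UTF16 = "_VBA_PROJECT".encode("utf-16-le")


def sniff_format(data):
    """Return the container format implied by the leading bytes, ignoring the file name."""
    if data.startswith(RTF_MAGIC):
        return "rtf"
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.startswith(ZIP_MAGIC):
        return "ooxml"
    return "unknown"


def triage_attachment(filename, data):
    """Return a list of findings for one attachment; an empty list means nothing was flagged."""
    findings = []
    fmt = sniff_format(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""

    # 1. Name/content mismatch: a .doc that is really RTF is the lure shape the article describes.
    if ext in ("doc", "dot") and fmt == "rtf":
        findings.append("extension/format mismatch: .%s name but RTF body" % ext)

    # 2. RTF carrying an embedded Equation Editor object (CVE-2017-11882 pattern).
    if fmt == "rtf" and b"\\object" in data:
        compact = re.sub(rb"\s+", b"", data).lower()   # \objdata hex is often wrapped across lines
        if EQUATION_OBJCLASS.search(data) or EQUATION_CLSID_HEX in compact:
            findings.append("embedded Equation Editor object (CVE-2017-11882 exploit pattern)")

    # 3. Legacy .doc with a VBA project: the "enable macros" step of the chain.
    if fmt == "ole" and VBA_PROJECT_UTF16 in data:
        findings.append("OLE document contains a VBA project (macros present)")

    return findings


# Constructed sample inputs (assumptions for this example, not captured Donot samples):
# an RTF named as .doc embedding an Equation.3 object whose CLSID hex is split over lines,
# a clean RTF with no objects, and a fake OLE header followed by a VBA project stream name.
LURE_RTF = (
    b"{\\rtf1\\ansi\\deff0{\\object\\objemb\\objw380\\objh260"
    b"{\\*\\objclass Equation.3}{\\*\\objdata 0105000002000000\n"
    b"0b000000457175617469" b"6f6e2e330002ce020000\n"
    b"000000c000000000000046 }}}"
)
CLEAN_RTF = b"{\\rtf1\\ansi\\deff0 Quarterly logistics summary, no embedded objects.}"
MACRO_DOC = OLE_MAGIC + b"\x00" * 24 + VBA_PROJECT_UTF16 + b"\x00" * 8

if __name__ == "__main__":
    for name, blob in (("notice.doc", LURE_RTF), ("summary.rtf", CLEAN_RTF), ("invite.doc", MACRO_DOC)):
        print(name, sniff_format(blob), triage_attachment(name, blob) or ["clean"])
```

The checks are deliberately cheap and dependency-free so they can run in a mail gateway or a SIEM enrichment step; a hit on finding 1 or 2 is a strong signal on its own, while finding 3 only says macros are present and should be combined with sender and context before blocking. For deeper inspection of the embedded OLE payload, hand the flagged file to a full parser such as oletools rather than extending the regexes.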

ESET researchers concluded that "Donot Team makes up for its low sophistication with tenacity". Defending against APTs like Donot Team requires a defense-in-depth strategy that uses multiple layers of security, so that protection remains if any one layer is breached.
