Rewterz Threat Alert – Donot APT Group – Active IOCs

Severity

High

Analysis Summary

Donot APT, also known as Advanced Persistent Threat, is a highly sophisticated and persistent cyber threat group that has been active in recent years. Their activities primarily focus on conducting targeted cyber espionage campaigns against various organizations, including government entities, defense contractors, and technology companies.

Donot APT has demonstrated advanced technical capabilities and employs a range of sophisticated tactics, techniques, and procedures (TTPs) to gain unauthorized access to their targets’ networks and steal sensitive information. They often utilize a combination of social engineering, spear-phishing emails, and zero-day vulnerabilities to compromise their victims’ systems.

Once inside the targeted network, Donot APT engages in lateral movement, escalating privileges, and maintaining persistent access. They employ custom-built malware, including remote access trojans (RATs), backdoors, and keyloggers, to exfiltrate data and maintain control over compromised systems. Additionally, they leverage advanced anti-forensic techniques to evade detection and maintain their presence within the targeted networks for extended periods, sometimes lasting years.

Attribution of Donot APT to a specific nation-state or organization is challenging, as they exhibit a high level of operational security and employ false flag techniques to misdirect investigators. However, security researchers and intelligence agencies have linked the group to state-sponsored cyber activities.

Impact

• Information Theft and Espionage

Indicators of Compromise

MD5

• bf7836d634aaa756c7bc9d3bfd445243

SHA-256

• 2766a045696f112f7c55f76ce50e55b608ad5c9faae8e2612cfa02aacd7e0d93

SHA-1

• a2ff9d24e7a4e13dd6bdbcc5fb5404201270a6a6

URL

• http://liberty.tourexplore.shop/pueruuueuugeru4kka0odf/ewkkzkk457zkrfkefrkdx0o

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls
• Do not download documents attached in emails from unknown sources and strictly refrain from enabling macros when the source isn’t reliable.
• Enable antivirus and anti-malware software and update signature definitions in a timely manner. Using multi-layered protection is necessary to secure vulnerable assets
• Along with network and system hardening, code hardening should be implemented within the organization so that their websites and software are secure. Use testing tools to detect any vulnerabilities in the deployed codes.