Rewterz Threat Alert – Donot APT group Targeting Pakistan

Severity

High

Analysis Summary

APT C-35 aka (Donot Team) has been actively dropping malicious RTF sample for template injection. The group has a history of attacking Pakistani government officials and military personnel and has been linked to India. They previously targeted Pakistani users with android malware named (StealJob) was used to target Pakistani android mobile users by Phishing on the name of “Kashmiri Voice” The attackers hunt for confidential information and intellectual property. The hackers’ targets include countries in South Asia, in particular, state sector of Pakistan.

The file name suggests that the malicious attachment is about the “Brief Report on International Boarder ” which iterates the reporting done on the international border and the activities on it. These type of reports are shared with highest level officials and the content in it is use to develop strategic planning. These kind of attacks are now in full flow to disintegrate Pakistan after Pakistan started performing better interms of economy and getting themselves retain in the FATF grey list where as India pushed Pakistan to the wire to be inducted to blacklist so they can take advantage of the situation and get their gain in the region. 

Impact

Information theft and Espionage

Indicators of Compromise

Filename

• Brief Report on International Boarder l 301-2(6[.]doc

MD5

• d8f19b4b3b74cf6f4cb2482c4dc88d37

SHA-256

• d417fe805ec25443ea2a0999f398ebacb6e366f7de69442757614cad2d36dc90

SHA1

• a15d011bed98bce65db597ffd2d5fde49d46cfa2

URL

• http[:]//firm[.]tplinkupdates[.]space/

Remediation

• Block all threat indicators at your respective controls.
• Search for IOCs in your environment.