Rewterz Threat Alert – Donot APT Group Targeting Pakistani Officials – Active IOCs

Severity

Medium

Analysis Summary

Donot APT group has been actively dropping malicious samples and targeting Government users to exfiltrate data. The group has previously been active in the past and has now again shifted its focus to phishing campaigns. The group has a history of attacking Pakistani government officials and military personnel and has been linked to India. They previously targeted Pakistani users with android malware named (StealJob) was used to target Pakistani android mobile users by Phishing on the name of “Kashmiri Voice” The attackers hunt for confidential information and intellectual property. The hackers’ targets include countries in South Asia, in particular, the state sector of Pakistan.

This time they’re targeting Pakistani officials with a decoy document names (Indian Military Out.doc) which seems to focus on the exit of Indian armed troops from the Kashmir Valley with hopes that that the victims fall prey to this decoy document because of the nature of the state of affairs in the Kashmir Valley. This trickery has been the most useful armor for them in their arsenal because in this way they tend to find more targets among people who are passionate about the Kashmir issue and for the people of Kashmir. 

Impact

• Information Theft and Espionage
• Data exfiltration

Indicators of Compromise

Domain Name

• Indian Military Out[.]doc

MD5

• b247a6ec5ee4d2280acc33dd929d637b

SHA-256

• 5cff3f8205d5d6991185a1650b9fb1ff31dea5e750be2e62e59e1c96701c47c8

SHA-1

• bf5ed14eed16026b6306fb114c92da0b1078fe28

Remediation

• Block the threat indicators at their respective controls.
• Search for IOCs in your environment.