ESET researchers analyzed two variants of the yty framework: Gedit and DarkMusical. Their espionage attacks target governments and militaries in South Asia. The main task of the yty malware framework is to collect and exfiltrate data.
The hacking group Donot Team (also known as APT-C-35 or SectorE02) has been conducting espionage attacks on embassies, government and military facilities, and foreign ministries for at least two years. According to ESET researchers' analysis, the group's campaigns focused on targets in Bangladesh, Sri Lanka, Pakistan and Nepal. Their diplomatic facilities in Europe, the Middle East and America were also attacked.
Targeting Bangladesh, Sri Lanka, Pakistan and Nepal
"We have investigated the activities of the Donot team very closely and have uncovered several campaigns," says Facundo Muñoz, ESET researcher and lead investigator. "In their attacks, the hackers rely on Windows malware derived from the group's yty malware framework."
The main purpose of the yty malware framework is to collect and exfiltrate data. The framework consists of a chain of downloaders that ultimately download a backdoor to install, through which other components of the Donot Team tools are downloaded and run. These include file collectors, screen capturers, keyloggers, reverse shells, and more.
Spearphishing attacks on facilities
A close look at the analytics data revealed that the Donot team was targeting the same facilities with spearphishing emails every two to four months. The messages contain malicious Microsoft Office documents attached, which the attackers use to proliferate their malware. Interestingly, the emails that the ESET researchers were able to examine showed no signs of spoofing. “Some messages were sent by the same organizations that were attacked. It's possible that the attackers compromised the mailboxes of some of their victims in previous campaigns, or the mail servers used by these organizations,” says Muñoz.
In their latest blog article, ESET researchers analyze two variants of the yty malware framework: Gedit and DarkMusical. The experts at the European IT security manufacturer decided to name a variant DarkMusical because the attackers chose the names of Western celebrities or characters from the film "High School Musical" for their data and folders. This malware was used in espionage attack campaigns that also targeted military installations in Bangladesh and Nepal.
More at ESET.com
About ESET ESET is a European company with headquarters in Bratislava (Slovakia). ESET has been developing award-winning security software since 1987 that has already helped over 100 million users enjoy secure technology. The broad portfolio of security products covers all common platforms and offers companies and consumers worldwide the perfect balance between performance and proactive protection. The company has a global sales network in over 180 countries and branches in Jena, San Diego, Singapore and Buenos Aires. For more information, visit www.eset.de or follow us on LinkedIn, Facebook and Twitter.