DoNot Team’s New Firebird Backdoor Hits Pakistan and Afghanistan

Cyber Security

Oct 23, 2023NewsroomCyber Espionage / Malware

The threat actor known as DoNot Team has been linked to the use of a novel .NET-based backdoor called Firebird targeting a handful of victims in Pakistan and Afghanistan.

Cybersecurity company Kaspersky, which disclosed the findings in its APT trends report Q3 2023, said the attack chains are also configured to deliver a downloader named CSVtyrei, so named for its resemblance to Vtyrei.

“Some code within the examples appeared non-functional, hinting at ongoing development efforts,” the Russian firm said.

Vtyrei (aka BREEZESUGAR) refers to a first-stage payload and downloader strain previously harnessed by the adversary to deliver a malware framework known as RTY.

DoNot Team, also known by the names APT-C-35, Origami Elephant, and SECTOR02, is suspected to be of Indian origin, with its attacks employing spear-phishing emails and rogue Android apps to propagate malware.

The latest assessment from Kaspersky builds on an analysis of the threat actor’s twin attack sequences in April 2023 to deploy the Agent K11 and RTY frameworks.

The disclosure also follows Zscaler ThreatLabz’s uncovering of new malicious activity carried out by the Pakistan-based Transparent Tribe (aka APT36) actor targeting Indian government sectors using an updated malware arsenal that comprises a previously undocumented Windows trojan dubbed ElizaRAT.

“ElizaRAT is delivered as a .NET binary and establishes a C2 communication channel via Telegram, enabling threat actors to exert complete control over the targeted endpoint,” security researcher Sudeep Singh noted last month.

Active since 2013, Transparent Tribe has utilized credential harvesting and malware distribution attacks, often distributing trojanized installers of Indian government applications like Kavach multi-factor authentication and weaponizing open-source command-and-control (C2) frameworks such as Mythic.

In a sign that the hacking crew has also set its eyes on Linux systems, Zscaler said it identified a small set of desktop entry files that pave the way for the execution of Python-based ELF binaries, including GLOBSHELL for file exfiltration and PYSHELLFOX for stealing session data from the Mozilla Firefox browser.

“Linux-based operating systems are widely used in the Indian government sector,” Singh said, adding the targeting of the Linux environment is also likely motivated by India’s decision to replace Microsoft Windows OS with Maya OS, a Debian Linux-based operating system, across government and defense sectors.

Joining DoNot Team and Transparent Tribe is another nation-state actor from the Asia-Pacific region with a focus on Pakistan.

Codenamed Mysterious Elephant (aka APT-K-47), the hacking group has been attributed to a spear-phishing campaign that drops a novel backdoor called ORPCBackdoor that’s capable of executing files and commands on the victim’s computer, and receive files or commands from a malicious server.

According to the Knownsec 404 Team, APT-K-47 shares tooling and targeting overlaps with that of other actors such as SideWinder, Patchwork, Confucius, and Bitter, most of which are assessed to be aligned with India.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.