<h1>DoNot Go! Do Not Respawn!</h1>
<p>Published 2022-01-20, <a href="https://www.enerjigazetesi.ist/en/siber-casusluk-hizini-kesmiyor/">https://www.enerjigazetesi.ist/en/siber-casusluk-hizini-kesmiyor/</a></p>
<h2><strong>Donot Team (also known as APT-C-35 and SectorE02) is a threat actor operating since at least 2016 and known for targeting organizations and individuals in South Asia with Windows and Android malware. A recent report by Amnesty International links the group's malware to an Indian cybersecurity company that may be selling the spyware or offering a hackers-for-hire service to governments of the region.</strong></h2>
<p>We have been closely following the activities of <strong>Donot Team</strong>, and have traced several campaigns that leverage <strong>Windows malware</strong> derived from the group's signature <strong>yty malware framework</strong>. According to our findings, the group is <strong>very persistent</strong> and has consistently targeted the same organizations for at least the <strong>last two years</strong>.</p>
<p>In this blogpost, we document two variants of the malware used in recent campaigns – <strong>DarkMusical</strong> and <strong>Gedit</strong>. For each of the variants, we analyze the whole attack chain and provide insight into how the group updates its <strong>tools, tactics, and techniques</strong>.</p>
<p>Going as far as targeting embassies of these countries in other regions, such as the <strong>Middle East, Europe, North America,</strong> and <strong>Latin America,</strong> is also not outside <strong>Donot Team's realm</strong>.</p>
<h2>Try, try, try again</h2>
<p>It's not a rarity for <strong>APT operators</strong> to attempt to regain access to a <strong>compromised network</strong> after they have been ejected from it. In some cases this is achieved through the deployment of a <strong>stealthier backdoor</strong> that remains quiet until <strong>the attackers need</strong> it; in other cases they simply restart their operation with new malware or a variant of <strong>the malware</strong> they used previously. The latter is the case with <strong>Donot Team operators</strong>, only that they are <strong>remarkably persistent</strong> in <strong>their attempts</strong>.</p>
<p>According to ESET telemetry, <strong>Donot Team</strong> has been consistently targeting the same entities with waves of spearphishing emails with malicious attachments every two to four months. Interestingly, emails we were able to retrieve and analyze did not show signs of spoofing. Some emails were sent from the same organizations that were being attacked. It's possible that the attackers may have compromised the email accounts of some of their victims in <strong>earlier campaigns</strong>, or the <strong>email server used</strong> by those organizations.</p>