ESET researchers take a deep look into recent attacks carried out by Donot Team throughout 2020 and 2021, targeting government and military entities in several South Asian countries
Donot Team (also known as APT-C-35 and SectorE02) is a threat actor operating since at least 2016 and known for targeting organizations and individuals in South Asia with Windows and Android malware. A recent report by Amnesty International links the group’s malware to an Indian cybersecurity company that may be selling the spyware or offering a hackers-for-hire service to governments of the region.
We have been closely following the activities of Donot Team, and have traced several campaigns that leverage Windows malware derived from the group’s signature yty malware framework. According to our findings, the group is very persistent and has consistently targeted the same organizations for at least the last two years.
In this blogpost, we document two variants of the malware used in recent campaigns – DarkMusical and Gedit. For each of the variants, we analyze the whole attack chain and provide insight into how the group updates its tools, tactics, and techniques.
The campaigns of Donot Team are motivated by espionage, using their signature malware: the “yty” malware framework, whose main purpose is to collect and exfiltrate data. According to our telemetry, Donot Team focuses on a small number of targets in South Asia – Bangladesh, Sri Lanka, Pakistan and Nepal – as seen in Figure 1.
These attacks are focused on:
- Government and military organizations
- Ministries of Foreign Affairs
Donot Team has also gone as far as targeting embassies of these countries in other regions, such as the Middle East, Europe, North America and Latin America.
Try, try, try again
It is not unusual for APT operators to attempt to regain access to a compromised network after they have been ejected from it. In some cases this is achieved by deploying a stealthier backdoor that remains quiet until the attackers need it; in other cases they simply restart their operation with new malware or a variant of the malware they used previously. The latter is the case with Donot Team’s operators, except that they are remarkably persistent in their attempts.
According to ESET telemetry, Donot Team has been consistently targeting the same entities with waves of spearphishing emails carrying malicious attachments every two to four months. Interestingly, the emails we were able to retrieve and analyze showed no signs of spoofing: some were sent from the very organizations that were being attacked. The attackers may have compromised the email accounts of some of their victims in earlier campaigns, or the email server used by those organizations.
With spearphishing emails, the attackers use malicious Microsoft Office documents to deploy their malware. We have seen Donot Team using at least three techniques. One is macros in Word, Excel and PowerPoint documents, such as the example seen in Figure 2.
The second technique is RTF files with .doc extensions that exploit the memory corruption vulnerability CVE-2017-11882 in Equation Editor, shown in Figure 3. These RTF documents also contain two embedded DLLs as OLE objects (see Figure 4) that are used to install and download further components (both DLLs are described in the Gedit section). This allows the attackers to execute shellcode and requires no user interaction. The shellcode deploys the main components of the malware.
The third technique is remote RTF template injection, which causes a payload to be downloaded from a remote server when the RTF document is opened. This is achieved by inserting a URL in the optional \*\template control word of the RTF file format, in place of the location of a local template file. The payload that Donot Team uses is another document that exploits CVE-2017-11882, and it is loaded automatically once downloaded. This is shown in Figure 5.
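Both RTF tricks above (a URL in the template control word, and DLLs carried inside OLE objects) leave static traces that can be checked before a document reaches a user. The Python script below is an added example written for this article, not ESET’s tooling and not a Donot Team artefact: it scans an RTF file for a remote template target and for \objdata objects whose hex payload decodes to something carrying DOS and PE signatures. The RTF strings it ships with are constructed samples, and template.example.invalid is a placeholder hostname.

```python
r"""
Static triage of RTF documents for two delivery tricks:
  1. remote template injection: {\*\template <URL>} pointing at http(s)
  2. embedded OLE objects (\objdata) whose hex payload contains a PE file
Added example, not ESET's code. The sample RTF strings below are constructed.
"""
import re
from typing import Dict, List

# {\*\template http://host/doc.rtf} -> group(1) is the template target
TEMPLATE_RE = re.compile(rb"\\\*\\template\s*([^}]*)}", re.IGNORECASE)
# {\*\objdata 0105000002000000...} -> group(1) is the hex-encoded OLE1 stream
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)}", re.IGNORECASE)
REMOTE_RE = re.compile(rb"^(https?|ftp)://", re.IGNORECASE)


def _decode_hex(chunk: bytes) -> bytes:
    """Turn the whitespace-wrapped hex of an \objdata group back into bytes."""
    clean = re.sub(rb"\s+", b"", chunk)
    if len(clean) % 2:
        clean = clean[:-1]  # tolerate a truncated trailing nibble
    try:
        return bytes.fromhex(clean.decode("ascii"))
    except ValueError:
        return b""


def triage_rtf(data: bytes) -> Dict[str, object]:
    """Return remote template targets, object counts and a verdict for one RTF blob."""
    remote: List[str] = []
    for m in TEMPLATE_RE.finditer(data):
        target = m.group(1).strip()
        if REMOTE_RE.match(target):
            remote.append(target.decode("latin-1"))
    objects = pe_objects = 0
    for m in OBJDATA_RE.finditer(data):
        objects += 1
        blob = _decode_hex(m.group(1))
        # OLE1 "Package" streams wrap the file bytes in their own header, so the
        # DOS and PE signatures are searched anywhere in the decoded object.
        if b"MZ" in blob and b"PE\x00\x00" in blob:
            pe_objects += 1
    return {
        "is_rtf": data.lstrip().startswith(b"{\\rtf"),
        "remote_templates": remote,
        "objects": objects,
        "pe_objects": pe_objects,
        "suspicious": bool(remote) or pe_objects > 0,
    }


# Constructed samples (not real malware): a remote-template lure, a document with
# an embedded PE-carrying object, and a benign file whose template is a local path.
SAMPLE_TEMPLATE = (b"{\\rtf1\\ansi{\\*\\template http://template.example.invalid/x.rtf}"
                   b"{\\fonttbl{\\f0 Calibri;}}Hello}")
_FAKE_PE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 16  # signatures only
SAMPLE_OBJECT = (b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Package}{\\*\\objdata "
                 + _FAKE_PE.hex().encode("ascii") + b"}}Hello}")
SAMPLE_CLEAN = b"{\\rtf1\\ansi{\\*\\template C:\\\\Users\\\\me\\\\Normal.dotm}Hello}"

if __name__ == "__main__":
    import sys
    if sys.argv[1:]:
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(path, triage_rtf(fh.read()))
    else:
        for name, sample in (("template", SAMPLE_TEMPLATE),
                             ("object", SAMPLE_OBJECT), ("clean", SAMPLE_CLEAN)):
            print(name, triage_rtf(sample))
```

Run it with one or more file paths to triage real attachments; with no arguments it runs over the constructed samples. The object check is a heuristic, so a negative result means “nothing obvious” rather than “clean”; a positive result on either check is reason enough to detonate the file in a sandbox instead of opening it.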
The yty malware framework
Discovered by NetScout in 2018, the yty malware framework is a less sophisticated and poorly developed successor to an older framework called EHDevel. The yty framework consists of a chain of downloaders that ultimately download a backdoor with minimal functionality, used to download and execute further components of Donot Team’s toolset.
These include file collectors based on file extension and year of creation, screen capturers, keyloggers, reverse shells, and more. As seen in Figure 6, components for exfiltration gather the collected intelligence from staging folders and upload every file to a designated server used only for this purpose.
Staging folder names and locations are changed with almost every new campaign, as are some of the components’ filenames. However, there are cases in which the names of components have remained unchanged, for example gedit.exe, wuaupdt.exe, lmpss.exe and disc.exe, among others. As seen in Figure 7, it seems that for every new campaign these values have to be changed in the source code and the components recompiled in order to set new paths and filenames, since none of the components use a configuration block or file.
The malware uses scheduled tasks for persistence, and alternates between DLL and EXE files from one campaign to the next. In the case of DLLs, the scheduled tasks execute rundll32.exe to load them and run one of their exported functions.
The developers of the yty framework primarily rely on the C++ programming language. Likely in an attempt to evade detection, they have also ported their components to other languages such as VBScript, Python (packaged with PyInstaller), Visual C#, and AutoIt, among others. However, since 2019 we have only seen them leveraging components programmed in C++ (Figure 8) and Go (Figure 9).
The malware sometimes uses two or three servers during its deployment. It might use one server during its chain of downloaders and a different server that the backdoor contacts in order to receive its commands and download further components, or it might use the same server for both purposes. A different server is always used for the upload of collected information. In some attacks Donot Team has reused C&C domains from previous attacks, both for downloads and for exfiltration. As seen in Figure 10, Figure 11 and Figure 12, the components used in one such attack – later described as the variant we track as DarkMusical – employed three different C&C domains.
Timeline of attacks
Here we describe the malware variants used in recent Donot Team campaigns, with a focus on their Windows malware, starting from September 2020 until October 2021. For clarity, we have separated them into two variants of the yty malware framework: Gedit and DarkMusical, with one specific campaign using Gedit that we named Henos.
In Figure 13, we present a timeline of the attacks according to our telemetry. Our timeline also includes attacks using another variant, known as the “Jaca framework”; we do not describe it here, as it has been covered extensively in this report by CN-SEC.
According to ESET telemetry, the first wave of attacks using the DarkMusical variant occurred in June 2021, targeting military organizations in Bangladesh. We were only able to recover its chain of downloaders and its main backdoor. Given the small number of victims, we believe this might have been a highly targeted attack.
In September, a second wave of attacks that targeted military organizations in Nepal used new C&C servers and file and staging folder names. We were able to recover a number of components downloaded by the backdoor, so we have decided to describe these attacks instead.
Spearphishing emails were sent with PowerPoint documents containing a macro that deploys the first component of a chain of downloaders and persists using a scheduled task. When potential victims open these documents, they will be presented with a fake error message, as seen in Figure 14, and the documents will remain devoid of any visible content.
As seen in Figure 15, the chain of downloaders aims to download a final component that works as a backdoor with minimal functionality: it downloads standalone components, executes them using the ShellExecute Windows API, and gets and saves new C&C URLs.
The backdoor downloads the components that handle the collection and exfiltration of information to a dedicated server. These components do not communicate with the backdoor or the C&C to report on their activities – rather, they use a designated folder for the staging of the data, and a separate exfiltration component will collect everything and upload it.
We decided to call this campaign DarkMusical because of the names the attackers chose for their files and folders: many are western celebrities or characters in the movie High School Musical. Table 1 briefly describes the purpose of each of the components in the chain of compromise.
Table 1. Components in the DarkMusical campaign chain of compromise
This executable is dropped by the malicious document to %public%\Music\rihana.exe, and persistence is established via a scheduled task called musudt.
Downloads a file to %public%\Music\acrobat.dll and drops a BAT file to %public%\Music\sidilieicaliei.bat.
The BAT file calls schtasks.exe to create the hmomci scheduled task to execute

Downloads a file and saves it as %public%\Music\swift
Additionally, it can issue a systeminfo.exe command whose output is redirected to %public%\Music\justin. The contents of the file are sent to its C&C server.
Drops and executes the file %public%\Music\janifer.bat, which performs several tasks:
• Creates two scheduled tasks:
  - sccmos to execute %public%\Music\Troy\forbidden.exe
  - msoudatee to execute %public%\Music\Gabriella\remember.exe
• Moves the swift file into the Gabriella folder and renames it to remember.exe
• Attempts to delete acrobat.dll and rihana.exe
• Deletes the scheduled tasks named hmomci and musudt
• Deletes itself

Downloads a file to %public%\Music\Troy\forbidden.exe

Uses the URL stored in the %public%\Music\Taylor\flag file; if there is no URL, it uses its default URL.
Accepts three commands:
• Set the URL in the flag file
• Execute a file with the ShellExecute Windows API
• Download a file to %public%\Music\Taylor
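The persistence paragraph earlier and Table 1 describe the same pattern: a scheduled task that runs a payload from a user-writable folder, via rundll32.exe when the payload is a DLL. The Python script below is an added example (not ESET’s code) that parses Task Scheduler XML definitions and flags any task whose Exec action uses a script host such as rundll32.exe or points into %public%, %APPDATA% and similar locations. The two task definitions are constructed: the task name hmomci and the acrobat.dll path are taken from Table 1, while the exact command line and the export name Start are assumptions.

```python
r"""
Triage of Task Scheduler XML definitions (the files under %SystemRoot%\System32\Tasks)
for the persistence pattern in Table 1: a task that runs rundll32.exe or another
script host against a payload in a user-writable folder.
Added example, not ESET's tooling. The task definitions below are constructed;
the name hmomci and the acrobat.dll path come from Table 1, the rest is assumed.
"""
import glob
import os
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe",
                "cscript.exe", "cmd.exe", "powershell.exe"}
USER_WRITABLE = re.compile(
    r"%(public|appdata|localappdata|temp|userprofile)%|\\users\\public\\|\\appdata\\|\\temp\\",
    re.IGNORECASE)


def assess_task_xml(xml_doc) -> Dict[str, object]:
    """Return the task URI, its Exec actions and the reasons (if any) it looks suspicious.

    Accepts str or bytes; on-disk task files are UTF-16 with a BOM, and passing the
    raw bytes lets the XML parser detect that encoding itself.
    """
    root = ET.fromstring(xml_doc)
    name = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=NS)
    actions: List[Dict[str, str]] = []
    reasons: List[str] = []
    for ex in root.findall(".//t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", default="", namespaces=NS).strip()
        args = ex.findtext("t:Arguments", default="", namespaces=NS).strip()
        actions.append({"command": cmd, "arguments": args})
        exe = cmd.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()
        if exe in SCRIPT_HOSTS:
            reasons.append(f"launches via {exe}")
        if USER_WRITABLE.search(cmd) or USER_WRITABLE.search(args):
            reasons.append("payload under a user-writable path")
    return {"name": name, "actions": actions, "reasons": reasons,
            "suspicious": bool(reasons)}


def scan_task_folder(folder: str = r"C:\Windows\System32\Tasks") -> List[Dict[str, object]]:
    """Walk the task store and return only the tasks that trip a rule."""
    hits: List[Dict[str, object]] = []
    for path in glob.glob(os.path.join(folder, "**", "*"), recursive=True):
        if not os.path.isfile(path):
            continue
        try:
            with open(path, "rb") as fh:
                result = assess_task_xml(fh.read())
        except (OSError, ET.ParseError):
            continue
        if result["suspicious"]:
            result["file"] = path
            hits.append(result)
    return hits


# Constructed task definitions (assumed command line; names from Table 1).
SUSPICIOUS_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\hmomci</URI></RegistrationInfo>
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT5M</Interval></Repetition>
      <StartBoundary>2021-09-01T00:00:00</StartBoundary>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>rundll32.exe</Command>
      <Arguments>"C:\\Users\\Public\\Music\\acrobat.dll",Start</Arguments>
    </Exec>
  </Actions>
</Task>"""

BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\Microsoft\\Windows\\Defrag\\ScheduledDefrag</URI></RegistrationInfo>
  <Actions Context="Author">
    <Exec>
      <Command>%windir%\\system32\\defrag.exe</Command>
      <Arguments>-c -h -o -$</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for sample in (SUSPICIOUS_TASK, BENIGN_TASK):
        print(assess_task_xml(sample))
```

On a live host, scan_task_folder() needs rights to read the task store and will also surface legitimate software that schedules updaters from %APPDATA%, so the output is a review list rather than a verdict; the combination of a script host and a payload under %public% or %APPDATA%, as in the DarkMusical tasks, is the pairing worth escalating first.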
In Table 2 we describe the purpose of each component of the attacker’s toolset.
Table 2. Description of components in the attacker’s toolset for DarkMusical
Takes screenshots and saves them to %public%\Music\Symphony

Three variants of nDExiD.exe

Collects files created in 2021 and after, and copies them to the staging folder %public%\Music\Symphony
Collects files by extension: doc, docx, eml, inp, jpeg, jpg, msg, odt, pdf, pps, ppsx, ppt, pptx, rtf, txt, xls, xlsx

Same as above, but files must have been created in 2020 or after.

File collector that monitors insertion of USB drives and changes within the file system. Collects the same documents by extension as above, but also includes files with extensions: docm, mbox, pst

Exfiltrates collected files.
Enumerates all files in %public%\Music\Symphony and uploads those that match the extensions: doc, docx, eml, inp, jpeg, jpg, msg, odt, pdf, pps, ppsx, ppt, pptx, rtf, txt, xls, xlsx
We detected the first attacks of the campaign using Gedit in September 2020, against organizations in Pakistan that had already been targeted with spearphishing and malicious RTF documents that installed the Jaca framework. Since then, Donot Team moved on to focus on targets in Bangladesh, Nepal and Sri Lanka. The malware is clearly derived from the yty malware framework, but it is distinct enough to be separated from DarkMusical.
We were able to retrieve a spearphishing email corresponding to a Gedit campaign that occurred in February of 2021, which is shown in Figure 16. The first attachment contained a list of personnel from a military entity in Bangladesh (and no malicious content). The second attachment showed nothing but a blank page, while executing malicious code.
We can see that the size of the second file is greater than 2 MB. It is an RTF file that exploits CVE-2017-11882 to drop two DLL files contained in the document and execute one of them. Other components are downloaded to the compromised computer in various stages. An overview of this attack chain and its malware components is shown in Figure 17.
The components were coded in Go and C++ (with the MinGW and Visual Studio compilers). We have chosen to describe the components used in that February 2021 campaign, which are shown in Table 3.
Table 3. Description of components for Gedit variant
Moves the file %TEMP%\bcs01276.tmp to %USERPROFILE%\Documents\msdn022.dll
Creates a scheduled task MobUpdate to execute

Downloads a file to %APPDATA%\mscx01102 (later renamed to Winhlp.exe).
Writes and executes %APPDATA%\test.bat, which:

Downloads a file to %USERPROFILE%\infboostOOOnprint.exe (if it doesn’t exist or its size is less than 50 kB).

Sends a request to a server and, depending on the reply, three actions can be performed:
• If qwertyuiop is in the reply headers, then a file is downloaded to
• If asdfghjklzx is in the reply headers, then it tries to execute
• If zxcvbnmlkjhgfd is in the reply headers, then it tries to execute
If a file

Takes screenshots and saves them, in an infinite loop, to %USERPROFILE%\RemoteDeskApps

File collector. Iterates recursively through drives, logging interesting files to
Seeks files with the extensions: doc, docx, xls, xlsx, ppt, pps, pptx, ppsx, pdf, inp, msg, jpg, jpeg, png, txt
Excludes the following files/folders: ., .., nohiucf, Windows, Recent Places, Temfile, Program Files, Program Files (x86), ProgramData, Microsoft, Package Cache
This component runs in an infinite loop, iterating drives from C: to H:

Sends collected files to a server. All files that are in %USERPROFILE%\RemoteDeskApps are sent one by one, unencrypted. There is no check for extension, other than excluding . and ..
The victim identifier that was written to %USERPROFILE%\Policyen-usFileswizard is appended to the URL. If the file doesn’t exist, then the default string HeloBSiamabcferss is used instead. User-agent is:
It creates a system event named aaaaaaaaa to make sure that only one instance of the component is running at a time.
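The exfiltration component in Table 3 gives a defender a clean network signature: one client sending many POST requests in quick succession to a single host, one file per request, over plain HTTP, with a fixed identifier appended to the URL. The Python script below is an added example written for this article, not ESET’s code, that looks for that burst pattern in a proxy log. The log lines are constructed in a simple space-separated format (timestamp, client, method, host, path, bytes, quoted User-Agent); upload.exfil.invalid is a placeholder host, and HeloBSiamabcferss is the default identifier string named in Table 3.

```python
"""
Burst detector for the exfiltration behaviour in Table 3: files uploaded one by one,
unencrypted, to a dedicated server, with a victim identifier appended to the URL.
Added example, not ESET's code. The log below is constructed; the format is
  timestamp client method host path bytes "user-agent"
"""
from collections import defaultdict
from datetime import datetime, timezone
import shlex
from typing import Dict, FrozenSet, List

# Constructed proxy log: one browsing request, a five-file upload burst from 10.0.4.21
# to a placeholder host, and two normal SharePoint uploads from another client.
CONSTRUCTED_LOG = """\
2021-09-14T10:02:11Z 10.0.4.21 GET www.example.com /index.html 1820 "Mozilla/5.0 (Windows NT 10.0) Firefox/92.0"
2021-09-14T10:03:01Z 10.0.4.21 POST upload.exfil.invalid /cgi/HeloBSiamabcferss 48213 "Mozilla/4.0"
2021-09-14T10:03:04Z 10.0.4.21 POST upload.exfil.invalid /cgi/HeloBSiamabcferss 90311 "Mozilla/4.0"
2021-09-14T10:03:06Z 10.0.4.21 POST upload.exfil.invalid /cgi/HeloBSiamabcferss 12744 "Mozilla/4.0"
2021-09-14T10:03:09Z 10.0.4.21 POST upload.exfil.invalid /cgi/HeloBSiamabcferss 63120 "Mozilla/4.0"
2021-09-14T10:03:13Z 10.0.4.21 POST upload.exfil.invalid /cgi/HeloBSiamabcferss 20511 "Mozilla/4.0"
2021-09-14T10:10:40Z 10.0.4.33 POST sharepoint.corp.invalid /sites/docs/upload 50123 "Mozilla/5.0 (Windows NT 10.0) Chrome/94.0"
2021-09-14T10:11:02Z 10.0.4.33 POST sharepoint.corp.invalid /sites/docs/upload 40123 "Mozilla/5.0 (Windows NT 10.0) Chrome/94.0"
"""


def parse_log(text: str) -> List[Dict[str, object]]:
    """Parse the constructed format into event dicts; shlex keeps the quoted UA together."""
    events: List[Dict[str, object]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, host, path, size, ua = shlex.split(line)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "client": client, "method": method, "host": host,
            "path": path, "bytes": int(size), "ua": ua,
        })
    return events


def find_upload_bursts(events: List[Dict[str, object]], window_s: int = 120,
                       min_uploads: int = 4,
                       allowlist: FrozenSet[str] = frozenset()) -> List[Dict[str, object]]:
    """Flag (client, host) pairs with at least min_uploads POST/PUT requests inside window_s seconds."""
    by_pair: Dict[tuple, List[Dict[str, object]]] = defaultdict(list)
    for e in events:
        if e["method"] in ("POST", "PUT") and e["host"] not in allowlist:
            by_pair[(e["client"], e["host"])].append(e)
    alerts: List[Dict[str, object]] = []
    for (client, host), ups in by_pair.items():
        ups.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(ups)):  # sliding window over the sorted uploads
            while (ups[end]["ts"] - ups[start]["ts"]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= min_uploads:
                # An identical trailing path segment on every upload is the
                # "identifier appended to the URL" behaviour from Table 3.
                tails = {e["path"].rstrip("/").rsplit("/", 1)[-1] for e in ups}
                alerts.append({
                    "client": client, "host": host, "uploads": len(ups),
                    "total_bytes": sum(e["bytes"] for e in ups),
                    "candidate_id": tails.pop() if len(tails) == 1 else None,
                    # A User-Agent that is not a current browser string is a secondary signal.
                    "nonbrowser_ua": any(not e["ua"].startswith("Mozilla/5.0") for e in ups),
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in find_upload_bursts(parse_log(CONSTRUCTED_LOG)):
        print(alert)
```

Because the component skips any check on file type and sends everything in its staging folder, the count of uploads rather than their content is the reliable signal; an allowlist of sanctioned upload destinations keeps collaboration platforms out of the results, and since the transfers are plain HTTP, a proxy can also log the request body size per file to confirm what left the network.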
Finally, it is worth mentioning a wave of attacks that occurred between February and March 2021, targeting military organizations in Bangladesh and Sri Lanka. These attacks used the Gedit variant of the malware, but with some minor modifications. Therefore, we decided to name this campaign Henos in our timeline, after its backdoor DLL – henos.dll.
Samples belonging to components of this wave of attacks were also reported online in February, which probably explains why the group didn’t use the components again (see this tweet by Shadow Chaser Group researchers, for example).
Although we didn’t find the corresponding spearphishing emails or malicious documents, the attack chain is presumably the same as we described above, with some minor differences in how the components are executed. An overview of this is shown in Figure 18.
Some of the components of this campaign are named javatemp.exe and pytemp.exe, but these filenames were probably chosen only in an attempt to mimic legitimate software such as Java or Python. While pytemp.exe and plaapas.exe were coded in the Go language, javatemp.exe was coded in C++ (compiled with MinGW).
One final note is that the component that performs exfiltration of files, pytemp.exe, performs a check to see if gedit.exe is running. If two or more instances are found, it exits. We believe this is a mistake by the programmers, as it should check for pytemp.exe instead. However, this simple mistake helps us tie the Henos campaign to the Gedit variant of the malware (in addition to code similarity).
Donot Team makes up for its low sophistication with tenacity. We expect that it will continue to push on regardless of its many setbacks. Only time will tell if the group evolves its current TTPs and malware.
For any inquiries, or to make sample submissions related to the subject, contact us at firstname.lastname@example.org.
Indicators of Compromise (IoCs)
A comprehensive list of Indicators of Compromise (IoCs) and samples can be found in our GitHub repository.
Gedit – October 2021
ESET detection name
Reverse shell server
Gedit – July 2021
ESET detection name
Reverse shell servers
Gedit – February/March 2021
ESET detection name
Reverse shell server
Gedit – September 2020
ESET detection name
Reverse shell server
DarkMusical – September 2021
ESET detection name
Reverse shell servers
DarkMusical – June 2021
ESET detection name
Henos – February/March 2021
ESET detection name
Procurement Letter Feb 21.doc
MITRE ATT&CK techniques
This table was built using version 10 of the ATT&CK framework.
- Obtain Capabilities: Exploits – Donot Team has used CVE-2017-11882 exploits to run its first-stage malware.
- Phishing: Spearphishing Attachment – Donot Team has sent spearphishing emails to its victims with malicious Word or PowerPoint attachments.
- User Execution: Malicious File – Donot Team has lured its victims into opening malicious email attachments.
- Command and Scripting Interpreter: Visual Basic – Donot Team has used macros contained in PowerPoint documents.
- Command and Scripting Interpreter: Windows Command Shell – Donot Team has used reverse shells on the system to execute commands.
- Exploitation for Client Execution – Donot Team has used CVE-2017-11882 exploits to execute code on the victim’s machine.
- Scheduled Task/Job: Scheduled Task – Donot Team has created scheduled tasks for persistence of its malicious components.
- Masquerading: Match Legitimate Name or Location – Donot Team has used filenames such as pytemp or javatemp to approximate the name of legitimate software.
- Donot Team has implemented checks for older versions of the malware running on the victim’s system.
- Donot Team has sent spearphishing emails to their victims that came from within the same targeted organization.
- Data from Local System – Donot Team has used malicious modules that traverse the victim’s filesystem looking for files with various extensions.
- Data from Removable Media – Donot Team has used a malicious module to copy files from removable drives.
- Data Staged: Local Data Staging – Donot Team has staged files for exfiltration in a single location, a folder in the victim’s computer.
- Donot Team has used malicious modules to take screenshots from victims.
Command and Control
- Application Layer Protocol: Web Protocols – Donot Team has used HTTP/S for C&C communications and data exfiltration.
- Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol – Donot Team has used dedicated servers for exfiltration, sending the data over HTTP or HTTPS, unencrypted.