# Analysis of the Donot APT campaign ## Table of Contents * [Malware analysis](#Malware-analysis) + [86ccedaa93743e83787f53e09e376713.docx](#malware1) + [d2263c15dfcccfef16ecf1c1c9304064befddf49cdbbd40abd12513481d7faf7.doc](#malware2) + [01d85719c5fec354431881f304307bb5521ecf6cb50eec4d3ec40d103dd3d3ae.docx](#malware3) + [pk_17e3a134ee4bcb50a9f608409853628ac619fd24cffd8d15868cf96ce63bb775.doc](#malware4) + [A1719.docx, INGOs Spending on Rohingyas.doc, Scan0012.docx](#malware5) * [Cyber Threat Intel](#Cyber-Threat-Intel) + [Opendir analysis](#opendir) * [Indicators Of Compromise (IOC)](#IOC) * [References MITRE ATT&CK Matrix](#Ref-MITRE-ATTACK) * [Links](#Links) + [Original Tweet](#Original-Tweet) + [Link Anyrun](#Links-Anyrun) + [Documents](#Documents) ## Malware analysis ### 86ccedaa93743e83787f53e09e376713.docx ###### The first sample of the campaign is a maldoc file using cve-2017-0199 (Template injection) for request and executed the next stage of the infection. ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/1/InjTemp.PNG "") ###### This use RTF file with the cve-2018-0802 for execute embedded excel object by the CLSID of the Excel COM object. ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/1/RTFInfo.PNG "") ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/1/CLSID.png "") ###### This extract and execute the zip archive from the RTF file. ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/1/HexPK.PNG "") ###### On the backdoor, we can see that can push an environnement variable and create the "Mknyh" Mutex. ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/1/EFILE-EnvVar.PNG "") ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/1/EFILE-Mutex.PNG "") ###### After perform this, this install the let's encrypt certificate and collect the informations about the system and send it in the C2. ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/1/EFILE-Infos1.PNG "") ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/1/EFILE-Infos2.PNG "") ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/1/EFILE-Infos3.PNG "") ###### This collect the list of disks and the types of this. ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/1/EFILE-Disk1.png "") ###### This can save and execute a stream from the C2. ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/1/EFILE-Mod1.PNG "") ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/1/EFILE-Mod2.PNG "") ### d2263c15dfcccfef16ecf1c1c9304064befddf49cdbbd40abd12513481d7faf7.doc ###### The second samples use the same TTPs and use Template injection. ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/2/Template.png "") ###### The RTF file download and executed drop the same backdoor. ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/2/RTFInfo.png "") ### 01d85719c5fec354431881f304307bb5521ecf6cb50eec4d3ec40d103dd3d3ae.docx ###### The next sample use Template injection too for download and executed drop the RTF file. ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/3/Inj.PNG "") ###### The RTF file push a persistence with a LNK file, extract the backdoor and execute on another instance of explorer. ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/3/RTFInfo.PNG "") ###### The backdoor use a timer for as anti-sandbox method and check the features. ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/3/Main.png "") ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/3/Anti-sandbox.PNG "") ###### This push in memory the backdoor and check the system informations. ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/3/VirtualProtect.PNG "") ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/3/Infos.PNG "") ###### This have the capacity to hijack the AVAST AV, send the informations and request to the C2 for commands. This can save a file and execute it on the computer. ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/3/Hijack.png "") ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/3/connect.PNG "") ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/3/WriteFile.PNG "") ### pk_17e3a134ee4bcb50a9f608409853628ac619fd24cffd8d15868cf96ce63bb775.doc ###### This continue to use Template injection. ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/4/inj.PNG "") ###### The RTF file dropped extract a js file, a dll and an exe file. ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/4/rtfinfos.PNG "") ###### The js file execute the dll and the exe file for bypass the UAC by the UACme tool. The backdoor is the same that the first sample. ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/4/js.PNG "") ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/4/UAC.PNG "") ### A1719.docx, INGOs Spending on Rohingyas.doc, Scan0012.docx ###### The TTPs is the same that the second sample for the last samples. ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/5/Inj.png "") ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/5/RTFinfos.png "") ## Cyber Threat Intel ### Opendir analysis ###### We can note that the server are main hosted by DigitalOcean cloud provider. |IP|URL|Opendir|ASN|Organization|Route|Coordinates|Country| | :---------------: | :--------------- | :---------------: | :---------------: | :---------------: | :---------------: | :---------------: |:---------------: | |178.62.188.63|hxxp[:]//en-content.com/SecurityM/EFILE|Yes|AS14061|DigitalOcean Amsterdam|178.62.128.0/18|52.3740,4.8897|Netherlands| |178.62.186.233|hxxp[:]//bsodsupport.icu/ScanSecurity/XLSSN|Yes|AS14061|DigitalOcean Amsterdam|178.62.128.0/18|52.3740,4.8897|Netherlands| |156.67.222.128|hxxp[:]//noitfication-office-client.890m.com/fcfdae-9dfc335ca-bd10/NHSORE/jjhl|No|AS47583|Hostinger International Limited|156.67.208.0/20|1.3667,103.8000|Singapore| |159.89.104.38|hxxp[:]//plug.msplugin.icu/MicrosoftSecurityScan/DOCSDOC|No|AS14061|DigitalOcean, LLC|159.89.96.0/20|50.1155,8.6842|Germany| |157.230.213.81|hxxp[:]//mscheck.icu/SecurityScan/XLSS|No|AS14061|DigitalOcean, LLC|157.230.208.0/20|40.8043,-74.0121|United States| |146.185.139.134|hxxp[:]//sdn.host/MicrosoftSecurityScan/11MVEM1X|No|AS14061|DigitalOcean Amsterdam|146.185.128.0/19|52.3740,4.8897|Netherlands| |146.185.139.134|hxxp[:]//sdn.host/MicrosoftSecurityScan/FRSI080222F|No|AS14061|DigitalOcean Amsterdam|146.185.128.0/19|52.3740,4.8897|Netherlands| ###### The group use multiple OS and Web Servers, this can be explained by two possible reasons. First, Donot can be multiple groups with differents levels of skills or the attacker have don't protect some servers due this used for weak interest targets. |IP|URL|Opendir|Webserver|OS| | :---------------: | :---------------: | :---------------: | :---------------: | :---------------: | |178.62.188.63|hxxp[:]//en-content.com/SecurityM/EFILE|Yes|Apache|CentOS| |178.62.186.233|hxxp[:]//bsodsupport.icu/ScanSecurity/XLSSN|Yes|Apache|CentOS| |156.67.222.128|hxxp[:]//noitfication-office-client.890m.com/fcfdae-9dfc335ca-bd10/NHSORE/jjhl|No|LiteSpeed|CentOS| |159.89.104.38|hxxp[:]//plug.msplugin.icu/MicrosoftSecurityScan/DOCSDOC|No|Apache|CentOS| |157.230.213.81|hxxp[:]//mscheck.icu/SecurityScan/XLSS|No|Nginx ?|Ubuntu ?| |146.185.139.134|hxxp[:]//sdn.host/MicrosoftSecurityScan/11MVEM1X|No|Nginx|Ubuntu| |146.185.139.134|hxxp[:]//sdn.host/MicrosoftSecurityScan/FRSI080222F|No|Nginx|Ubuntu| ###### List of files on the opendir : |IP|URL|Files|Date (Last modified)|Size| | :---------------: | :---------------: | :---------------: | :---------------: |:---------------: | |178.62.188.63|hxxp[:]//en-content.com/SecurityM/|DFILE
DFILE-
EFILE
EFILE-
LIN|2019-08-30 12:46
2019-08-29 12:05
2019-08-30 12:49
2019-08-29 12:19
2019-08-30 12:49|1.1M
1.1M
685K
685K
685K| |178.62.186.233|hxxp[:]//bsodsupport.icu/ScanSecurity/|DOCS
DOCSN
DOCSN-1
XLSS
XLSSN
XLSSN-1|2019-08-16 08:17
2019-08-27 07:03
2019-08-22 08:52
2019-08-16 08:26
2019-08-28 06:39
2019-08-22 08:59|1.1M
1.1M
1.7M
697K
685K
885K| ###### We can confirm that the campaign have begin early August 2019 and reuse old tools. ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/date.png "") ## Cyber kill chain ###### The process graph resume the cyber kill chain used by the attacker. ![alt text]() ## References MITRE ATT&CK Matrix ###### List of all the references with MITRE ATT&CK Matrix |Enterprise tactics|Technics used|Ref URL| | :---------------: |:-------------| :------------- | |||| |||| |||| ## Indicators Of Compromise (IOC) ###### List of all the Indicators Of Compromise (IOC) | Indicator | Description| | ------------- |:-------------:| ||| ||Domain requested| ||IP requested| ||HTTP/HTTPS requests|| ||IP C2| ||Domain C2| ###### This can be exported as JSON format [Export in JSON]() ## Links ###### Original tweet: [https://twitter.com/Timele9527/status/1173431630171492352](https://twitter.com/Timele9527/status/1173431630171492352) ###### Links Anyrun: ###### Samples : * [86ccedaa93743e83787f53e09e376713.docx](https://app.any.run/tasks/0df3deaf-e8e9-4b23-8b64-fed49b85811f) * [d2263c15dfcccfef16ecf1c1c9304064befddf49cdbbd40abd12513481d7faf7.doc](https://app.any.run/tasks/63251738-19fb-4155-ae23-0a8d4d780682) * [01d85719c5fec354431881f304307bb5521ecf6cb50eec4d3ec40d103dd3d3ae.docx](https://app.any.run/tasks/43bb63ce-4c78-4c1c-ae1d-a85b0106d983) * [17e3a134ee4bcb50a9f608409853628ac619fd24cffd8d15868cf96ce63bb775.doc](https://app.any.run/tasks/e194a69c-9e4e-4c7b-9e73-f6b144af95e1) * [A1719.docx](https://app.any.run/tasks/524aff0c-2f82-4f03-8ad0-16928adcf1f2) * [INGOs Spending on Rohingyas.doc](https://app.any.run/tasks/411a27d8-9b47-4f87-bd06-35d813ab1457) * [Scan0012.docx](https://app.any.run/tasks/f3397ba6-f8a0-46c5-b40f-f91bdfddc5db) ###### Opendir: * [SecurityM Opendir](https://app.any.run/tasks/793250a3-e767-47a8-9042-fce7c89a0471) * [ScanSecurity Opendir](https://app.any.run/tasks/ae0325de-4aa2-40f0-8b17-1ca540cf2b9f) ###### Documents: * [UACme](https://github.com/hfiref0x/UACME)