A new hacker collective, known as the APT group DONOT, has targeted critical sectors of Pakistan’s economy, specifically the maritime and defense manufacturing industries. By leveraging advanced malware and targeted social engineering strategies, the DONOT hacker group has successfully compromised sensitive infrastructure.
As per reports by Cyble Research and Intelligence Labs (CRIL), the APT group DONOT, also known as APT-C-35, has been active since 2016 and is primarily recognized for its persistent cyber espionage activities. Historically, this hacker group has focused on government agencies, military entities, and diplomatic missions, with particular emphasis on countries in South Asia.
Its operations are characterized by a high degree of stealth, using sophisticated malware and custom-built tools to infiltrate target networks.
The Rise of APT Group DONOT
The DONOT hacker group has previously attacked organizations by exploiting vulnerabilities in government and military systems, often using phishing emails and malicious attachments as initial infection vectors. This time, however, their focus has shifted to Pakistan’s critical manufacturing sectors, which support the country’s maritime and defense industries. Given the sensitive nature of these sectors, the attack has profound implications for both economic stability and national security.
The recent cyberattack, which Cyble researchers first identified in a report, centers on a campaign targeting the manufacturing facilities that supply equipment for Pakistan’s defense and maritime sectors. This targeted approach suggests that the DONOT hacker group is not just interested in gaining general access to systems, but rather in obtaining specific industrial and military intelligence.
The initial infection vector in this campaign was a malicious LNK (shortcut) file, which was sent in a spam email disguised as a legitimate Rich Text Format (RTF) document. This LNK file was designed to appear as though it contained encrypted data, enticing the victim to open it. Once clicked, the file triggered several PowerShell commands that downloaded additional malware, including a DLL file that acted as a “stager” for further exploits.
Upon execution, the malicious LNK file activated a series of commands that used PowerShell scripts to download and decrypt further payloads. These payloads were then deployed onto the compromised system, establishing a foothold that allowed the malware to persist on the infected machine. To maintain access to the network, the malware scheduled a task to execute the payload every five minutes.
Advanced Malware and Persistence Mechanisms
The malware employed by the DONOT hacker group in this attack is highly advanced, utilizing multiple encryption techniques to avoid detection by traditional security systems. The group introduced a new method of Command and Control (C&C) server communication. The malware uses AES encryption and Base64 encoding to obfuscate its communications, making it more difficult for security software to identify malicious activity.
Once the malware established its presence, it initiated a POST request to the primary C&C server, transmitting a unique device ID to authenticate the compromised machine. If the C&C server responded positively, the malware would download further payloads, configure the system for persistence, and prepare for additional stages of the attack.
In addition to encrypting communication between the victim machine and the C&C server, the hacker group DONOT also employed random domain generation for backup C&C servers. This strategy ensures that, even if the primary server is taken down, the malware can continue to operate through secondary, dynamically generated domains.
Technical Analysis: How the Attack Unfolded
The malicious process begins with the execution of a PowerShell script hidden inside the LNK file. This script decrypts both the lure RTF file and the DLL payload using a simple XOR operation. The files are then extracted to the victim’s temporary directory. Following extraction, the malware deletes the PowerShell script and opens the lure document to further entice the victim.
The lure document itself was linked to Karachi Shipyard & Engineering Works (KS&EW), a prominent Pakistani defense contractor. This suggests that the attacker’s primary objective was to infiltrate the defense sector by exploiting industry-specific targets.
Once the DLL is executed, it initiates a process that extracts critical configuration data, including server addresses, encryption keys, and other task parameters, from an embedded JSON file. The malware then uses this information to communicate securely with the C&C server, requesting further instructions on how to proceed with the attack.
The stager malware also checks for the existence of a scheduled task named “Schedule.” If this task is absent, the malware creates it, ensuring that the malicious DLL is executed every five minutes, thereby maintaining persistence on the compromised system. This tactic is part of a broader strategy to ensure the malware continues to run undetected for as long as possible.
Random Domain Generation for Backup C&C Servers
A particularly notable feature of this attack is the use of random domain generation. The DONOT hacker group has taken extra precautions to avoid detection by generating backup domains for its C&C servers. These domains are created by concatenating words from a hardcoded array of values, followed by the selection of a random top-level domain (TLD). This dynamic method of domain generation makes it harder for cybersecurity teams to shut down the C&C infrastructure, even if some of the domains are blacklisted.
The configuration file also includes fallback server URLs that are periodically updated in response to changes in the primary C&C server’s status. This flexibility ensures that the hacker group can maintain control over compromised systems, regardless of disruptions to their communication infrastructure.
New Encryption Methods and Payload Delivery
In this campaign, the DONOT hacker group introduced a more sophisticated approach to payload delivery. Unlike previous campaigns where the decryption key was hardcoded into the configuration file, this time, the decryption key was embedded within the binary itself, making it harder for analysts to detect.
The malware’s ability to download, decrypt, and execute additional payloads represents a more advanced and nuanced approach to cyber espionage. Once the payload is successfully decrypted, the malware creates a scheduled task to execute the final payload, which could range from data exfiltration tools to additional malicious code capable of causing long-term damage to the compromised systems.
The recent cyberattack by the DONOT APT group marks a significant escalation in their tactics, using advanced methods like PowerShell exploitation, dynamic domain generation, and enhanced encryption to evade detection. This attack, targeting Pakistan’s sensitive maritime and defense sectors, highlights the growing threat posed by such sophisticated groups.
To counter this, organizations must strengthen cybersecurity defenses by deploying robust endpoint detection, conducting regular audits, and training employees to recognize phishing attempts. Proactive threat hunting and a clear incident response plan are essential to defending against future attacks. Vigilance and preparedness remain critical in mitigating the risks from advanced persistent threats like DONOT.
