Donot Team APT Group Is Back To Using Old Malicious Patterns

The Donot Team APT organization (APT-C-35) is an Advanced Persistent Threat (APT) group that targets organizations having a government background. The threat group is known to carry out APT attacks against Pakistan, China, and countries in South Asia. The group mainly uses malicious programs developed in C++, python, .net, and other languages. 

In addition to spreading malware via spear phishing emails with attachments containing either a vulnerability or a malicious macro, this group is particularly good at leveraging malicious Android APKs in their target attacks. These Android applications are often disguised as system tools and can be identified by scanning them through VirusTotal. In some cases, these applications may be disguised as fake apps, mobile games, and news apps. After installation, these apps perform the Trojan functions in the background. For instance, they may remotely control the victim’s system and steal confidential information from the targeted device. 

In a recent tweet, a security researcher shared the digests leading to the app. Upon analysis of the digests, researchers at Cyble found all apps leading to the application package “com.update.gooqle”, a fake app disguised as a legitimate Google update application. For further analysis, Cyble’s SaaS threat intelligence platform Cyble Vision was used to fetch more information on the application by picking one digest from among the links shared in the Tweet. 

Figure 1: Information from Cyble threat intelligence platform 

Sample digest used for our analysis: be6ceeea0ca5df85c1788ae30cf0b7e6093aa543e3963a44b24139856ef083dd 

As shown in Fig.1, the name of the sample digest is visible as “com.update.gooqle”. It is important to note that the package name is spelled “gooqle” in an attempt to pass it off as ”Google”. 

Below are the file hashes for the above digest: 

Figure 2: Information on file hashes 

As shown in the figure below, the scan result of the analyzed digest from VirusTotal reveals the application to be “A Variant of Android/Spy.Agent.AGY”, which falls under spyware, a type of malware. 

Figure 3: VirusTotal scan result 

On reviewing the static code of the digest, the malware is seen to support up to 20 remote control commands, including test operations. The remote-control commands include critical actions such as obtaining contact lists, text messages, call records, geographic locations, user files, and installed applications, etc. For these actions to be performed, the app requests the following sensitive permissions, as found in its manifest file.  

Figure 4: Sensitive permissions requested by the app 

In order to control the user’s mobile phone remotely, the malware obtains remote control command by reading a local database file. 

Figure 5: Code used by app to get control instructions 

Figure 6: Code used by app to get job details from the database 

Below are the suspicious permissions, services, and receivers found from the above application: 

Permissions: 

  • android.permission.READ_CALENDAR  
  • android.permission.PROCESS_OUTGOING_CALLS  
  • android.permission.ACCESS_COARSE_LOCATION  
  • android.permission.INTERNET  
  • android.permission.ACCESS_FINE_LOCATION  
  • android.permission.SEND_SMS  
  • android.permission.READ_CALL_LOG 
  • com.android.browser.permission.READ_HISTORY_BOOKMARKS  
  • android.permission.WRITE_EXTERNAL_STORAGE  
  • android.permission.RECORD_AUDIO  
  • android.permission.CALL_PHONE  
  • android.permission.READ_PHONE_STATE  
  • android.permission.READ_SMS  
  • android.permission.RECEIVE_SMS  
  • android.permission.READ_CONTACTS 

Services: 

  • com.jgoogle.android.gservicekns.ten.ten  
  • com.jgoogle.android.gservicekns.nine.ninere  
  • com.evernote.android.job.v21.PlatformJobService  
  • com.evernote.android.job.v14.PlatformAlarmService  
  • com.evernote.android.job.v14.PlatformAlarmServiceExact  
  • com.evernote.android.job.gcm.PlatformGcmService 
  • com.evernote.android.job.Job RescheduleService 

Receivers: 

  • com.jgoogle.android.gservicekns.onere  
  • com.jgoogle.android.gservicekns.four.fourre  
  • com.jgoogle.android.gservicekns.five.fivere  
  • com.jgoogle.android.gservicekns.twenty.twenty  
  • com.jgoogle.android.gservicekns.seven.PhonecallReceiver  
  • com.jgoogle.android.gservicekns.eight.eightre  
  • com.evernote.android.job.v14.PlatformAlarmReceiver 
  • Com.evernote.android.job.JobBootReceiver 

Using the above permissions granted from users, the following data is fetched from the devices: 

  1. The app installs an application shortcut on the screen and removes its application launcher icon to stay hidden.  

Figure 7: Code used to create app shortcut on the screen 

Figure 8Code that checks packages and removes the application launcher 

  1. Queries the device phone number and monitors outgoing and incoming phone calls 

Figure 9: Code that monitors outgoing and incoming phone calls 

  1. Creates SMS data from the protocol data unit (PDU) and monitors Incoming SMSes  

Figure 10: Code that monitors incoming text message 

  1. It also parses and Queries SMS data 

Figure 11Code that queries SMS data 

  1. Looks for the list of installed applications 

Figure 12Gets the list of installed apps and stores it in text file  

  1. The app gets the history of calls logs and call list from the user’s device 

Figure 13: Code that fetches and stores contact list and call logs in text file 

  1. Gets phone contact information and email messages from the victim device 

Figure 14Code that saves phone contacts and email messages in text file 

  1. The app also accesses Android OS build fields to evade the malware analysis system 

Figure 15: Code that gets Android build fields 

  1. Along with all the above details, the app also fetches the phone location used for geo-tracking to get the last known location. 

Figure 16: Code for location tracking 

All the data collected from the device is saved in the “corresponding text” file. In case of the old variant of this malicious filethese files are saved in the local file, while in the case of the new variant, the files are saved in the corresponding .json file and upload to the C2 link. 

Figure 17: Information fetched from the user machine stored in text files 

Upon further inspection of the Android package, we found that it communicates with the domain http://www.geoip-db.com to grab the infected device’s geolocation information and external IP address. The URL https://www.geoip-db.com/json still works; however, the root of the domain is no longer operational and directs users to a new location: http://geolocation-db.com/

Figure 18Code that fetches the geolocation information 

Safety Recommendations: 

1. Use security software on smartphones. 

2. It is recommended to download mobile applications only through reliable application markets and avoid downloading and installing through shared links. 

3. Ensure the timely upgrading of the mobile phone operating system to reduce the possibility of attackers exploiting system vulnerabilities. 

4. People concerned about the exposure of their stolen credentials in the darkweb can register at AmiBreached.com to ascertain their exposure. 

MITRE ATT&CK® Techniques– for Mobile 

Tactic Technique ID Technique Name 
Defense Evasion T1418 
T1406 
1. Application discovery 2. Obfuscated files or information  
Credential access T1412 
T1409 
1. Capture SMSes 2. Access stored application data  
Discovery T1421 
T1430 
T1418 
T1426 
1. System network connections discovery 2. Location tracking 3. Application discovery 4. System information discovery 
Collection T1432 
T1433 
T1430 
T1429 
T1507 
T1412 
T1409  
1. Access contact list 2. Access call log 3. Location tracking 4. Capture audio 5. Network information discovery 6. Capture SMSes  7. Access stored application data 
Command and Control T1573 
T1071 
1. Encrypted channel 2. Application layer protocol 
Impact T1448 Carrier billing fraud 

Indicators of Compromise (IoCs): 

IOC  IOC Type  
288ea46d1e08fd9eca3369156b4430b1 MD5 Hashes   
be6ceeea0ca5df85c1788ae30cf0b7e6093aa543e3963a44b24139856ef083dd SHA256   
android.accessibilityservice.AccessibilityService Intent by Action 
https://www.geoip-db.com/json Interesting URL 
167.99.135.134 IP address 
/data/data/com.update.gooqle/files/accounts.txt File path dropped 
/data/data/com.update.gooqle/files/contacts.txt File path dropped 
/data/data/com.update.gooqle/files/CallLogs.txt File path dropped 

About Cyble

Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the darkweb. Cyble’s prime focus is to provide organizations with real-time visibility into their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Startups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com

Leave a Comment

Your email address will not be published.

%d bloggers like this: