DONOT APT’s Attack on Maritime & Defense Manufacturing

Subject: DONOT APT’s Attack on Maritime & Defense Manufacturing

Tactics: TA0011 Command and Control, TA0002 Execution, TA0010 Exfiltration, TA0001 Initial Access, TA0003 Persistence

Technique: T1071.001 Application Layer Protocol: Web Protocols, T1059.003 Command and Scripting Interpreter: Windows Command Shell, T1041 Exfiltration Over C2 Channel, T1566.001 Phishing: Spearphishing Attachment, T1053.005 Scheduled Task/Job: Scheduled Task

Procedure:

  • Technique: Spearphishing Attachment (T1566.001)
  • Procedure: DONOT APT used spearphishing emails with malicious attachments, likely exploiting Microsoft Office vulnerabilities (e.g., CVE-2017-11882) to deliver the initial payload. These emails were likely tailored to individuals working in Pakistan’s maritime and defense sector.
  • Technique: Command and Scripting Interpreter: Windows Command Shell (T1059.003)
  • Procedure: Upon successful exploitation of the vulnerability, the malicious attachment executes a Windows Command Shell command to launch the next stage of the attack.
  • Technique: Scheduled Task/Job: Scheduled Task (T1053.005)
  • Procedure: The malware creates a scheduled task named “Schedule” to execute the malicious DLL payload via rundll32.exe every 5 minutes. This ensures the malware’s persistence on the compromised system.
  • Technique: Application Layer Protocol: HTTP (T1071.001)
  • Procedure: The malware communicates with its command-and-control (C2) server using HTTP for receiving commands and exfiltrating data.
  • Technique: Exfiltration Over C2 Channel (T1041)
  • Procedure: Sensitive data stolen from the victim’s system is likely exfiltrated to the attacker’s C2 server over the established HTTP communication channel.

Vulnerability: EAV0001 When adversaries interact with the environment or personas, they are vulnerable when they collect, observe, or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time.

Engagement Opportunity:

  • Initial Access: Implement email security solutions to detect and block spearphishing emails, and conduct regular security awareness training for employees to recognize and avoid suspicious emails and attachments.
  • Execution: Employ application whitelisting to prevent the execution of unauthorized scripts and executables.
  • Persistence: Deploy endpoint detection and response (EDR) solutions to monitor for and block the creation of suspicious scheduled tasks.
  • Command and Control & Exfiltration: Monitor network traffic for unusual outbound connections, particularly to known malicious IP addresses or domains. Implement a web proxy to inspect and filter network traffic, potentially identifying and blocking C2 communications.
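The persistence step above (a task named "Schedule" launching a DLL through rundll32.exe every 5 minutes) and the "Scheduled Task Creation" scoring rationale further down both point to the same detection: inspect new scheduled-task definitions for the combination of a rundll32.exe action, a payload in a user-writable path, a short repetition interval and a task registered outside the Microsoft folder. The following is an added example written for this page, not code from the Cyble report or from any vendor product. It parses the Task Scheduler definition XML that a Windows Security event 4698 ("a scheduled task was created") carries, and scores each task against those indicators. The sample events, the DLL path, the task names other than "Schedule", the indicator list and the `FLAG_THRESHOLD` value are all constructed assumptions; the scoring goes slightly beyond the page by weighing several indicators rather than matching the one observed task verbatim, so a renamed task with the same behaviour is still caught.

```python
"""Score scheduled-task creation events for the rundll32 persistence pattern."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional

# Namespace used by Task Scheduler task definition XML.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
USER_WRITABLE = re.compile(r"\\(users|programdata|temp|appdata)\\", re.IGNORECASE)
FLAG_THRESHOLD = 3  # assumed: indicators needed before a task is reported

# Constructed sample events (NOT logs from the report), shaped like the two
# fields of interest in event 4698: the task name and its definition XML.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"task_name": r"\Schedule", "task_content": r"""
<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><Repetition><Interval>PT5M</Interval></Repetition>
    <Enabled>true</Enabled></TimeTrigger></Triggers>
  <Actions><Exec><Command>rundll32.exe</Command>
    <Arguments>C:\Users\Public\Libraries\PLACEHOLDER.dll,Start</Arguments></Exec></Actions>
</Task>"""},
    {"task_name": r"\Microsoft\Windows\Defrag\ScheduledDefrag", "task_content": r"""
<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><Enabled>true</Enabled></CalendarTrigger></Triggers>
  <Actions><Exec><Command>%windir%\system32\defrag.exe</Command>
    <Arguments>-c -h -o</Arguments></Exec></Actions>
</Task>"""},
    # Constructed benign look-alike: rundll32, but a System32 DLL, no repetition,
    # registered under the Microsoft folder. Only one indicator matches.
    {"task_name": r"\Microsoft\Windows\Example\DllHelper", "task_content": r"""
<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions><Exec><Command>C:\Windows\System32\rundll32.exe</Command>
    <Arguments>C:\Windows\System32\example.dll,Run</Arguments></Exec></Actions>
</Task>"""},
]


def iso8601_seconds(duration: str) -> Optional[int]:
    """Convert a Task Scheduler repetition interval such as PT5M to seconds."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", duration or "")
    if not m or not any(m.groups()):
        return None
    d, h, mi, s = (int(g) if g else 0 for g in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s


@dataclass
class Finding:
    task_name: str
    command: str
    interval_s: Optional[int]
    reasons: List[str]


def analyse_task(task_name: str, task_content: str) -> Optional[Finding]:
    """Return a Finding when enough indicators match, else None."""
    root = ET.fromstring(task_content)
    cmd = (root.findtext("t:Actions/t:Exec/t:Command", default="", namespaces=NS) or "").strip()
    args = (root.findtext("t:Actions/t:Exec/t:Arguments", default="", namespaces=NS) or "").strip()
    raw_interval = (root.findtext(".//t:Repetition/t:Interval", default="", namespaces=NS) or "").strip()
    interval = iso8601_seconds(raw_interval)

    reasons: List[str] = []
    if cmd.lower().split("\\")[-1] == "rundll32.exe":
        reasons.append("action is rundll32.exe loading a DLL")
    if USER_WRITABLE.search(args):
        reasons.append("payload lives in a user-writable directory")
    if interval is not None and interval <= 600:
        reasons.append(f"repeats every {interval}s (10 minutes or less)")
    if not task_name.lower().startswith("\\microsoft\\"):
        reasons.append("task registered outside the \\Microsoft\\ folder")

    if len(reasons) < FLAG_THRESHOLD:
        return None
    return Finding(task_name, f"{cmd} {args}".strip(), interval, reasons)


def scan(events: List[Dict[str, str]]) -> List[Finding]:
    """Run analyse_task over a batch of 4698-style records."""
    return [f for e in events if (f := analyse_task(e["task_name"], e["task_content"]))]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[!] {finding.task_name}: {finding.command}")
        for reason in finding.reasons:
            print("    -", reason)
```

Only the first sample is reported: it matches all four indicators, while the defrag task matches none and the constructed look-alike matches one. In a real deployment the `task_content` field is the TaskContent value of event 4698 (Security log, requires "Audit Other Object Access Events"), and the same analysis can be applied to the task XML files under the Windows Tasks directory during an investigation.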

Threat Actor: DONOT APT (APT-C-35)

Threat Objective:

Espionage and the theft of intellectual property related to maritime and defense technologies.

Deception Opportunity:

  • Honeypots: Set up decoy network shares or servers mimicking those used in the maritime and defense sector to attract and trap the attackers.
  • Decoy Documents: Plant decoy documents containing fabricated but plausible technical specifications or project plans related to maritime and defense projects to mislead the attackers and gather intelligence on their interests and data exfiltration methods.
  • Fake Credentials: Create fake user accounts with access to decoy systems and data to lure attackers and observe their activities.

Sensor Data Placement: User-Mode

Observable Level: Core to Some Implementations of (Sub-)Technique

Scoring Rationale:

The scoring will vary depending on the specific observable being analyzed. Here are a few examples:

  • Spearphishing Attachment:
    • Sensor Data Placement: Application (Email client)
    • Observable Level: Core to Adversary-Brought Tool (Specific characteristics of the malicious attachment)
    • Scoring Rationale: The attachment itself is specific to this campaign but may be reused in future attacks.
  • Scheduled Task Creation:
    • Sensor Data Placement: User-Mode (System logs)
    • Observable Level: Core to Some Implementations of (Sub-)Technique (Specific parameters used in the scheduled task)
    • Scoring Rationale: The specific parameters used by DONOT APT (e.g., executing a DLL with rundll32.exe, frequency of execution) make this observable relatively specific to this particular implementation of the technique.
  • C2 Communication:
    • Sensor Data Placement: Network (Firewall, IDS/IPS)
    • Observable Level: Core to Adversary-Brought Tool (C2 infrastructure)
    • Scoring Rationale: The C2 infrastructure is specific to the attacker but can change over time.

Link to Report: https://cyble.com/blog/donots-attack-on-maritime-defense-manufacturing/

Link to Report II.:

Additional Comments:

Analyzing the full attack chain provides a comprehensive understanding of DONOT APT’s tactics and techniques. By implementing a multi-layered defense strategy and utilizing deception techniques, organizations can effectively mitigate the risk posed by this sophisticated threat actor.

Possible elements: Embedded Honeytokens, Log Files Decoy

MSG (Pseudocode):
