- Technique: Spearphishing Attachment (T1566.001)
- Procedure: DONOT APT sent spearphishing emails carrying malicious attachments, likely exploiting Microsoft Office vulnerabilities such as CVE-2017-11882 (the Equation Editor memory-corruption bug) to deliver the initial payload. The lures were likely tailored to individuals working in Pakistan’s maritime and defense sector.
- Technique: Command and Scripting Interpreter: Windows Command Shell (T1059.003)
- Procedure: Once the exploit succeeds, the malicious attachment runs a Windows Command Shell (cmd.exe) command to launch the next stage of the attack.
- Technique: Scheduled Task/Job: Scheduled Task (T1053.005)
- Procedure: The malware creates a scheduled task named “Schedule” that runs the malicious DLL payload through rundll32.exe every 5 minutes, giving the malware persistence on the compromised system. A rundll32.exe action paired with a fixed, short repetition interval is uncommon in legitimate tasks and is a useful hunting pivot.
- Technique: Application Layer Protocol: HTTP (T1071.001)
- Procedure: The malware communicates with its command-and-control (C2) server over HTTP, using the same channel both to receive tasking and to send data back.
- Technique: Exfiltration Over C2 Channel (T1041)
- Procedure: Sensitive data collected from the victim’s system is likely exfiltrated to the attacker’s C2 server over the established HTTP channel rather than over a separate exfiltration channel.
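As an added detection example (not part of the original write-up and not DONOT tooling), the following Python parses Windows Task Scheduler XML, as exported by `schtasks /query /tn <name> /xml` or read from the task files under C:\Windows\System32\Tasks, and flags tasks that run rundll32.exe on a short repetition interval, the persistence pattern described in the scheduled-task entry above. The two task definitions, the DLL path and the benign task are constructed for illustration; the 10-minute threshold and the list of user-writable directories are assumptions of this example.

```python
"""Hunt Task Scheduler XML for rundll32.exe actions on a tight repetition."""
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Assumption: repetition at or below 10 minutes counts as "tight" beaconing-style
# persistence. The reported DONOT task repeats every 5 minutes (PT5M).
TIGHT_INTERVAL_SECONDS = 10 * 60
# Task name reported in the write-up; a weak signal on its own, so it only
# contributes a reason and never triggers an alert by itself.
KNOWN_TASK_NAMES = {"schedule"}
# Assumption: DLLs loaded from these locations deserve extra scrutiny.
USER_WRITABLE_RE = re.compile(r"\\(?:Users|ProgramData|Temp|AppData)\\", re.IGNORECASE)

_DURATION_RE = re.compile(
    r"^P(?:(?P<d>\d+)D)?(?:T(?:(?P<h>\d+)H)?(?:(?P<m>\d+)M)?(?:(?P<s>\d+)S)?)?$"
)

# Constructed sample in the shape Task Scheduler exports (real task files are
# UTF-16; read them with encoding="utf-16" before passing the text here).
SUSPICIOUS_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Schedule</URI></RegistrationInfo>
  <Triggers><TimeTrigger>
    <Repetition><Interval>PT5M</Interval></Repetition>
    <StartBoundary>2021-01-01T00:00:00</StartBoundary><Enabled>true</Enabled>
  </TimeTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>rundll32.exe</Command>
    <Arguments>C:\Users\Public\Libraries\svc.dll,Start</Arguments>
  </Exec></Actions>
</Task>"""

# Constructed benign task: a daily job with no repetition and no rundll32.
BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\ExampleBackup\Nightly</URI></RegistrationInfo>
  <Triggers><CalendarTrigger>
    <StartBoundary>2021-01-01T02:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
  </CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\Program Files\ExampleBackup\backup.exe</Command>
    <Arguments>--nightly</Arguments>
  </Exec></Actions>
</Task>"""


def parse_iso8601_duration(value):
    """Convert a Task Scheduler interval such as 'PT5M' or 'P1DT2H' to seconds."""
    match = _DURATION_RE.match(value.strip())
    if not match:
        raise ValueError(f"unrecognised duration: {value!r}")
    parts = {k: int(v or 0) for k, v in match.groupdict().items()}
    return parts["d"] * 86400 + parts["h"] * 3600 + parts["m"] * 60 + parts["s"]


def _is_rundll32(command):
    """True for 'rundll32.exe', 'rundll32' or any quoted/absolute form of it."""
    exe = command.strip().strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return exe in {"rundll32.exe", "rundll32"}


def analyze_task(xml_text):
    """Parse one task definition and return the indicators relevant to this pattern."""
    root = ET.fromstring(xml_text)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=TASK_NS)
    name = uri.rsplit("\\", 1)[-1]
    intervals = [parse_iso8601_duration(el.text)
                 for el in root.iterfind(".//t:Repetition/t:Interval", TASK_NS) if el.text]
    actions = [(ex.findtext("t:Command", default="", namespaces=TASK_NS).strip(),
                ex.findtext("t:Arguments", default="", namespaces=TASK_NS).strip())
               for ex in root.iterfind("t:Actions/t:Exec", TASK_NS)]
    report = {
        "name": name,
        "actions": actions,
        "rundll32": any(_is_rundll32(cmd) for cmd, _ in actions),
        "min_interval": min(intervals) if intervals else None,
        "name_match": name.lower() in KNOWN_TASK_NAMES,
        "writable_path": any(_is_rundll32(cmd) and bool(USER_WRITABLE_RE.search(args))
                             for cmd, args in actions),
        "reasons": [],
    }
    if report["rundll32"]:
        report["reasons"].append("action runs rundll32.exe")
    if report["writable_path"]:
        report["reasons"].append("rundll32 loads a DLL from a user-writable path")
    if report["min_interval"] is not None and report["min_interval"] <= TIGHT_INTERVAL_SECONDS:
        report["reasons"].append(f"repeats every {report['min_interval']}s")
    if report["name_match"]:
        report["reasons"].append(f"task name {name!r} matches the reported IOC")
    return report


def is_suspicious(report):
    """Alert only when a rundll32 action is paired with a tight repetition interval;
    the name alone is not enough, since 'Schedule' is a plausible benign name."""
    return (report["rundll32"] and report["min_interval"] is not None
            and report["min_interval"] <= TIGHT_INTERVAL_SECONDS)


if __name__ == "__main__":
    for label, text in (("suspicious", SUSPICIOUS_TASK_XML), ("benign", BENIGN_TASK_XML)):
        rep = analyze_task(text)
        verdict = "ALERT" if is_suspicious(rep) else "ok"
        print(f"{label}: {rep['name']} -> {verdict} {rep['reasons']}")
```

On a live host the same logic applies to Security event 4698 (task created) or to Sysmon process creation events where rundll32.exe has the Task Scheduler service as its parent; the XML check is the cheapest first pass because every registered task, enabled or not, has a definition on disk.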