APT-C-35 (Donot), also known as Donot, is an overseas APT organization originating from South Asia that primarily focuses on conducting cyber espionage activities against government organizations in Pakistan and surrounding countries in order to steal sensitive information. The organization’s attack activities can be traced back to 2016, and in recent years the organization has become more active and has continuously been tracked and disclosed by several domestic and foreign security teams.

Recently, 360 Advanced Threat Research Institute has repeatedly discovered APT-C-35 (Donot) organization’s attack activities during its daily threat hunting activities. In this round of attack operations, the organization continues to use macro documents as malicious carriers, releasing malicious payloads and executing them, loading remote control modules through multi-layer downloading, and achieving secret theft. Throughout the process, the malicious code is digitally signed with information.

  1. Attack Activity Analysis

The recent attack process of the organization is roughly as follows:

APT-C-35 (Donot) organization uses PPT or XLS documents as attack carriers. When the victim opens the malicious document, it immediately releases a compressed file and batch file and creates three scheduled tasks. Among them, the Tls_SSL task plan runs the batch file every 4 minutes, which mainly serves to unzip the released compressed file to obtain the malicious executable file comd.exe, and deletes the Tls_SSL plan task. The My_Drive schedule task runs comd.exe on a regular basis. Comd.exe is responsible for continuing to download the next stage of payloads and downloading a batch script as the startup item for the Pls_SSL schedule task, thereby starting the downloaded payload. The payload…

Once comd.exe is started, it checks for the presence of the payloads on the system. If the payloads are not present, it downloads them from a remote server and saves them to a specified location on the local system. This process is repeated on a regular basis to ensure that the most up-to-date version of the payload is available.

The batch script, which is downloaded as a startup item for the Pls_SSL schedule task, is used to execute the payload. This script contains instructions for executing the payload, such as setting environment variables, specifying the location of the payload files, and executing the payload itself.

It is important to note that the payloads and the batch script can be updated at any time by the attacker, so it is possible for the functionality of the payload to change at any time. This makes it difficult to detect and remove the malicious software once it is installed on a system.

In conclusion, the My_Drive schedule task and comd.exe play a critical role in the deployment and execution of the malicious payload on a system. To protect against these types of attacks, it is important to keep your software and security systems up to date, as well as to exercise caution when downloading and installing files from untrusted sources.