# Donot Team APT Group Is Back To Using Old Malicious Patterns **cybleinc.com/2021/04/21/donot-team-apt-group-is-back-to-using-old-malicious-patterns/** The Donot Team APT organization (APT-C-35) is an Advanced Persistent Threat (APT) group that targets organizations having a government background. The threat group is known to carry out APT attacks against Pakistan, China, and countries in South Asia. The group mainly uses malicious programs developed in C++, python, .net, and other languages. April 21, 2021 In addition to spreading malware via spear phishing emails with attachments containing either a vulnerability or a malicious macro, this group is particularly good at leveraging malicious Android APKs in their target attacks. These Android applications are often disguised as system tools and can be identified by scanning them through VirusTotal. In some cases, these applications may be disguised as fake apps, mobile games, and news apps. After installation, these apps perform the Trojan functions in the background. For instance, they may remotely control the victim’s system and steal confidential information from the targeted device. In a recent [tweet, a security researcher shared the digests leading to the app. Upon analysis of the digests, researchers at Cyble found](https://twitter.com/bl4ckh0l3z/status/1384062821034459138) all apps leading to the application package “com.update.gooqle”, a fake app disguised as a legitimate Google update application. For further analysis, Cyble’s SaaS threat intelligence platform Cyble Vision was used to fetch more information on the application by picking one [digest from among the links shared in the Tweet.](https://pastebin.com/raw/syZnsZkc) _Figure 1: Information from Cyblethreat intelligence platform_ Sample digest used for our analysis: be6ceeea0ca5df85c1788ae30cf0b7e6093aa543e3963a44b24139856ef083dd As shown in Fig.1, the name of the sample digest is visible as “com.update.gooqle”. It is important to note that the package name is spelled “gooqle” in an attempt to pass it off as ”Google”. Below are the file hashes for the above digest: ----- _Figure 2: Information on file hashes_ As shown in the figure below, the scan result of the analyzed digest from VirusTotal reveals the application to be “A Variant of Android/Spy.Agent.AGY”, which falls under spyware, a type of malware. _Figure 3:VirusTotalscan result_ On reviewing the static code of the digest, the malware is seen to support up to 20 remote control commands, including test operations. The remote-control commands include critical actions such as obtaining contact lists, text messages, call records, geographic locations, user files, and installed applications, etc. For these actions to be performed, the app requests the following sensitive permissions, as found in its manifest file. ----- _Figure 4: Sensitive permissions requested by the app_ In order to control the user’s mobile phone remotely, the malware obtains remote control command by reading a local database file. _Figure 5:Code used by app to get control instructions_ _Figure 6:Code used by app to get job details from the database_ Below are the suspicious permissions, services, and receivers found from the above application: ----- **e** **ss o s** android.permission.READ_CALENDAR android.permission.PROCESS_OUTGOING_CALLS android.permission.ACCESS_COARSE_LOCATION android.permission.INTERNET android.permission.ACCESS_FINE_LOCATION android.permission.SEND_SMS android.permission.READ_CALL_LOG com.android.browser.permission.READ_HISTORY_BOOKMARKS android.permission.WRITE_EXTERNAL_STORAGE android.permission.RECORD_AUDIO android.permission.CALL_PHONE android.permission.READ_PHONE_STATE android.permission.READ_SMS android.permission.RECEIVE_SMS android.permission.READ_CONTACTS **Services:** com.jgoogle.android.gservicekns.ten.ten com.jgoogle.android.gservicekns.nine.ninere com.evernote.android.job.v21.PlatformJobService com.evernote.android.job.v14.PlatformAlarmService com.evernote.android.job.v14.PlatformAlarmServiceExact com.evernote.android.job.gcm.PlatformGcmService com.evernote.android.job.Job RescheduleService **Receivers:** com.jgoogle.android.gservicekns.onere com.jgoogle.android.gservicekns.four.fourre com.jgoogle.android.gservicekns.five.fivere com.jgoogle.android.gservicekns.twenty.twenty com.jgoogle.android.gservicekns.seven.PhonecallReceiver com.jgoogle.android.gservicekns.eight.eightre com.evernote.android.job.v14.PlatformAlarmReceiver Com.evernote.android.job.JobBootReceiver Using the above permissions granted from users, the following data is fetched from the devices: 1. The app installs an application shortcut on the screen and removes its application launcher icon to stay hidden. _Figure 7: Code used to create app shortcut on the screen_ ----- _Figure 8: Code that checks packages and removes the application launcher_ 1. Queries the device phone number and monitors outgoing and incoming phone calls _Figure 9:Code that monitors outgoing and incoming phone calls_ 1. Creates SMS data from the protocol data unit (PDU) and monitors Incoming SMSes ----- _Figure 10:Code that monitors incoming text message_ 1. It also parses and Queries SMS data _Figure 11: Code that queries SMS data_ 1. Looks for the list of installed applications ----- _Figure 12: Gets the list of installed apps and stores it in text file_ 1. The app gets the history of calls logs and call list from the user’s device _Figure 13:Code that fetches and stores contact list and call logs in text file_ 1. Gets phone contact information and email messages from the victim device ----- _Figure 14: Code that saves phone contacts and email messages in text file_ 1. The app also accesses Android OS build fields to evade the malware analysis system _Figure 15:Code that gets Android build fields_ 1. Along with all the above details, the app also fetches the phone location used for geo-tracking to get the last known location. ----- _Figure 16:Code for location tracking_ All the data collected from the device is saved in the “corresponding text” file. In case of the old variant of this malicious file, these files are saved in the local file, while in the case of the new variant, the files are saved in the corresponding .json file and upload to the C2 link. _Figure 17: Information fetched from the user machine stored in text files_ [Upon further inspection of the Android package, we found that it communicates with the domain http://www.geoip-db.com to grab the](http://www.geoip-db.com/) [infected device’s geolocation information and external IP address. The URL https://www.geoip-db.com/json still works; however, the root of the](https://www.geoip-db.com/json) [domain is no longer operational and directs users to a new location: http://geolocation-db.com/.](http://geolocation-db.com/) ----- _Figure 18: Code that fetches the geolocation information_ **SafetyRecommendations:** 1. Use security software on smartphones. 2. It is recommended to download mobile applications only through reliable application markets and avoid downloading and installing through shared links. 3. Ensure the timely upgrading of the mobile phone operating system to reduce the possibility of attackers exploiting system vulnerabilities. 4. People concerned about the exposure of their stolen credentials in the darkweb can register at AmiBreached.com to ascertain their exposure. **MITRE ATT&CK® Techniques– for Mobile** **Tactic** **Technique** **ID** Defense Evasion [T1418](https://attack.mitre.org/techniques/T1418/) [T1406](https://attack.mitre.org/techniques/T1406/) **Technique Name** 1. Application discovery 2. Obfuscated files or information 1. Capture SMSes 2. Access stored application data 1. System network connections discovery 2. Location tracking 3. Application discovery 4. System information dis 1. Access contact list 2. Access call log 3. Location tracking 4. Capture audio 5. Network information discovery 6 Credential access [T1412](https://attack.mitre.org/techniques/T1412/) [T1409](https://attack.mitre.org/techniques/T1409/) Discovery [T1421](https://attack.mitre.org/techniques/T1421) [T1430](https://attack.mitre.org/techniques/T1430/) [T1418](https://attack.mitre.org/techniques/T1418/) [T1426](https://attack.mitre.org/techniques/T1426/) Collection [T1432](https://attack.mitre.org/techniques/T1432/) [T1433](https://attack.mitre.org/techniques/T1433/) [T1430](https://attack.mitre.org/techniques/T1430/) [T1429](https://attack.mitre.org/techniques/T1429/) [T1507](https://attack.mitre.org/techniques/T1507/) [T1412](https://attack.mitre.org/techniques/T1412/) [T1409](https://attack.mitre.org/techniques/T1409/) ----- Command and Control [T1573](https://attack.mitre.org/techniques/T1573/) [T1071](https://attack.mitre.org/techniques/T1071/) 1. Encrypted channel 2. Application layer protocol Impact [T1448](https://attack.mitre.org/techniques/T1448/) Carrier billing fraud **Indicators of Compromise (IoCs):** **IOC** **IOC Type** 288ea46d1e08fd9eca3369156b4430b1 MD5 Hashes be6ceeea0ca5df85c1788ae30cf0b7e6093aa543e3963a44b24139856ef083dd SHA256 android.accessibilityservice.AccessibilityService Intent by Action [https://www.geoip-db.com/json ](https://www.geoip-db.com/json ) Interesting URL 167.99.135.134 IP address /data/data/com.update.gooqle/files/accounts.txt File path dropped /data/data/com.update.gooqle/files/contacts.txt File path dropped /data/data/com.update.gooqle/files/CallLogs.txt File path dropped **About Cyble** [Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in](https://cyble.com/) the darkweb. Cyble’s prime focus is to provide organizations with real-time visibility into their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Startups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more [about Cyble, visit www.cyble.com.](http://www.cyble.com/) -----