CYFIRMA, a cybersecurity company, has detected a cyber attack on an individual in Kashmir, India, and has linked it to DoNot APT, a group with a history of activity in the area. The attacker appears to have used third-party file-sharing websites to deliver the malware to the victim’s mobile device, where it was saved in the main download folder.
The malware was disguised as chat apps, namely Ten Messenger.apk and Link Chat QQ.apk.
The recent attack aligns with DoNot APT’s modus operandi, as the group has previously targeted entities in the South Asian region. The threat actor has carried out cyber attacks in the region since 2016, using spear-phishing against targets in various industries and locations.
However, the motive behind the recent attack is unclear.
The malicious app’s Android Manifest shows that it requests a wide range of permissions: reading and fetching call logs, contacts, and SMS messages; browsing and fetching data from the file manager; and deleting and moving files.
It can also track the device’s live location, extract the email addresses and usernames used to log in to various internet platforms, and delete numbers from the call log.
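The permission set described above is the kind of thing an analyst checks first when triaging a suspicious APK: a chat app legitimately needs contacts and network access, but has no reason to read or edit call logs or to track location in the background. The script below is an added example, not CYFIRMA's tooling or anything from the report. It parses a decoded AndroidManifest.xml (for a real sample this would come from `apktool d sample.apk`; here two manifests are constructed inline to mirror the capabilities the report lists) and flags the app when several surveillance-type permission families co-occur. The package names, the benign comparison manifest and the threshold of four families are assumptions for illustration.

```python
"""Triage helper: flag spyware-like permission combinations in an Android manifest.

Added example, not part of the CYFIRMA report. The permission identifiers are
real Android permission names; the manifests, package names and threshold are
constructed for illustration.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Each family maps to a capability the report attributes to the sample:
# call logs, contacts, SMS, file access, live location, login identifiers.
CAPABILITY_FAMILIES = {
    "call_logs": {"android.permission.READ_CALL_LOG",
                  "android.permission.WRITE_CALL_LOG"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "files": {"android.permission.READ_EXTERNAL_STORAGE",
              "android.permission.WRITE_EXTERNAL_STORAGE",
              "android.permission.MANAGE_EXTERNAL_STORAGE"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_BACKGROUND_LOCATION"},
    "accounts": {"android.permission.GET_ACCOUNTS"},
}

# Analyst judgement (assumption, not from the report): a messenger that spans
# four or more of these families looks like an implant, not a chat app.
SPYWARE_THRESHOLD = 4

# Constructed manifest modelled on the permissions the report describes.
# The package name is a placeholder; the report does not give one.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder.messenger">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.WRITE_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_BACKGROUND_LOCATION"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
</manifest>"""

# Constructed benign comparison: what an ordinary chat app typically asks for.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder.benignchat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
</manifest>"""


def requested_permissions(root: ET.Element) -> set[str]:
    """Collect every android:name from <uses-permission> elements."""
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)}


def matched_capabilities(perms: set[str]) -> dict[str, set[str]]:
    """Return only the families for which at least one permission is requested."""
    return {fam: perms & names for fam, names in CAPABILITY_FAMILIES.items() if perms & names}


def triage(manifest_xml: str) -> dict:
    """Parse a decoded manifest and decide whether its permission profile is spyware-like."""
    root = ET.fromstring(manifest_xml)
    caps = matched_capabilities(requested_permissions(root))
    return {
        "package": root.get("package"),
        "capabilities": sorted(caps),
        "suspicious": len(caps) >= SPYWARE_THRESHOLD,
    }


if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        result = triage(manifest)
        verdict = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{result['package']}: {verdict} ({', '.join(result['capabilities'])})")
```

Run against a decoded manifest from an actual sample, the same `triage()` call gives a quick first-pass verdict; the threshold and families are starting points to tune against the apps normal in the environment being defended.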
The group has been observed using the same tactics, techniques, and procedures (TTPs) for the past two years, which indicates a lack of innovation in their attacks.
They consistently focus on individuals in Kashmir, using relatively unsophisticated attack methods. The recent attack does not surprise the threat intelligence community, as the group has repeatedly targeted NGOs and other entities in Kashmir, India, Bangladesh, and Pakistan in the past.