Kaspersky Lab Reveals Activities of Donot Team Group
Kaspersky Lab experts have uncovered the activities of the Donot Team group, including its use of a new .NET-based backdoor called Firebird. So far the backdoor has been observed on only a small number of victims in Pakistan and Afghanistan.
During the investigation the researchers also found a loader named CSVtyrei that was part of the attack chain. Some of the code in the samples turned out to be non-functional, which suggests the loader is still under development.
According to the experts, CSVtyrei appears to be an updated version of Vtyrei (also known as Breezesugar), a loader the group previously delivered through its RTY framework, itself the successor to the YTY framework. YTY lets the attackers collect a range of data from the victim's device: files with specific extensions, captured keystrokes, the list of running processes and screenshots.
Donot Team, also tracked as APT-C-35, Origami Elephant and SECTOR02, is believed to originate from India and has been active since 2016. The group relies on targeted spear-phishing emails and fake Android applications to deliver its malware. In October 2021 the human rights organization Amnesty International uncovered certificates linking the group's infrastructure to Indian information security companies.