External Threat Management Labs

An Indicator From Twitter Brings The Donot Android Espionage Group Back Into Focus

The Donot APT group (APT-C-35) is an espionage group that focuses its attacks on Pakistan and other South Asian government agencies. One of their hallmarks has been using customized malicious Android APKs to spy on their targets of interest and steal sensitive information. Not much has been released about the group recently, but a recent investigation by RiskIQ has uncovered large swaths of its existing and past mobile C2 infrastructure. These attackers are constantly redeveloping and redeploying tools even though their activity levels may appear to taper off.

Donot has kept mostly quiet for the past year with hardly any new open-source intelligence on them published by the security community. However, on May 31 and then again on June 1, two new malware samples linked to the group surfaced on Twitter. These samples were all RiskIQ needed to leverage our Internet Intelligence Graph to build an update around this well-known APT's most recent activity and malware distribution framework. 

Intelligence Graph Connections ‘Donot’ Lie

From just one malware sample, RiskIQ began an investigative journey that linked both historical and present infrastructure. We ultimately uncovered forty additional domains, thirty-three IP addresses, and fifty-seven related malware samples.

RiskIQ started our analysis with a closer look at one of Donot’s mobile malware distribution sites. After discovering some unique patterns in the HTML on the distribution site, we could link several other IP addresses to the group. This, in turn, led RiskIQ to determine several additional domains built upon further using our PDNS data. RiskIQ now had a handful of domains and IP addresses that we were confident related to Donot's Android operations.  RiskIQ received some additional confirmation after finding several of the indicators in an alert issued by the government of Pakistan.

The Infrastructure Chaining Continues

A title in the HTML source from our initial port scan appeared in two other IP addresses at the time. Four new domains, similarly structured to the others, resolved to these IPs. We then used the PassiveTotal API to build out resolutions for these two IP Addresses and four domains and identified several additional connected subdomains and IP addresses.

We confirmed that we were still following viable leads based on other known Donot Android malware samples, which communicated with these domains. 

Donot Gets Better at Evading Antivirus (AV)

RiskIQ found a more recent malware sample served from the newly-surfaced URLs. It appeared that Donot finally made some long-overdue code updates—the majority of previously plaintext strings were now Base64 encoded. However, the network callback was still stored visibly in plain-text interspersed among the various encoded encryption keys and other sensitive values. 

RiskIQ identified a handful of samples where the C2 information was encoded. In the full investigation, we included a Python script that should help you surface these with only slight modifications.

A Cookie Mini Adventure

RiskIQ uncovered a newer malware sample communicating with the domain newbulb.xyz. This domain is still active and currently resolving to The PassiveTotal platform captured an interesting cookie associated with the server response data that was highly unique and named "geopush_cookie." 

Based on this unique cookie value, RiskIQ assessed that another large batch of domains and IP addresses was connected to Donot's mobile operations with high confidence. Six of these were still active at the time of writing and can be identified with a Shodan query included in the full report. 

A Key Donot Tactic

Upon more in-depth inspection of the Android packages, most of them communicated to the domain www.geoip-db.com to grab geolocation information and the infected device's external IP address. This appears to be a relatively unique identifier, and only a small handful of malicious APKs use this technique instead of relying on other internal Android functions to retrieve the same information.

What's It Mean?

Similarities between campaigns are an observable behavior for threat analysts tracking them. Threat actors can reuse the same tactics, malware, and even infrastructure to achieve their objectives. It's important to bear that in mind when clustering activity sets together. Starting with the unique data sets in RiskIQ PassiveTotal built upon RiskIQ's Internet Intelligence Graph, analysts can quickly enumerate infrastructure related to seemingly disparate campaigns to paint a vivid picture of the threat landscape targeting their organization. 

To read the full report and explore the IOCs' comprehensive list, visit the Threat Intelligence Portal in RiskIQ PassiveTotal. Sign up with a corporate email address for a free month of enterprise access. 

Subscribe to Our Newsletter

Subscribe to the RiskIQ newsletter to stay up-to-date on our latest content, headlines, research, events, and more.

Base Editor