Full Report
This page summarizes Zimperium's coverage of the Android malware used in Donot APT operations and the extended indicators of compromise it published. The post Zimperium's Coverage Against Android Malware in Donot APT Operations and Extended Indicators of Compromise appeared first on Zimperium.
Analysis Summary
# Threat Actor: Donot APT
## Attribution & Identity
The threat actor is identified as the **Donot Advanced Persistent Threat (APT) group**. The attribution rests on a recent CYFIRMA publication; Zimperium has extended the published indicators of compromise (IOCs).
## Activity Summary
Donot APT is currently running an **Android malware campaign** that distributes spyware through malicious applications and domains to steal sensitive user information and gain unauthorized access to mobile devices. The campaign relies on custom-built malware and may abuse legitimate services to evade detection.
## Tactics, Techniques & Procedures
- Distribution of **malicious Android applications** used as droppers/loaders.
- Use of **malicious domains** for communication or distribution.
- Employment of **custom-built malware** (spyware).
- Techniques aimed at **avoiding detection** (e.g., abuse of legitimate services for hosting or communication).
- Capabilities include **stealing sensitive user information**.
- Gaining **unauthorized access** to devices.
## Targeting
- Sectors: **Not stated in the summary.** Because the objective is sensitive user data, targeting is inferred to span the general Android user base and possibly the high-value sectors APT groups habitually pursue, but no sector is named.
- Geography: **Not stated in the summary.**
- Victims: **Entities affected by the Android malware campaign; no specific organizations are named in this summary context.**
## Tools & Infrastructure
- Malware families used: **Sophisticated Android spyware (specific malware names beyond "spyware" were not provided in this excerpt).**
- Infrastructure (C2, domains, IPs):
- Use of **malicious domains** for distribution/C2.
- Extended IOCs have been shared by the reporting parties, including samples available in the Zimperium GitHub repository (link truncated; the individual IOCs were not parsed into this summary).
## Implications
Donot APT poses a significant threat via the mobile vector, targeting Android devices with custom malware built for comprehensive data exfiltration and device compromise. Its investment in custom tooling suggests long-term espionage objectives.
## Mitigations
- Employ **Mobile Threat Defense (MTD)** solutions capable of providing **zero-day protection** against novel Android malware samples.
- Implement measures to detect and block communication associated with **malicious domains**.
- Exercise caution regarding the installation of applications from untrusted sources.
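The second mitigation above, blocking communication with malicious domains, is only as good as the matching logic that consumes the published IOCs. The script below is an added example, not Zimperium's or CYFIRMA's code: it parses a hypothetical "type,value" IOC feed, matches DNS query logs against the domain indicators on label boundaries (so a look-alike such as `notupdate-service.example` does not match `update-service.example`, while `api.update-service.example.` does), and checks a file's SHA-256 against the hash indicators. The feed contents, log lines, and "sample" bytes are constructed for the example and are not real Donot indicators; the feed format is an assumption to adapt to whatever layout the repository actually uses.

```python
"""Match DNS query logs and file hashes against an IOC feed.

Added illustration only: the feed, the log lines, and the "sample" bytes below
are constructed for this example and are not Donot APT indicators.
"""
import hashlib
import re
from dataclasses import dataclass, field

# Constructed stand-in for an Android sample: hashing it gives a value we can
# list in the feed so the hash-matching path is exercised end to end.
SAMPLE_APK = b"PK\x03\x04 constructed bytes, not a real APK"
SAMPLE_APK_SHA256 = hashlib.sha256(SAMPLE_APK).hexdigest()

# Constructed IOC feed in a plain "type,value" CSV shape (hypothetical format;
# adapt the parser to the layout of the feed you actually pull).
IOC_FEED = f"""\
# type,value
domain,update-service.example
domain,CDN.mail-sync.example.
sha256,{SAMPLE_APK_SHA256}
"""

# Constructed resolver log lines: "<timestamp> <client> <qtype> <qname>".
DNS_LOG = """\
2024-05-01T10:00:01Z 10.0.0.12 A api.update-service.example.
2024-05-01T10:00:02Z 10.0.0.12 A www.example.com.
2024-05-01T10:00:03Z 10.0.0.25 AAAA CDN.Mail-Sync.Example
2024-05-01T10:00:04Z 10.0.0.30 A notupdate-service.example.
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


@dataclass
class IocSet:
    domains: set = field(default_factory=set)
    hashes: set = field(default_factory=set)


def normalize_domain(name: str) -> str:
    """Lower-case and drop the trailing dot so feed and log spellings agree."""
    return name.strip().lower().rstrip(".")


def parse_ioc_feed(text: str) -> IocSet:
    """Read 'type,value' lines; comments and blank lines are skipped."""
    iocs = IocSet()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, _, value = line.partition(",")
        if kind == "domain":
            iocs.domains.add(normalize_domain(value))
        elif kind == "sha256":
            iocs.hashes.add(value.strip().lower())
    return iocs


def domain_matches(qname: str, ioc_domains: set):
    """Return the IOC domain that qname equals or is a subdomain of, else None.

    Matching is done on label boundaries, so "notupdate-service.example" does
    not match the IOC "update-service.example" (a plain substring test would).
    """
    labels = normalize_domain(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in ioc_domains:
            return candidate
    return None


def scan_dns_log(lines, iocs: IocSet):
    """Return (timestamp, client, normalized qname, matched IOC) per hit."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, client, _qtype, qname = m.groups()
        matched = domain_matches(qname, iocs.domains)
        if matched:
            hits.append((ts, client, normalize_domain(qname), matched))
    return hits


def hash_matches(data: bytes, iocs: IocSet) -> bool:
    """True when the SHA-256 of data appears in the feed's hash indicators."""
    return hashlib.sha256(data).hexdigest() in iocs.hashes


if __name__ == "__main__":
    iocs = parse_ioc_feed(IOC_FEED)
    for ts, client, qname, ioc in scan_dns_log(DNS_LOG.splitlines(), iocs):
        print(f"{ts} {client} queried {qname} (IOC: {ioc})")
    print("sample hash matches feed:", hash_matches(SAMPLE_APK, iocs))
```

Normalizing both sides (case, trailing dot) before comparison matters in practice: resolver logs and IOC exports rarely agree on spelling, and a raw string compare silently misses hits. Label-boundary matching, rather than substring matching, keeps the block list from catching unrelated domains that merely contain an indicator as a suffix of a longer label.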