Attack On Maritime & Defense Manufacturing
Nov. 18, 2024, 9:03 p.m.
Description
The DONOT APT group has launched a campaign targeting Pakistan's manufacturing industry supporting the maritime and defense sectors. The attack uses a malicious LNK file disguised as an RTF document, which executes PowerShell commands to deliver a lure document and a stager malware. The malware establishes persistence through scheduled tasks, communicates with command-and-control servers over an encrypted channel, and can download additional payloads. The campaign shows an evolution in tactics, including improved encryption and payload delivery methods. The attackers collect detailed system information from victims, and the malware can self-delete if instructed. This operation demonstrates the increasing sophistication of APT campaigns and the need for enhanced cybersecurity measures.
Tags
Date
- Created: Nov. 15, 2024, 6:35 p.m.
- Published: Nov. 15, 2024, 6:35 p.m.
- Modified: Nov. 18, 2024, 9:03 p.m.
Attack Patterns
- DONOT
- T1053.005
- T1218.011
- T1059.003
- T1059.001
- T1071.001
- T1070.004
- T1105
- T1027
- T1041
- T1566
Additional Information
- Defense
- Manufacturing
- Pakistan