Arbor Networks Threat Intelligence

Donot Team Leverages New Modular Malware Framework in South Asia

Authors: Dennis Schwarz and Jill Sopko

Special thanks to Richard Hummel and Hardik Modi for their contributions on this post.

Figure 1: Pakistan themed decoy document

Key Findings


In late January 2018, ASERT discovered a new modular malware framework we call “yty”. The framework shares a striking resemblance to the EHDevel framework. We believe with medium confidence that a team we call internally as “Donot Team” is responsible for the new malware and will resume targeting of South Asia.

In a likely effort to disguise the malware and its operations, the authors coded several references into the malware for football—it is unclear whether they mean American football or soccer. The theme may allow the network traffic to fly under the radar.

While we believe this framework and its components are new, it shares many Tactics, Techniques, and Procedures (TTPs) and Indicators of Compromise (IOCs) with the EHDevel malware framework. In September 2017, Bitdefender released a white paper describing EHDevel and some of the campaigns that used it. Some of the highlights of it included the following:

We assess with medium confidence that the yty framework is a replacement for the EHDevel framework and that the Donot Team may start using it in campaigns in a similar manner as EHDevel.

The evolution from EHDevel to yty shows the threat actors are continually improving and modifying their malware framework, adding to their sophistication.

Campaign Analysis

Donot Team campaigns use multiple methods to mimic legitimate applications, organizations, and services like Adobe, Gmail or news outlets. They also including seemingly benign domains that likely raise minimal suspicion to a human observer. The following domains are a few examples:

The actors use false personas to register their domains instead of opting for privacy protection services.  Depending on the registrar service chosen, this could be seen as another cost control measure.  The actors often used typo-squatting to slightly alter a legitimate domain name. In contrast, the registration information used accurate spelling, possibly indicating the domain naming was intentional, typos included. Each unique registrant usually registered only a few domains, but mistakenly reused phone numbers or the registration data portrayed a similar pattern across domains. Looking at shared IP infrastructure, it was easy to see the registration patterns and expand the network used by the attackers.

The Donot Team relies heavily on subdomains.  Nearly every domain discovered through the course of this investigation had multiple, unique subdomains and every malware sample analyzed communicated to subdomains.  In at least two instances, the domain never resolved to an IP address. Instead, the malware used subdomains, which lead to active infrastructure.

Many of the sub-domains only navigated to the third level, but other samples used overly complex subdomain structures down to the sixth or seventh level.

Looking at registration patterns and passive DNS, many of these domains resolve for as little as three days before going offline. It is possible the attackers use these small windows to test their malware operations.

Although we did not observe the original distribution of the core binary, we believe the group specifically targeted Pakistani individuals based on the decoy documents observed.  They appeared to be official Government of Pakistan memos, see Figure 1, above.


Donot Team’s TTPs, infrastructure, and the malware code are strikingly similar to the EHDevel malware reported by BitDefender and is likely the same group of operators.  Bitdefender noted that the EHDevel malware appeared similar to malware analyzed by Blue Coat Labs in their report “Snake in the Grass”.  The “Snake in the Grass” report also showed malware similarities and infrastructure overlap with Operation Hangover (also known as the Patchwork Group).  While Arbor agrees that there are suspicious similarities between the Donot Team and Patchwork, we did not uncover definitive evidence to link the two groups. Additionally, a malicious document associated with yty was tagged by Hybrid Analysis as “Viceroy Tiger”, but there hasn’t been much recent public information on this group that we could find to corroborate.

yty Malware Framework Analysis

One of the TTPs associated with the Donot Team is the use of modular/plugin-based malware frameworks. We call the new malware framework “yty” (based on debugging strings in its components). The components of the framework are shown in Figure 2:

Figure 2: yty malware components.

Circular.xls Analysis

The first piece of the framework is a malicious Excel document named “Cirular.xls” (9ce56e1403469fc74c8ff61dde4e83ad72597c66ce07bbae12fa70183687b32d). The content of the spreadsheet is an executable that is extracted and executed by macros, Figure 3.

Figure 3: Circular.xls macro script

The delivery mechanism for the XLS file is unknown, but evidence suggests it could be a test document as seen in Figure 4:

Figure 4: XLS document properties

.exe (Downloader 1) Analysis

SHA256: 8d7eb0b7251bc4a40ebc9142a59ed8af16fb11cf8168e76dca48a78d6d7e4595

Compilation Date: 2018-02-05 09:06:13

PDB Path: C:\Users\donot\Documents\Visual Studio 2010\Projects\downloader\Debug\downloader.pdb

Due to a bug in the macro code, the extracted executable is saved as “.exe”. This is a stripped down C++ program that, as its PDB path string indicates, downloads and executes another executable, then removes itself. The downloader attempts to retrieve and execute the following file (not active at the time of research):

Setup.exe (Downloader 2) Analysis

SHA256: 6bbd10ac20782542f40f78471c30c52f0619b91639840e60831dd665f9396365

Compilation Date: 2018-01-04 09:43:28

PDB Path: C:\Users\803\Desktop\ytyboth\yty 2.0\Release\Setup.pdb

Setup.exe is another downloader written in C++ but contains more functionality than the “.exe” downloader. First, it checks/creates a mutex named “toptwo” so that only one copy of itself is running on the victim.

Evasion Techniques

To confuse malware analysts, it mixes in junk code as seen in Figure 5.

Figure 5: Junk code contained in binary.

It also has some basic anti-sandbox detection that tries to detect Virtual PC, Sandboxie, and VMware (example in Figure 6):

Figure 6: VMWare check.

Debugging Code

Similar to some components in the EHDevel framework, it creates logs for debugging purposes, though the messages are not as verbose as in EHDevel’s samples, Figure 7.

Figure 7: Debugging log

Command & Control

Much like EHDevel, in order to get its C2 host, it downloads a file from Google Docs. The document in this case was located at:

At the time of research, the name of the document was “ip2.txt” and it contained the following IP address:

Per its metadata, the owner of the document is:

An example C2 beacon is show in Figure 8:

Figure 8: C2 beacon

Based on the “/football/goal”, “score”, “ball”, and “loose” strings they are using a football theme to help disguise its traffic. The POST data contains:

At the time of analysis, we only elicited a “loose” response from the C2 server. Continued execution is reliant on eliciting a “win” response. If a “win” response does not occur, the malware continues beaconing until it receives the appropriate response. Once the correct response is seen, the malware downloads the next component from the same C2 using the following URL path:

Persistence Mechanism

A secondary macro in circular.xls establishes persistence for the setup.exe download as seen in Figure 9.

Figure 9: Persistence mechanism

Unique Strings

Setup.exe introduces three common names seen in the rest of the malware framework:

boothelp.exe – Plugin Downloader

SHA256: a2e9d9a00e7e75ab1d5e96dd327a89b55608a0319461f2866aadada5bd50e728

Compilation Date: 2018-01-03 09:42:00

PDB Path: C:\Users\803\Desktop\ytyboth\yty 2.0\Release\boothelp.pdb

Another TTP used by the Donot Team is the transition from one programming language to another.  We see this with boothelp.exe, which is written in .NET–instead of C++ like the other components. boothelp.exe is a downloader responsible for retrieving modules/plugins that contain added functionality.

The plugin downloader uses the same C2 channels as setup.exe by downloading a Google Doc file which contains the C2 IP address. It then continues the football theme by beaconing to the “/football/flag” folder on the C2 server, Figure 10.

Figure 10: C2 communications to retrieve modules

Using an HTML <div> element labeled “pcinfo”—possibly displayed verbatim in the C2 panel—the malware beacon message contains various pieces of system information outlined below:

The response from the C2 is an odd string containing multiple pieces, delimited by various characters, but boils down to what plugins to download/run and their file sizes. The plugins for this framework were downloaded from the same URI path (“/football/download/2/”) where boothelp.exe was located. As of February 2018, we observed the following plugins:

These modules share functionality with components of the EHDevel framework, creating further overlap between the two malware frameworks. boothelp.exe has an interesting but unused function that takes a list of benign URLs and opens connections to them. As noted previously, we believe the actors are still testing the malware framework and it’s possible these URLs will become an anti-analysis feature to hide C2 communication among benign traffic. Some of the interesting benign URLs listed below:

vstservice.exe – File Listing Plugin

SHA256: e3fb0ab2f3d11f12c11b3ee1e1781eaec5581def820afe7e01902f31ba9e1936

Compilation Date: 2018-01-03 08:14:32

PDB Path: C:\Users\803\Desktop\ytyboth\yty 2.0\Release\vstservice.pdb

The vstservice.exe plugin is .NET file responsible for sending a list of the file system to the C2. The malware retrieves the C2 from a Google Docs file like the previous binaries. The file was located at the following location:

At the time of research, the Google Doc was named “domain.txt” and contained the following C2 host:

Per its metadata, it is owned by the same owner as the document above.

The plugin sends two file listings. The first one focuses on files with the following extensions:

The second one contains all other files. An example is shown in Figure 11.

Figure 11: C2 file list name exfiltration

The URL path for this C2 references the “bigdata” string observed in the macro persistence mechanism. Some of the POST parameters are unclear, but contain the following items:

Similar to the plugin downloader, this plugin includes an unused function that connects to benign URLs. Some of the URLs are listed below:

abode.exe – File Exfiltration Plugin

SHA256: 4d0114b1292714a13d43a4c0de3ea4498fa752354ad4f5b73a8ba441af6064ae

Compilation Date: 2018-01-03 08:14:46

PDB Path: C:\Users\803\Desktop\ytyboth\yty 2.0\Release\abode.pdb

abode.exe is a .NET file  capable of file exfiltration. It uses the same Google Doc document and C2 as the vstservice.exe plugin. Two sets of files can be exfiltrated. The first set is a periodic sending of files generated by other plugins that do not include a C2 mechanism themselves. The second set of files is specified by the C2 as seen in Figure 12.

Figure 12: C2 response specifying file for exfiltration

The “id” parameter is hardcoded and the “pc” parameter is the bot ID. The file is then sent to the C2 as seen in Figure 13.

Figure 13: File exfiltration

This plugin also includes unused, benign URLs as seen below:

mdriver.exe – Keylogger Plugin

SHA256: 600e7cfeea0ef8bd23cf95602a6b873898aa51848909aad1a7e8d4c5403797af

Compilation Date: 2018-01-03 08:14:19

PDB Path: C:\Users\803\Desktop\ytyboth\yty 2.0\Release\mdriver.pdb

This plugin is written in C++ and is a key logger. It checks/creates a mutex named “twotwo“, uses the Windows SetWindowsHookEx and SetWinEventHook APIs to perform its key logging, and then relies on abobe.exe to exfiltrate the captured key strokes. Figure 14 shows an example of exfiltrated key log data.

Figure 14: Key log exfiltration

dspcheck.exe – Screenshot Plugin

SHA256: 7d893d4f077e8e76a44a7830c5c3806dc956a6ef1a06c9f2dc33477c70f8cc9b

Compilation Date: 2018-01-09 08:33:36

PDB Path: D:\Soft\DevelopedCode\yty 2.0\Release\dspcheck.pdb

dspcheck.exe is a screenshot plugin written in .NET. This plugin also shows evidence that the actors are continuing their testing efforts as seen in Figure 15.

Figure 15: Screenshot code shows testing evidence

It has the beginnings of C2 functionality, but this sample still relies on abobe.exe to send screenshots back to the C2, see Figure 16.

Figure 16: Screenshot exfiltration

mboard.exe – System Information Plugin

Packed SHA256: 50281cdd1b22f2b85de5809bf69ebd10e399410f519e357c1cb941c5dc7c95e1

The last plugin seen in this framework was mboard.exe. It is written in Golang and is packed with UPX. The purpose of this plugin is to gather various system information such as the following:

The collected is saved into multiple files with a “qr” extension appended. They are then sent to the C2 via abobe.exe. An example showing the running process list being sent to the C2 is shown in Figure 17.

Figure 17: Running process list exfiltration

Appendix A (IOCs):

SHA256 Hashes










C2 Domains








C2 IP Addresses