The Hacker News reports that improvements have been introduced by the DoNot Team operation, also known as Viceroy Tiger and APT-C-35, to its Jaca Windows malware toolkit, including a new stealer module for exfiltrating browser-stored data.
Numerous versions of DoNot Team's yty malware framework, including Jaca, have been found in the group's attacks against South Asian military entities, with the operation leveraging RTF documents to facilitate shellcode piece execution that eventually leads to a second-stage shellcode download from its command-and-control server, according to a Morphisec report. A DLL file is then retrieved by the second-stage from a separate remote server prior to the commencement of the infection.
The report also showed that updated Jaca modules have enabled exfiltration of web browser-stored information, files, screenshots, and keystrokes.
"Defending against APTs like the DoNot Team requires a Defense-in-Depth strategy that uses multiple layers of security to ensure redundancy if any given layers are breached," added researchers.
