yty

Malware updated 7 months ago (2024-05-04T18:19:10.370Z)
In late January 2018, ASERT (NETSCOUT Arbor) discovered a new modular malware framework known as "yty". It is attributed to the Donot Team, a group known for its use of modular, plugin-based malware frameworks. The yty plugins focus on file collection, screenshots and keylogging, so the framework's primary function is data theft. It was also linked to a document that Hybrid Analysis tagged as "Viceroy Tiger", although little recent public information corroborates that connection.

The yty framework appears to be an evolution of EHDevel, suggesting that the operators continually refine and extend their tooling. Note, however, that Unit 42's preliminary binary diffing of many BackConfig executables found no non-library function overlaps, implying that the BackConfig payloads are not based on the yty or EHDevel frameworks.

Three names recur across the framework's components: "yty" from the PDB path string, "bigdata" from the schtasks /tn (task name) parameter used in the persistence mechanism, and "setup.exe" among the framework's unique strings. These are useful triage pivots, with the caveat that "setup.exe" on its own is far too common to act on.

Donot Team has been observed deploying two distinct attack chains: one delivering the known Agent K11 framework and another delivering the RTY framework, a successor of YTY AES. More broadly, the India-aligned groups SideWinder and Donot Team continue to target governmental institutions in South Asia; SideWinder has also targeted the education sector in China, while Donot Team continues to develop the yty framework and also deploys the commercially available Remcos RAT.
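The three strings named above (a PDB path containing "yty", a schtasks /tn task name of "bigdata", and "setup.exe") are the only yty artifacts this entry gives, so the natural first check is a triage scan for them over a dropped file or over process-creation command lines from endpoint logs. The script below is an added example written for this page, not ASERT's or Donot Team's code; the regexes, the function names and the sample inputs are all constructed here and are not real yty artifacts. It matches the strings in both narrow (ASCII) and wide (UTF-16LE) form, since Windows samples commonly store command lines as wide strings.

```python
import re

# Indicators named in the description: "yty" in the PDB path, "bigdata" as
# the schtasks /tn task name, and the string "setup.exe". Patterns are
# assumptions made for this example, not published yty signatures.
PDB_RE = re.compile(rb'[A-Za-z]:\\[^\x00\r\n]*?\.pdb', re.IGNORECASE)
SCHTASKS_TN_RE = re.compile(
    rb'schtasks(?:\.exe)?"?\s+(?:\S+\s+)*?/tn\s+"?([^\s"]+)"?', re.IGNORECASE)
SETUP_RE = re.compile(rb'setup\.exe', re.IGNORECASE)


def _views(data: bytes):
    """Yield the buffer as-is, then with UTF-16LE strings collapsed to narrow
    ones (a NUL directly after a printable ASCII byte is dropped), so that
    indicators stored as wide strings are matched too."""
    yield data
    narrow = re.sub(rb'(?<=[\x20-\x7e])\x00', b'', data)
    if narrow != data:
        yield narrow


def match_yty_indicators(data: bytes) -> dict:
    """Return the indicators found in `data` (file bytes or a log line).

    Keys: 'pdb_yty' (PDB path containing 'yty'), 'schtasks_bigdata'
    (schtasks command line whose /tn value is 'bigdata'), 'setup_exe'.
    Values are the matched text, decoded for readability.
    """
    found = {}
    for view in _views(data):
        for m in PDB_RE.finditer(view):
            path = m.group(0)
            if b'yty' in path.lower():
                found.setdefault('pdb_yty', path.decode('ascii', 'replace'))
        for m in SCHTASKS_TN_RE.finditer(view):
            if m.group(1).lower() == b'bigdata':
                found.setdefault('schtasks_bigdata',
                                 m.group(0).decode('ascii', 'replace'))
        m = SETUP_RE.search(view)
        if m:
            found.setdefault('setup_exe', m.group(0).decode('ascii'))
    return found


def verdict(found: dict) -> str:
    """'review' only on the specific indicators; 'setup.exe' alone is too
    generic to flag anything."""
    if 'pdb_yty' in found or 'schtasks_bigdata' in found:
        return 'review'
    return 'no yty indicators'


# Constructed samples (not real yty artifacts): a fake PE-like blob holding a
# wide-string scheduled-task command and a narrow PDB path, a Sysmon-style
# process-creation line, and a benign scheduled-task command line.
SAMPLE_BINARY = (
    b'MZ\x90\x00' + b'\x00' * 16
    + 'schtasks /create /sc minute /mo 5 /tn bigdata '
      '/tr C:\\ProgramData\\setup.exe'.encode('utf-16-le')
    + b'\x00' * 8
    + b'C:\\build\\yty\\Release\\yty.pdb\x00'
)
SAMPLE_LOG_LINE = (b'CommandLine: "C:\\Windows\\System32\\schtasks.exe" /create '
                   b'/tn "bigdata" /tr "C:\\Users\\Public\\setup.exe" /sc minute')
SAMPLE_CLEAN = (b'schtasks /create /tn OneDriveUpdate '
                b'/tr "C:\\Program Files\\OneDrive\\updater.exe"')

if __name__ == '__main__':
    for label, sample in (('binary', SAMPLE_BINARY),
                          ('log line', SAMPLE_LOG_LINE),
                          ('clean', SAMPLE_CLEAN)):
        hits = match_yty_indicators(sample)
        print(f'{label}: {verdict(hits)} {hits}')
```

Run it against a file with `match_yty_indicators(open(path, 'rb').read())`, or feed it each CommandLine field from process-creation events. Treat a hit on the PDB path or the "bigdata" task name as a reason to pull the sample for proper analysis, not as attribution: the strings are pivots, and a task name can be reused by unrelated software.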
Description last updated: 2024-05-04T17:44:36.551Z
Aliases: We are not currently tracking any aliases.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance: RAT, Remcos
Associated Threat Actors
Alias: SideWinder
Description: The SideWinder threat actor is associated with yty. SideWinder, a threat actor with a history of malicious activities dating back to 2012, has been linked to a series of sophisticated cyber threats targeting maritime facilities in multiple countries and government officials in Nepal. The group, believed to have South Asian origins, is known for its u…
Association Type: Unspecified
Votes: 2