In late January 2018, ASERT discovered a new modular malware framework known as "yty" and attributed it to the Donot Team, a group known for its use of modular, plugin-based malware frameworks. The yty plugins concentrate on file collection, screenshots and keylogging, indicating that the framework's primary purpose is data theft. ASERT also linked it to a document tagged by Hybrid Analysis as "Viceroy Tiger", although little recent public information corroborates that connection.
The yty framework appears to be an evolution of EHDevel, which suggests that the threat actors keep improving and modifying their tooling. Unit 42's preliminary binary diffing of many BackConfig executables, however, found no non-library function overlap, implying that those payloads are not based on the yty or EHDevel frameworks. Three names recur across the yty samples and give the framework its labels: "yty" from the PDB path string, "bigdata" from the schtasks /tn (task name) parameter used by the persistence mechanism, and "setup.exe" among the unique strings.
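As an added triage example (not code from the ASERT report or from the yty framework itself), the following Python checks a binary or memory dump for the three recurring names above: it parses CodeView RSDS debug records to recover the PDB path, extracts ASCII and UTF-16LE strings to find schtasks command lines and their /tn task names, and reports which indicators matched. The embedded SAMPLE is constructed for the demonstration; its PDB path and schtasks command line are invented and do not come from a real yty sample.

```python
import re
import struct
from dataclasses import dataclass

# Indicators named in the ASERT yty write-up. The task name is compared exactly;
# "yty" is only matched inside a PDB path because a three-letter token would
# otherwise be far too weak to act on.
YTY_PDB_TOKEN = "yty"
YTY_TASK_NAME = "bigdata"
YTY_DROPPER_NAME = "setup.exe"

# schtasks ... /tn <name> ...   (quotes around the name are optional)
_SCHTASKS_TN = re.compile(r'schtasks\b.*?/tn\s+"?([^\s"]+)', re.IGNORECASE)


def extract_pdb_paths(data: bytes) -> list[str]:
    """PDB paths from CodeView RSDS debug records found anywhere in the blob.

    Record layout: b'RSDS' | 16-byte GUID | 4-byte age | NUL-terminated path.
    Scanning for the signature instead of walking the PE debug directory keeps
    this usable on memory dumps and on samples with damaged headers.
    """
    paths = []
    for m in re.finditer(rb"RSDS", data):
        start = m.end() + 16 + 4          # skip GUID and age
        end = data.find(b"\x00", start)
        if end <= start:
            continue
        try:
            paths.append(data[start:end].decode("ascii"))
        except UnicodeDecodeError:
            continue                       # just the 4 bytes, not a real record
    return paths


def printable_strings(data: bytes, min_len: int = 6) -> list[str]:
    """ASCII and UTF-16LE string runs, much like `strings -a` plus `strings -e l`."""
    narrow = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)
    wide = [r[::2] for r in re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)]
    return [s.decode("ascii") for s in narrow + wide]


def extract_schtasks_names(data: bytes) -> list[str]:
    """Task names passed to schtasks /tn in any embedded command line."""
    return [m.group(1) for s in printable_strings(data) for m in _SCHTASKS_TN.finditer(s)]


@dataclass
class Triage:
    pdb_paths: list[str]
    task_names: list[str]
    strings: list[str]

    def matched(self) -> list[str]:
        """Which of the three yty names were found, as short labels."""
        hits = []
        if any(YTY_PDB_TOKEN in p.lower() for p in self.pdb_paths):
            hits.append("pdb:" + YTY_PDB_TOKEN)
        if any(t.lower() == YTY_TASK_NAME for t in self.task_names):
            hits.append("schtasks:" + YTY_TASK_NAME)
        if any(YTY_DROPPER_NAME in s.lower() for s in self.strings):
            hits.append("string:" + YTY_DROPPER_NAME)
        return hits


def triage(data: bytes) -> Triage:
    return Triage(extract_pdb_paths(data), extract_schtasks_names(data), printable_strings(data))


# Constructed stand-in for a sample: a fake MZ stub, an RSDS record with an
# invented PDB path, and an invented schtasks persistence command stored as
# UTF-16LE the way a Windows binary would hold it. None of these bytes come
# from a real yty sample.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"RSDS" + bytes(range(16)) + struct.pack("<I", 1)
    + b"C:\\dev\\yty\\Release\\yty.pdb\x00" + b"\x00" * 16
    + "schtasks /create /sc minute /mo 5 /tn bigdata "
      "/tr C:\\ProgramData\\setup.exe".encode("utf-16le") + b"\x00\x00"
)

if __name__ == "__main__":
    t = triage(SAMPLE)
    print("PDB paths:", t.pdb_paths)
    print("schtasks /tn:", t.task_names)
    print("matched indicators:", t.matched())
```

The UTF-16LE pass matters in practice: command lines built with the wide Win32 APIs never show up in a plain ASCII `strings` run, and the "bigdata" task name would be missed. Treat a single hit as a lead to pivot on, not as attribution; only the combination of PDB path, task name and dropped file name approaches what ASERT used to cluster the samples.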
Donot Team has since been observed running two distinct attack chains: one deploying the known Agent K11 framework and another deploying the RTY framework, described as a successor of YTY AES. More broadly, the India-aligned groups SideWinder and Donot Team have continued to target government institutions in South Asia; SideWinder has also targeted the education sector in China, while Donot Team keeps developing the yty framework and has additionally deployed the commercially available Remcos RAT.
Description last updated: 2024-05-04T17:44:36.551Z