We discovered additional insights complementing the CYFIRMA Research report on the 'QWERTY Stealer' sample (369d8855d2531dce55d046735ff9a26ee4441f3f4509aad35f570c0a0b567c5d).
Our analysis attributes this sample to the DoNot_Downloader family, which is linked to APT_C_35, also known as the DoNotTeam.
Our attribution is based on function-level code reuse, with 65 functions in the QWERTY Stealer sample matching those found in previous DoNot_Downloader variants.
Additionally, our code search engine automatically found that the Cyfirma sample shares a 90% code overlap with a previous variant (4ef9133773d596d1c888b0ffe36287a810042172b0af0dfad8c2b0c9875d1c65) identified as DoNot Downloader by Check Point Software in a report from spring 2024.
This finding is further validated by the "donot_downloader" YARA rule from the Check Point report, which matches both samples to the DoNot_Downloader family.
The only difference between the two samples is that the Cyfirma sample is missing the persistence functionality.