Kaspersky researchers have published a detailed overview of DeathStalker, a ‘mercenary’ advanced persistent threat (APT) group that has been leveraging efficient espionage attacks on small and medium-sized firms in the financial sector since at least 2012.
Kaspersky researchers are sharing new details about DeathStalker, a mercenary advanced persistent threat (APT) group that has been leveraging efficient espionage attacks on small and medium-sized firms in the financial sector since at least 2012. The most recent discoveries demonstrate that the group has been targeting companies all over the world, from Europe to Latin America, and highlights why cybersecurity protection is a necessity for small and medium-size organizations.
DeathStalker is a hacker-for-hire group that Kaspersky has been tracking since 2018. They are a unique threat group that mainly focuses on cyber-espionage against law firms and organizations in the financial sector. The threat actor is highly adaptive and is known for using an iterative, fast-paced approach to software design, making them able to execute effective campaigns.
Recent research enabled Kaspersky to link DeathStalker’s activity to three malware families, Powersing, Evilnum and Janicab, which demonstrates the breadth of the groups’ activity carried out since at least 2012. While Powersing has been traced by the security vendor since 2018, the other two malware families have been reported by other cybersecurity vendors. Analysis of code similarities and victimology between the three malware families enabled researcher to link them to each other with medium confidence.
The threat actors’ tactics, techniques and procedures have remained unchanged over the years, relying on tailored spear-phishing emails to deliver archives containing malicious files. When the user clicks the shortcut, a malicious script is executed and downloads further components from the internet. This allows attackers to gain control over the victim’s machine.
One example is the use of Powersing, a Power-Shell-based implant that was the first detected malware from this threat actor. Once the victim’s machine has been infected, the malware is able to capture periodic screenshots and execute arbitrary Powershell scripts. Using alternative persistence methods, depending on the security solution detected on an infected device, the malware is able to evade detection, indicating the groups’ ability to perform detection tests before each campaign and update the scripts in line with the latest results.
In the campaigns using Powersing, DeathStalker also employs a well-known public service to blend in initial backdoor communications into legitimate network traffic, thereby limiting the defenders’ ability to hinder their operations. Using dead-drop resolvers (hosts of information that point to additional command and control infrastructure) placed on a variety legitimate social media, blogging and messaging services, the actor was able to evade detection and quickly terminate a campaign. Once victims are infected, they would reach out to and be redirected by these resolvers, thus hiding the communication chain.
DeathStalker activity has been detected across the world, further signifying the size of their operations. Powersing-related activities were identified in Argentina, China, Cyprus, Israel, Lebanon, Switzerland, Taiwan, Turkey, the United Kingdom and the United Arab Emirates. Kaspersky also located Evilnum victims in Cyprus, India, Lebanon, Russia and the United Arab Emirates.
“DeathStalker is a prime example of a threat actor that organizations in the private sector need to defend themselves against,” comments Ivan Kwiatkowski, senior security researcher at Kaspersky’s GReAT. “While we often focus on the activities carried out by APT groups, DeathStalker remind us that organizations that are not traditionally the most security-conscious need to be aware of becoming targets too. Furthermore, judging by their continuous activity, we expect that DeathStalker will continue to remain a threat with new tools employed to impact organizations. This actor, in a sense, is proof that small and medium-sized companies need to invest in security and awareness training too. To stay protected from DeathStalker, we advise organizations to disable the ability to use scripting languages, such as powershell.exe and cscript.exe, wherever possible. We also recommend that future awareness training and security product assessments include infection chains based on LNK (shortcut) files.”
