DeathStalker: detailed look at a mercenary APT group that spies on small and medium businesses

Kaspersky researchers have published a detailed overview of DeathStalker, a ‘mercenary’ advanced persistent threat (APT) group that has been carrying out efficient espionage attacks on small and medium-sized firms in the financial sector since at least 2012. The most recent discoveries demonstrate that the group has been targeting companies all over the world, from Europe to Latin America, and highlight why cybersecurity protection is a necessity for small and medium-sized organizations.

While state-sponsored threat actors and sophisticated attacks are often in the spotlight, businesses today face a whole array of more immediate threats. These range from ransomware and data leaks to commercial espionage, and result in no less damage to an organization’s operations or reputation. Such attacks are carried out by mid-level malware orchestrators and sometimes by hacker-for-hire groups such as DeathStalker, which Kaspersky has been tracking since 2018.

DeathStalker is a unique threat group that focuses mainly on cyberespionage against law firms and organizations in the financial sector. The threat actor is highly adaptive and notable for its iterative, fast-paced approach to software design, which lets it run effective campaigns.

Recent research enabled Kaspersky to link DeathStalker’s activity to three malware families, Powersing, Evilnum and Janicab, which demonstrates the breadth of the group’s activity since at least 2012. While Powersing has been tracked by the security vendor since 2018, the other two malware families have been reported on by other cybersecurity vendors. Analysis of code similarities and victimology between the three malware families enabled researchers to link them to each other with medium confidence.

The threat actor’s tactics, techniques and procedures have remained unchanged over the years: they rely on tailored spear-phishing e-mails to deliver archives containing malicious files. When the user clicks the shortcut inside the archive, a malicious script is executed and downloads further components from the internet, giving the attackers control over the victim’s machine.
One example is the use of Powersing, a PowerShell-based implant that was the first malware detected from this threat actor. Once the victim’s machine has been infected, the malware is able to capture periodic screenshots and execute arbitrary PowerShell scripts. Using alternative persistence methods depending on the security solution detected on an infected device, the malware is able to evade detection, signaling the group’s ability to perform detection tests before each campaign and update the scripts in line with the latest results.

In the campaigns using Powersing, DeathStalker also employs a well-known public service to blend initial backdoor communications into legitimate network traffic, thereby limiting the defenders’ ability to hinder its operations. Using dead-drop resolvers – hosts of information that point to additional command-and-control infrastructure – placed on a variety of legitimate social media, blogging and messaging services, the actor was able to evade detection and quickly terminate a campaign. Once victims are infected, they reach out to these resolvers and are redirected by them, thus hiding the communication chain.
Figure: An example of a dead-drop resolver hosted on a legitimate public service.
DeathStalker activity has been detected across the world,
further signifying the size of their operations. Powersing-
related activities were identified in Argentina, China,
Cyprus, Israel, Lebanon, Switzerland, Taiwan, Turkey, the
United Kingdom and the United Arab Emirates. Kaspersky
also located Evilnum victims in Cyprus, India, Lebanon,
Russia, and the United Arab Emirates. Detailed information
on Indicators of Compromise related to this group,
including file hashes and C2 servers, can be accessed via
the Kaspersky Threat Intelligence Portal.
“DeathStalker is a prime example of a threat actor that organizations in the private sector need to defend themselves against. While we often focus on the activities carried out by APT groups, DeathStalker reminds us that organizations that are not traditionally the most security-conscious need to be aware of becoming targets too. Furthermore, judging by their continuous activity, we expect that DeathStalker will continue to remain a threat with new tools employed to impact organizations. This actor, in a sense, is proof that small and medium-sized companies need to invest in security and awareness training too,” comments Ivan Kwiatkowski, senior security researcher at Kaspersky’s GReAT. “To stay protected from DeathStalker, we advise organizations to disable the ability to use scripting languages, such as powershell.exe and cscript.exe, wherever possible. We also recommend that future awareness training and security product assessments include infection chains based on LNK (shortcut) files.”
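The infection chain described above (a shortcut in a mailed archive launching a script host that fetches further components) and the advice in the quote to restrict powershell.exe and cscript.exe both point at the same telemetry: script interpreters spawned by the user's shell. The detection sketch below is an added example, not code from Kaspersky's report; the telemetry format, field names, paths, sample events and scoring weights are all constructed for illustration.

```python
import re

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe"}
# Paths where archive tools typically extract attachments (constructed list, lowercase).
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\downloads\\")
# Download-and-execute or encoded-command tokens on the command line.
DOWNLOAD_PATTERN = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|bitsadmin|-enc\b|-encodedcommand\b",
    re.IGNORECASE)

def parse_event(line):
    """Parse a constructed 'Key=Value|Key=Value' telemetry line into a dict."""
    return dict(part.split("=", 1) for part in line.split("|"))

def score_event(event):
    """Score one process-creation event; returns (score, reasons)."""
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    cmdline = event.get("CommandLine", "")
    score, reasons = 0, []
    if image not in SCRIPT_HOSTS:
        return score, reasons          # only script interpreters are of interest
    if parent == "explorer.exe":       # what a double-clicked LNK looks like
        score += 2
        reasons.append("script host spawned by explorer.exe")
    if any(m in cmdline.lower() for m in TEMP_MARKERS):
        score += 1
        reasons.append("command line references a temp/extraction path")
    if DOWNLOAD_PATTERN.search(cmdline):
        score += 2
        reasons.append("download or encoded-command token in command line")
    return score, reasons

def find_suspicious(lines, threshold=3):
    """Return (time, image, score, reasons) for events at or above threshold."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((ev.get("EventTime"), ev.get("Image"), score, reasons))
    return hits

# Constructed sample telemetry for the example, not real victim data.
SAMPLE_EVENTS = [
    "EventTime=2020-08-24T09:01:02|ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|CommandLine=powershell.exe -w hidden -enc BASE64_PLACEHOLDER",
    "EventTime=2020-08-24T09:03:15|ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\cscript.exe|CommandLine=cscript.exe C:\\Users\\u\\AppData\\Local\\Temp\\Rar$DIa1\\invoice.vbs",
    "EventTime=2020-08-24T09:10:00|ParentImage=C:\\Windows\\System32\\svchost.exe|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|CommandLine=powershell.exe -File C:\\ProgramData\\Maintenance\\cleanup.ps1",
    "EventTime=2020-08-24T09:12:30|ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\notepad.exe|CommandLine=notepad.exe C:\\Users\\u\\Downloads\\notes.txt",
]
```

Running `find_suspicious(SAMPLE_EVENTS)` flags the first two events (an encoded PowerShell launch and a VBS run from an archive extraction folder) while the scheduled-maintenance script and the notepad launch score zero.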
In order to avoid falling victim to a targeted attack by a known or unknown threat actor, Kaspersky researchers recommend implementing the following measures:

Provide your SOC team with access to the latest threat intelligence (TI). The Kaspersky Threat Intelligence Portal is a single point of access for the company’s TI, providing cyberattack data and insights gathered by Kaspersky over more than 20 years.

Make sure the right endpoint protection is in place, such as Kaspersky’s Integrated Endpoint Security solution. This combines endpoint security with sandbox and EDR functionality, enabling effective protection from advanced threats and instant visibility into the malicious activity detected on corporate endpoints.

As many targeted attacks start with phishing or other social engineering techniques, introduce security awareness training and teach practical skills – for example, through the Kaspersky Automated Security Awareness Platform.
Read the full overview of DeathStalker on Securelist.com.
Learn more about this APT group’s activity in the upcoming
webinar GReAT Ideas. Powered by SAS: advancing on new
fronts – tech, mercenaries and more, which will take place
on August 26 at 2 pm GMT. Register for free here:
https://kas.pr/v1oj
