APT actor DeathStalker is targeting companies in the forex and cryptocurrency market. Its evasive, stealthy "VileRAT" toolset is distributed via spear phishing. Companies in Germany are also among those affected by the attacks.
Threat actor DeathStalker has updated its evasive, stealthy "VileRAT" toolset to attack cryptocurrency and foreign exchange businesses, recent Kaspersky analysis shows. The attacked organizations are located in Bulgaria, Cyprus, Germany, Kuwait, Malta, the United Arab Emirates, Russia and the Grenadines.
Hack-for-Hire APT Actor
DeathStalker is a hack-for-hire APT actor whose activities Kaspersky has been tracking since 2018. So far, it has primarily targeted law firms and organizations in the financial sector; the attacks appeared to be neither politically nor financially motivated. Kaspersky experts believe that DeathStalker acts as a kind of mercenary group offering specialized hacking or financial intelligence services. In mid-2020, Kaspersky identified a new and highly evasive infection based on the "VileRAT" Python implant. Since then, the experts have been closely following the actor's activities and noted that in 2022 it is intensely focused on foreign exchange (FOREX) and cryptocurrency trading companies across the globe.
VileRAT is typically deployed at the end of a complex infection chain that starts with spear-phishing emails. This summer, the attackers also used chatbots embedded in the affected companies' public websites to send malicious documents. The DOCX documents are often marked with the keywords "Compliance" or "Complaint" (and the name of the target company) and claim to be replies to supposed identification requests or problem reports.
Refined tools that camouflage themselves
The VileRAT campaign is notable for the sophistication of the tools used and the large malicious infrastructure behind it (compared to previously documented DeathStalker activities), the numerous obfuscation techniques used throughout the infection chain, and its continuous, sustained activity since 2020. The current campaign shows DeathStalker going to great lengths to gain, and then maintain, access to its targets. The possible objectives of the attacks range from due diligence, asset recovery and assistance in litigation or arbitration to circumvention of sanctions; direct financial gain still does not appear to be among them.
The VileRAT campaign shows no particular focus on specific countries; instead, Kaspersky researchers report affected organizations in Bulgaria, Cyprus, Germany, Kuwait, Malta, the United Arab Emirates, Russia and the Grenadines. The organizations identified are of all sizes, from newly formed start-ups to established industry leaders.
Deceive, camouflage, hide
"The goal of DeathStalker has always been to evade detection," explains Pierre Delcher, senior security researcher in Kaspersky's Global Research & Analysis Team (GReAT). "The VileRAT campaign has now taken the whole thing to a new level. In terms of complexity and obfuscation, it's undoubtedly the most demanding campaign we've seen from this player. DeathStalker's tactics and practices are effective in attacking easier targets. They may not be experienced enough to withstand such an attack, may not have made security a top priority for their organization, or frequently interact with third parties who have not already done so."
More at Kaspersky.com
About Kaspersky
Kaspersky is an international cybersecurity company founded in 1997. Kaspersky's in-depth threat intelligence and security expertise serve as the basis for innovative security solutions and services to protect companies, critical infrastructures, governments and private users worldwide. The company's comprehensive security portfolio includes leading endpoint protection as well as a range of specialized security solutions and services to defend against complex and evolving cyber threats. Kaspersky technologies protect over 400 million users and 250,000 corporate customers. More information about Kaspersky can be found at www.kaspersky.com/