The notorious hacker-for-hire APT group DeathStalker was detected in the United States for the first time this year, Kaspersky has confirmed. Prior to today’s report, the group had mostly been observed in Europe and Asia.
In a release posted earlier today, Kaspersky researchers also reported that the attack featured a new strain of malware from DeathStalker that was spotted in the wild. The malware centers around a backdoor that the researchers dubbed PowerPepper, which aims to take over user devices.
Kaspersky said PowerPepper leverages DNS over HTTPS as a communications channel to hide communications with the control server behind legitimate-looking traffic. PowerPepper also uses several evasion techniques, including steganography to disguise data.
Active since at least 2012, DeathStalker conducts espionage against small and medium-sized businesses, mostly law firms and financial services organizations. Unlike other APT groups, DeathStalker doesn’t appear to have political motivations or seek direct financial gain from the companies they target. The group acts as mercenaries, offering their hacking services for a fee.
The new PowerPepper strain typically spreads like other malware associated with this group, via spearphishing emails with the malicious files delivered via the email body or with a malicious link.
Ivan Righi, cyber threat intelligence analyst at Digital Shadows, said DeathStalker specializes in stealing trade secrets by leveraging PowerShell-based implants. The group has been known to take advantage of international events such as COVID-19 to deliver attacks. Righi said DeathStalker's tactics have effectively deceived security mechanisms because they cleverly embed malicious code within posts on social media sites such as YouTube, WordPress, Tumblr, Twitter, and Reddit.
According to Righi, DeathStalker’s attacks have been previously detected in Argentina, China, Cyprus, Israel, Lebanon, Switzerland, Taiwan, Turkey, the UK, and the United Arab Emirates. Security researchers also suspect that the group has links to the Janicab and Evilnum malware variants.
Righi added that DeathStalker likely targeted the U.S. and other North American countries in previous campaigns. However, reports since July 2020 indicate that the group has focused its attacks on Europe, Asia, and Latin America. Deathstalker was known as Deceptikons prior to August 2020.
“To protect against DeathStalker’s potential attacks, small- and medium-sized businesses should pay special attention to processes that are launched by scripting language interpreters, in particular, powershell.exe and cscript.exe, and use endpoint detection and response mechanisms,” Righi said. “Businesses should also implement effective security awareness programs to teach employees to identify suspicious emails and report them to the company's security team for analysis.”