SMBs assaulted by ‘mercenary’ DeathStalker APT espionage campaigns

The hacker collective known as DeathStalker has recently widened its footprint to include small and medium-sized business (SMB) targets in the financial sector across Europe, the Middle East, Asia and Latin America.

DeathStalker's tactics, techniques and procedures have changed little since it first emerged as a hacker-for-hire, according to Kaspersky, which has tracked the group's activities for the past three years.

Calling DeathStalker "a mercenary advanced persistent threat (APT)," the Kaspersky report said the group runs espionage-focused campaigns, built around three malware families (Powersing, Evilnum and Janicab), against unsuspecting SMB financial and law firms.

Researchers identified DeathStalker attacks using Powersing in Argentina, China, Cyprus, Israel, Lebanon, Switzerland, Taiwan, Turkey, the United Kingdom and the United Arab Emirates. Other security firms, they said, have tracked the group's use of Evilnum against victims in Cyprus, India, Lebanon, Russia and the UAE.

The first DeathStalker malware to be identified was Powersing, a PowerShell-based implant. Once it has infected a victim's machine, Powersing can capture periodic screenshots and execute arbitrary PowerShell scripts.

The implant also chooses between alternative persistence methods depending on which security product it finds on the infected device. Kaspersky says this shows the "highly adaptive" group tests its tooling against detection before each campaign and updates its scripts in line with the latest results.

Powersing further evades detection by blending its initial backdoor communications into legitimate network traffic, which limits defenders' ability to spot and disrupt the operation.

The implant relies on dead-drop resolvers: posts or comments on a variety of legitimate social media, blogging and messaging services that carry pointers to the actual command and control (C2) infrastructure. Because the first hop is a trusted domain, the connection looks like ordinary browsing, and the operators can quickly terminate a campaign simply by changing or removing the post. Once a host is infected, the resolver hides the rest of the communication chain from anyone inspecting its initial connections.
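To make the mechanism concrete, here is an added walkthrough of a dead-drop resolver; it is not code from the Kaspersky report or from DeathStalker. The `ref:` marker, the XOR key, the host:port sanity check and the sample feed are all invented for the example and are not Powersing's real scheme. The point it shows is that the implant's first network contact is a legitimate site, and that the real C2 address never appears anywhere the defender can block until after the pointer has been decoded.

```python
"""Dead-drop resolver (DDR) walkthrough. Added example, not code from the
Kaspersky report or from DeathStalker: the marker, XOR key and the sample
feed are all invented here to show the mechanism, not Powersing's real scheme.
The implant's first network contact is a legitimate site; a planted comment
there carries an encoded pointer to the real C2 server."""
import base64
import re
from typing import List, Optional

MARKER = "ref:"            # hypothetical tag the implant searches for
XOR_KEY = b"ddr-demo"      # hypothetical fixed key baked into the implant
C2_SHAPE = re.compile(r"^[\w.\-]+:\d{1,5}$")   # decoded value must look like host:port


def _xor(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_pointer(c2: str) -> str:
    """Operator side: wrap a C2 address in an innocuous-looking comment."""
    token = base64.urlsafe_b64encode(_xor(c2.encode(), XOR_KEY)).decode().rstrip("=")
    return f"Great post, thanks for sharing! {MARKER}{token}"


def resolve_c2(posts: List[str]) -> Optional[str]:
    """Implant side: scan a fetched feed for the marker and decode the pointer.

    Until this returns, the only host contacted is the legitimate service that
    serves the feed, which is why the real C2 stays out of proxy logs and
    block-lists until the implant's second connection."""
    pattern = re.compile(re.escape(MARKER) + r"([A-Za-z0-9_\-]+)")
    for post in posts:
        match = pattern.search(post)
        if not match:
            continue
        token = match.group(1)
        token += "=" * (-len(token) % 4)            # restore stripped padding
        try:
            candidate = _xor(base64.urlsafe_b64decode(token), XOR_KEY).decode()
        except (ValueError, UnicodeDecodeError):
            continue                                # not a valid pointer, keep scanning
        if C2_SHAPE.match(candidate):
            return candidate
    return None


# Constructed feed: ordinary comments, one decoy that merely contains the
# marker, and one planted pointer (198.51.100.0/24 is a documentation range).
SAMPLE_FEED = [
    "Nice write-up, bookmarked.",
    "see ref:a for details",                    # decoy: not valid base64
    encode_pointer("198.51.100.23:443"),
    "Thanks!",
]

if __name__ == "__main__":
    print(resolve_c2(SAMPLE_FEED))             # 198.51.100.23:443
```

The defender's lesson is in `resolve_c2`: the implant only ever contacts the feed's legitimate domain before this function returns, so blocking the C2 address does nothing until the second hop, and the operator can retire or move the campaign by editing one comment. An analyst who has recovered the decoding routine from a sample can run the same logic over the resolver page to learn the currently active C2.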

To defend against DeathStalker, Kaspersky advised organizations to disable script interpreters such as powershell.exe and cscript.exe wherever they are not needed. Researchers also recommended that infection chains based on LNK (shortcut) files be covered in future awareness training and by security products.
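Shortcut-based infection chains are detectable from the LNK file itself, because the target path and command line are stored in plain StringData fields. The following is an added example, not Kaspersky's tooling and not a DeathStalker sample: a minimal Shell Link parser that follows the MS-SHLLINK header and StringData layout just far enough to recover the target and arguments, plus a triage rule that flags the script hosts the advisory recommends restricting. The two shortcuts it inspects are constructed in memory from hypothetical paths and arguments.

```python
"""Triage of LNK (shortcut) lures. Added example, not Kaspersky's tooling and
not a DeathStalker sample: the two shortcuts below are built in memory from
hypothetical paths and arguments. The parser follows the Shell Link header
and StringData layout from MS-SHLLINK just far enough to recover the target
and its command line, which is what a detection rule for shortcut-based
infection chains needs to see."""
import re
import struct
from typing import Dict, List

HEADER_SIZE = 0x4C                         # fixed ShellLinkHeader size
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
# StringData fields appear in this order when their flag is set
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGS, "arguments"),
                 (HAS_ICON, "icon_location"))
SCRIPT_HOSTS = re.compile(r"(powershell|pwsh|cscript|wscript|mshta|cmd)\.exe$", re.I)


def parse_lnk(data: bytes) -> Dict[str, str]:
    """Return the StringData fields of a .lnk file (the parts triage needs)."""
    if (len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE
            or data[4:20] != LINK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]       # follows HeaderSize + CLSID
    pos = HEADER_SIZE
    if flags & HAS_ID_LIST:                              # IDListSize + IDList, skipped
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                            # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields: Dict[str, str] = {}
    for flag, name in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("cp1252")
            pos += count
    return fields


def triage_lnk(data: bytes) -> List[str]:
    """Findings a shortcut-lure rule would raise; empty list means nothing suspicious."""
    fields = parse_lnk(data)
    target = fields.get("relative_path", "")
    args = fields.get("arguments", "")
    findings = []
    if SCRIPT_HOSTS.search(target):
        findings.append("target is a script host: " + target.rsplit("\\", 1)[-1])
    if re.search(r"(^|\s)-(e|enc|encodedcommand)\b", args, re.I):
        findings.append("encoded PowerShell command")
    if re.search(r"-w(indowstyle)?\s+hidden", args, re.I):
        findings.append("hidden window")
    if re.search(r"-(ep|executionpolicy)\s+bypass", args, re.I):
        findings.append("execution policy bypass")
    if re.search(r"https?://", args, re.I):
        findings.append("download cradle in arguments")
    return findings


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Construct a minimal Unicode .lnk with only RELATIVE_PATH and ARGUMENTS set."""
    header = struct.pack("<I16sI", HEADER_SIZE, LINK_CLSID,
                         HAS_REL_PATH | HAS_ARGS | IS_UNICODE)
    header += b"\x00" * (HEADER_SIZE - len(header))      # attributes, timestamps, etc.
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, arguments))
    return header + body


# Constructed samples (hypothetical paths and arguments, not a real lure).
SUSPICIOUS_LNK = build_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r'-NoP -W Hidden -Ep Bypass -c "iex (gc $env:TEMP\stage.txt -Raw)"')
BENIGN_LNK = build_lnk(r"..\..\Program Files\ExampleTool\tool.exe", "--update")

if __name__ == "__main__":
    for label, blob in (("suspicious", SUSPICIOUS_LNK), ("benign", BENIGN_LNK)):
        print(label, triage_lnk(blob))
```

Run on the constructed lure, `triage_lnk` reports a script-host target, a hidden window and an execution policy bypass; the benign shortcut produces no findings. The same checks translate directly into a mail-gateway or EDR rule for attachments with a `.lnk` extension, and they pair naturally with the interpreter restriction the researchers recommend: an application control policy (AppLocker or WDAC) that denies powershell.exe, cscript.exe and wscript.exe to standard users removes the execution step entirely.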
