DeathStalker: detailed look at a mercenary APT group that spies on small and medium businesses

Woburn, MA – August 24, 2020 – Kaspersky researchers are sharing new details about DeathStalker, a mercenary advanced persistent threat (APT) group that has been leveraging efficient espionage attacks on small and medium-sized firms in the financial sector since at least 2012. The most recent discoveries demonstrate that the group has been targeting companies all over the world, from Europe to Latin America, and highlights why cybersecurity protection is a necessity for small and medium-size organizations.

 DeathStalker is a hacker-for-hire group that Kaspersky has been tracking since 2018. They are a unique threat group that mainly focuses on cyberespionage against law firms and organizations in the financial sector. The threat actor is highly adaptive and is known for using an iterative, fast-paced approach to software design, making them able to execute effective campaigns.

Recent research enabled Kaspersky to link DeathStalker’s activity to three malware families, Powersing, Evilnum and Janicab, which demonstrates the breadth of the groups’ activity carried out since at least 2012. While Powersing has been traced by the security vendor since 2018, the other two malware families have been reported by other cybersecurity vendors. Analysis of code similarities and victimology between the three malware families enabled researcher to link them to each other with medium confidence.

The threat actors’ tactics, techniques and procedures have remained unchanged over the years, relying on tailored spear-phishing emails to deliver archives containing malicious files. When the user clicks the shortcut, a malicious script is executed and downloads further components from the internet. This allows attackers to gain control over the victim’s machine.

One example is the use of Powersing, a Power-Shell-based implant that was the first detected malware from this threat actor. Once the victim’s machine has been infected, the malware is able to capture periodic screenshots and execute arbitrary Powershell scripts. Using alternative persistence methods, depending on the security solution detected on an infected device, the malware is able to evade detection, indicating  the groups’ ability to perform detection tests before each campaign and update the scripts in line with the latest results.

In the campaigns using Powersing, DeathStalker also employs a well-known public service to blend in initial backdoor communications into legitimate network traffic, thereby limiting the defenders’ ability to hinder their operations. Using dead-drop resolvers (hosts of information that point to additional command and control infrastructure) placed on a variety legitimate social media, blogging and messaging services, the actor was able to evade detection and quickly terminate a campaign. Once victims are infected, they would reach out to and be redirected by these resolvers, thus hiding the communication chain.

An example of a dead-drop resolver hosted on a legitimate public service

DeathStalker activity has been detected across the world, further signifying the size of their operations. Powersing-related activities were identified in Argentina, China, Cyprus, Israel, Lebanon, Switzerland, Taiwan, Turkey, the United Kingdom and the United Arab Emirates. Kaspersky also located Evilnum victims in Cyprus, India, Lebanon, Russia and the United Arab Emirates. Detailed information on Indicators of Compromise related to this group, including file hashes and C2 servers, can be accessed via the Kaspersky Threat Intelligence Portal.

“DeathStalkeris a prime example of a threat actor that organizations in the private sector need to defend themselves against,” comments Ivan Kwiatkowski, senior security researcher at Kaspersky’s GReAT. “While we often focus on the activities carried out by APT groups,DeathStalkerremind us that organizations that are not traditionally the most security-conscious need to be aware of becoming targets too. Furthermore, judging by their continuous activity, we expect thatDeathStalkerwill continue to remain a threat with new tools employed to impact organizations. This actor, in a sense, is proof that small and medium-sized companies need to invest in security and awareness training too. To stay protected fromDeathStalker,we advise organizations to disable the ability to use scripting languages, such as powershell.exe and cscript.exe, wherever possible. We also recommend that future awareness training and security product assessments include infection chains based on LNK (shortcut) files.”

Read the full overview of DeathStalker on Securelist.com.

Learn more about this APT group's activity in the upcoming webinar GReAT Ideas. Powered by SAS: advancing on new fronts – tech, mercenaries and more, which will take place on August 26 at 2 pm GMT. Register for free here: https://kas.pr/v1oj

About Kaspersky

Kaspersky is a global cybersecurity company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 270,000 corporate clients protect what matters most to them. Learn more at usa.kaspersky.com.

Media Contact:

Cassandra Faro
Cassandra.Faro@Kaspersky.com
781-503-1812