DeathStalker: detailed look at a mercenary APT group that spies on small and medium businesses
August 2020 by Kaspersky
Kaspersky researchers have published a detailed overview of DeathStalker, a ‘mercenary’ advanced persistent threat (APT) group that has been leveraging efficient espionage attacks on small and medium-sized firms in the financial sector since at least 2012. The most recent discoveries demonstrate that the group has been targeting companies all over the world, from Europe to Latin America, highlight why cybersecurity protection is a necessity for small and medium-size organisations.
While state-sponsored threat actors and sophisticated attacks are often in the spotlight, businesses today are faced with a whole array of more immediate threats. These range from ransomware and data leaks to commercial espionage, and result in no less damage to the organisations’ operations or reputation. These attacks are carried out by mid-level malware orchestrators and sometimes, by hacker-for-hire groups, such as DeathStalker, which Kaspersky has been tracking since 2018.
DeathStalker is a unique threat group which mainly focuses on cyberespionage against law firms and organisations in the financial sector. The threat actor is highly adaptive and notable for using iterative fast-paced approach to software design, making them able to execute effective campaigns.
Recent research enabled Kaspersky to link DeathStalker’s activity to three malware families, Powersing, Evilnum and Janicab, which demonstrates the breadth of the groups’ activity carried out since at least 2012. While Powersing has been traced by the security vendor since 2018, the other two malware families have been reported on by other cybersecurity vendors. Analysis of code similarities and victimology between the three malware families enabled researcher to link them to each other with medium confidence.
The threat actors’ tactics, techniques and procedures remained unchanged over the years: they rely on tailored spear-phishing e-mails to deliver archives containing malicious files. When the user clicks the shortcut, a malicious script is executed and downloads further components from the internet. This allows attackers to gain control over the victim’s machine.
One of the example is the use of Powersing, a Power-Shell-based implant that was the first detected malware from this threat actor. Once the victim’s machine has been infected, the malware is able to capture periodic screenshots and execute arbitrary Powershell scripts. Using alternative persistence methods depending on the security solution detected on an infected device, the malware is able to evade detection, signaling to the groups’ ability to perform detection tests before each campaign and update the scripts in line with the latest results. In the campaigns using Powersing, DeathStalker also employs a well-known public service to blend in initial backdoor communications into legitimate network traffic, thereby limiting the defenders’ ability to hinder their operations. Using dead-drop resolvers – hosts of information that point to additional command and control infrastructure – placed on a variety legitimate social media, blogging and messaging services, the actor was able to evade detection and quickly terminate a campaign. Once victims are infected, they would reach out to and be redirected by these resolvers, thus hiding the communication chain.
An example of a dead-drop resolver hosted on a legitimate public service DeathStalker activity has been detected across the world, further signifying the size of their operations. Powersing-related activities were identified in Argentina, China, Cyprus, Israel, Lebanon, Switzerland, Taiwan, Turkey, the United Kingdom and the United Arab Emirates. Kaspersky also located Evilnum victims in Cyprus, India, Lebanon, Russia, and the United Arab Emirates. Detailed information on Indicators of Compromise related to this group, including file hashes and C2 servers, can be accessed via the Kaspersky Threat Intelligence Portal.
“DeathStalker is a prime example of a threat actor that organisations in the private sector need to defend themselves against. While we often focus on the activities carried out by APT groups, DeathStalker remind us that organisations that are not traditionally the most security-conscious need to be aware of becoming targets too. Furthermore, judging by their continuous activity, we expect that DeathStalker will continue to remain a threat with new tools employed to impact organisations. This actor, in a sense, is proof that small and medium-sized companies need to invest in security and awareness training too,” comments Ivan Kwiatkowski, senior security researcher at Kaspersky’s GReAT. “To stay protected from DeathStalker, we advise organisations to disable the ability to use scripting languages, such as powershell.exe and cscript.exe, wherever possible. We also recommend that future awareness training and security product assessments include infection chains based on LNK (shortcut) files.”
In order to avoid falling victim to a targeted attack by a known or unknown threat actor, Kaspersky researchers recommend implementing the following measures:
• Provide your SOC team with access to the latest threat intelligence (TI). The Kaspersky Threat Intelligence Portal is a single point of access for the company’s TI, providing cyberattack data and insights gathered by Kaspersky over more than 20 years.
• Make sure the right endpoints protection is in place, such as, for example, Kaspersky’s Integrated Endpoint Security solution. This combines endpoint security with sandbox and EDR functionality enabling effective protection from advanced threats and instant visibility over the malicious activity detected on corporate endpoints.
• As many targeted attacks start with phishing or other social engineering techniques, introduce security awareness training and teach practical skills - for example through the Kaspersky Automated Security Awareness Platform.