August 25, 2020 (updated 26 Aug 2020, 9:23am)

DeathStalker APT Espionage Group is Targeting Financial Firms in Search of Trade Secrets

“Our experts believe that the cyber criminals study the target and fine-tune their scripts for each attack,” says Kaspersky

By Claudia Glover

A threat group that specialises in stealing trade secrets is targeting businesses in the financial sector.

The attack-as-a-service cyberspy gang dubbed DeathStalker has preyed on fintech companies, law firms and financial advisors, as well as at least one diplomatic entity. Targets were spread across Europe, the Middle East, Asia and Latin America, according to Russian security company Kaspersky, which uncovered the group’s activities.

Kaspersky says DeathStalker has been active since 2018, and possibly since as early as 2012; the group’s use of a PowerShell-based implant called Powersing has allowed the security company to track it.

The researchers who have been tracking Deathstalker’s activities, Ivan Kwiatkowski, Pierre Delcher and Maher Yamout, said in a blog post: “As far as we can tell, this actor isn’t motivated by financial gain. They don’t deploy ransomware, steal payment information to resell it, or engage in any type of activity commonly associated with the cybercrime underworld.

“Their interest in gathering sensitive business information leads us to believe that DeathStalker is a group of mercenaries offering hacking-for-hire services, or acting as some sort of information broker in financial circles.”

Attack-As-A-Service Cyberspy Gang DeathStalker

“At all stages,” Kaspersky’s threat report reads, “this malware uses various methods to bypass security technologies, and its choice of method depends on the target. Our experts believe that the cyber criminals study the target and fine-tune their scripts for each attack.”

DeathStalker’s calling card, the Powersing implant, periodically takes screenshots of the victim’s machine and sends them back to the command-and-control (C&C) server. It also executes additional scripts downloaded from the C&C server, which the group uses to consolidate its foothold on the victim’s machine and launch further tools. A C&C server is a computer that issues directives to devices that have been infected by malware.


The “Dead Drop Resolver”

An interesting aspect of the group’s attack is its use of something that Kaspersky calls the “dead drop resolver”. Here, the malicious code delivered to the compromised device (through a spear phishing attack) does not retrieve its next stage from the C&C server directly.


The encrypted code has already been posted on a public platform, and has been designed to activate the next stage of the attack when accessed by the victim’s machine.

[Image: an example of a “dead drop resolver”, the publicly accessible encrypted code, as posted on a public platform. Image © SecureList]

Public platforms that contained the encrypted activation code, or dead drop resolver, are Google+, Imgur, Reddit, ShockChan, Tumblr, Twitter, YouTube and WordPress, according to a post on SecureList, Kaspersky’s research blog. 

How To Keep DeathStalker Out

While the APT group’s techniques are not hugely complex, its tools are designed to bypass many security solutions. To protect a system or device against DeathStalker, Kaspersky recommends that IT employees:

“Pay special attention to processes that are launched by scripting language interpreters, including in particular powershell.exe and cscript.exe. If you have no objective need for them to perform business tasks, disable them.”

“Watch out for attacks that are perpetrated by LNK files spread through e-mail messages.

“Use advanced protective technologies, including EDR-class solutions”.
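As an added illustration of the first two recommendations (this is example code, not Kaspersky’s or the article’s), the following Python triages constructed Sysmon-style process-creation events for script interpreters launched from user-facing parents such as a double-clicked LNK or a mail client, or with an encoded or hidden-window PowerShell command line; the parent list and the switch heuristics are assumptions made for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from pathlib import PureWindowsPath

INTERPRETERS = {"powershell.exe", "cscript.exe"}  # the interpreters named in the advice above
# Parents that should rarely spawn a script interpreter: explorer.exe covers a
# double-clicked LNK, the others a script run straight from a mail attachment.
# This list is an assumption for the example, not taken from the page.
USER_FACING_PARENTS = {"explorer.exe", "outlook.exe", "winword.exe", "excel.exe"}


@dataclass
class ProcessEvent:  # the three Sysmon Event ID 1 fields these rules need
    image: str
    parent_image: str
    command_line: str


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _powershell_flags(tokens: list[str]) -> list[str]:
    """powershell.exe accepts unambiguous prefixes of switch names ('-enc',
    '-w hidden'), so switches are matched as prefixes, not literal strings."""
    found = []
    for i, tok in enumerate(tokens):
        if len(tok) >= 2 and "-encodedcommand".startswith(tok):
            found.append("encoded command")
        if len(tok) >= 2 and "-windowstyle".startswith(tok) \
                and i + 1 < len(tokens) and tokens[i + 1] == "hidden":
            found.append("hidden window")
    return found


def assess(event: ProcessEvent) -> list[str]:
    """Return the reasons an event matches the guidance (empty if it does not)."""
    image = _basename(event.image)
    if image not in INTERPRETERS:
        return []
    reasons = []
    parent = _basename(event.parent_image)
    if parent in USER_FACING_PARENTS:
        reasons.append(f"{image} launched by {parent}")
    if image == "powershell.exe":
        reasons += _powershell_flags(event.command_line.lower().split())
    return reasons


def triage(events: list[ProcessEvent]) -> list[tuple[ProcessEvent, list[str]]]:
    return [(e, r) for e in events if (r := assess(e))]


# Constructed sample events (not real telemetry); the -enc payload is the placeholder "ABC".
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
                 "powershell.exe -nop -w hidden -enc QQBCAEMA"),
    ProcessEvent(r"C:\Windows\System32\cscript.exe", r"C:\Windows\explorer.exe",
                 r"cscript.exe //B C:\Users\alice\Downloads\invoice.vbs"),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\System32\cmd.exe", "powershell.exe -NoProfile Get-Date"),
    ProcessEvent(r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe", "notepad.exe"),
]

if __name__ == "__main__":
    for event, reasons in triage(SAMPLE_EVENTS):
        print(f"{_basename(event.image)} <- {_basename(event.parent_image)}: {'; '.join(reasons)}")
```

Only the first two sample events are flagged; the admin-style PowerShell run from cmd.exe and the notepad launch pass through, which is the point of tying the rule to parent process and command-line shape rather than to the interpreter name alone.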

