View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
August 25, 2020updated 06 Jul 2022 8:39am

DeathStalker APT Espionage Group is Targeting Financial Firms in Search of Trade Secrets

"Our experts believe that the cyber criminals study the target and fine-tune their scripts for each attack” Say Kaspersky

By claudia glover

A threat group that specialises in stealing trade secrets is targeting businesses in the financial sector.

The attack-as-a-service cyberspy gang dubbed DeathStalker has prayed on fintech companies, law firms and financial advisors, as well as at least one diplomatic entity. Targets were spread across Europe, the Middle East, Asia and Latin America according to Russian security company Kaspersky, which uncovered the group’s activities.

It says Deathstalker has been active since 2018, possibly even since 2012, and their use of a power-shell based implant called Powersing has allowed them to be tracked by the security company. 

The researchers who have been tracking Deathstalker’s activities, Ivan Kwiatkowski, Pierre Delcher and Maher Yamout, said in a blog post: “As far as we can tell, this actor isn’t motivated by financial gain. They don’t deploy ransomware, steal payment information to resell it, or engage in any type of activity commonly associated with the cybercrime underworld.

“Their interest in gathering sensitive business information leads us to believe that DeathStalker is a group of mercenaries offering hacking-for-hire services, or acting as some sort of information broker in financial circles.”

Attack-As-A-Service Cyberspy Gang DeathStalker

“At all stages” Kaspersky’s threat report reads “This malware uses various methods to bypass security technologies, and its choice of method depends on the target. Our experts believe that the cyber criminals study the target and fine-tune their scripts for each attack”. 

DeathStalker’s calling card, the Powersing implant, periodically takes screenshots of the victim’s machine to send back to the Control and Command (C&C) server, while also executing additional scripts downloaded from the C&C server, in order to get a foothold on the victim’s machine to launch additional tools. A C&C server is a computer that issues directives to devices that have been infected by malware. 

Content from our partners
Scan and deliver
GenAI cybersecurity: "A super-human analyst, with a brain the size of a planet."
Cloud, AI, and cyber security – highlights from DTX Manchester

The “Dead Drop Resolver”

An interesting aspect of the group’s attack is their use of something that Kaspersky calls the “dead drop resolver”. This is where the malicious code uploaded to the compromised device (through a spear phishing attack) is not sent from the C&C server.

Read This: Kaspersky Identifies All-Singing, Multi-OS Malware Framework Dubbed “MATA”

The encrypted code has already been posted on a public platform, and has been designed to activate the next stage of the attack when accessed by the victim’s machine.

Public platforms that contained the encrypted activation code, or dead drop resolver, are Google+, Imgur, Reddit, ShockChan, Tumblr, Twitter, YouTube and WordPress, according to a post on SecureList, Kaspersky’s research blog. 

How To Keep DeathStalker Out

While the APT group’s techniques are not hugely complex, their tools are designed to bypass many security solutions. To protect a system or device against DeathStalker Kaspersky recommends that IT employees:

“Pay special attention to processes that are launched by scripting language interpreters, including in particular powershell.exe and cscript.exe. If you have no objective need for them to perform business tasks, disable them”

“Watch out for attacks that are perpetrated by LNK files spread through e-mail messages.

“Use advanced protective technologies, including EDR-class solutions”.

Don’t Leave Before You’ve Read This: AVEVA Snaps Up OSIsoft for $5 Billion and Has Big Plans for the Cloud

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.