A threat group that specialises in stealing trade secrets is targeting businesses in the financial sector.
The attack-as-a-service cyberspy gang dubbed DeathStalker has preyed on fintech companies, law firms and financial advisors, as well as at least one diplomatic entity. Targets were spread across Europe, the Middle East, Asia and Latin America, according to Russian security company Kaspersky, which uncovered the group’s activities.
It says DeathStalker has been active since 2018, possibly even since 2012, and that the group’s use of a PowerShell-based implant called Powersing has allowed the security company to track it.
The researchers who have been tracking Deathstalker’s activities, Ivan Kwiatkowski, Pierre Delcher and Maher Yamout, said in a blog post: “As far as we can tell, this actor isn’t motivated by financial gain. They don’t deploy ransomware, steal payment information to resell it, or engage in any type of activity commonly associated with the cybercrime underworld.
“Their interest in gathering sensitive business information leads us to believe that DeathStalker is a group of mercenaries offering hacking-for-hire services, or acting as some sort of information broker in financial circles.”
Attack-As-A-Service Cyberspy Gang DeathStalker
“At all stages,” Kaspersky’s threat report reads, “this malware uses various methods to bypass security technologies, and its choice of method depends on the target. Our experts believe that the cyber criminals study the target and fine-tune their scripts for each attack.”
DeathStalker’s calling card, the Powersing implant, periodically takes screenshots of the victim’s machine and sends them back to the command and control (C&C) server, while also executing additional scripts downloaded from the C&C server in order to keep a foothold on the victim’s machine and launch further tools. A C&C server is a computer that issues directives to devices that have been infected by malware.
The “Dead Drop Resolver”
An interesting aspect of the group’s attack is its use of something that Kaspersky calls the “dead drop resolver”. This is where the code that the malware loads onto the compromised device (after the initial spear-phishing infection) is not sent by the C&C server.
Instead, the encrypted code has already been posted on a public platform and is designed to activate the next stage of the attack when the victim’s machine accesses it.
The public platforms found hosting the encrypted activation code, or dead drop resolver, are Google+, Imgur, Reddit, ShockChan, Tumblr, Twitter, YouTube and WordPress, according to a post on Securelist, Kaspersky’s research blog.
How To Keep DeathStalker Out
While the APT group’s techniques are not hugely complex, its tools are designed to bypass many security solutions. To protect a system or device against DeathStalker, Kaspersky recommends that IT employees:
“Pay special attention to processes that are launched by scripting language interpreters, including in particular powershell.exe and cscript.exe. If you have no objective need for them to perform business tasks, disable them.”
“Watch out for attacks that are perpetrated by LNK files spread through e-mail messages.”
“Use advanced protective technologies, including EDR-class solutions.”
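Kaspersky’s first recommendation and the dead drop resolver description above both translate into a simple correlation rule a defender can run over endpoint telemetry: flag launches of the named script interpreters, and escalate when one of those interpreters then connects to a public platform of the kind listed as a dead drop resolver host. The following is an added example written for this article, not Kaspersky’s code or tooling. It assumes a simplified, Sysmon-like JSON-lines event export (fields `type`, `pid`, `image`, `parent_image`, `dest_host`), maps the platform names on the page to domains of my own choosing (Google+ and ShockChan are omitted since no current domain is given here), and runs over sample log lines constructed for the example.

```python
"""Added detection example (not Kaspersky's code or tooling): correlate
Windows process-creation and network-connection events to surface script
interpreter launches (powershell.exe, cscript.exe) and interpreters that go
on to reach the public platforms named as dead drop resolver hosts. The
Sysmon-like JSON-lines event format is an assumption; the sample log lines
below are constructed for this example."""
import json

# Interpreters the article singles out.
SCRIPT_INTERPRETERS = {"powershell.exe", "cscript.exe"}

# Parents suggesting a user opened something (e.g. an LNK from e-mail)
# rather than an automated job. Assumption made for this example.
USER_FACING_PARENTS = {"explorer.exe", "outlook.exe"}

# Domains for platforms listed on the page as dead drop resolver hosts.
# The platform-to-domain mapping is my assumption.
DEAD_DROP_DOMAINS = {
    "imgur.com", "reddit.com", "tumblr.com",
    "twitter.com", "youtube.com", "wordpress.com",
}

# Constructed sample events, one JSON object per line.
SAMPLE_LOG = r"""
{"type": "process", "pid": 4120, "image": "C:\\Windows\\explorer.exe", "parent_image": "C:\\Windows\\System32\\userinit.exe"}
{"type": "process", "pid": 5532, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent_image": "C:\\Windows\\explorer.exe"}
{"type": "network", "pid": 5532, "dest_host": "www.reddit.com", "dest_port": 443}
{"type": "process", "pid": 6010, "image": "C:\\Windows\\System32\\cscript.exe", "parent_image": "C:\\Windows\\System32\\svchost.exe"}
{"type": "network", "pid": 6010, "dest_host": "backup.corp.example", "dest_port": 443}
{"type": "process", "pid": 7001, "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "parent_image": "C:\\Windows\\explorer.exe"}
{"type": "network", "pid": 7001, "dest_host": "i.imgur.com", "dest_port": 443}
"""


def basename(path):
    """Last component of a Windows path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def domain_matches(host, domains):
    """True if host equals, or is a subdomain of, any domain in the set."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def parse_log(text):
    """Yield one event dict per non-empty JSON line."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def analyse(events):
    """Return findings as (pid, severity, reason) tuples.

    Keys on pid for brevity; a production rule should key on a process
    GUID, because PIDs are reused after a process exits.
    """
    interpreters = {}  # pid -> interpreter image name
    findings = []
    for ev in events:
        if ev["type"] == "process":
            image = basename(ev["image"])
            if image not in SCRIPT_INTERPRETERS:
                continue  # browsers and other binaries are not of interest here
            interpreters[ev["pid"]] = image
            parent = basename(ev.get("parent_image", ""))
            if parent in USER_FACING_PARENTS:
                findings.append((ev["pid"], "medium",
                                 f"{image} launched from {parent}: review for an LNK or attachment lure"))
            else:
                findings.append((ev["pid"], "low",
                                 f"{image} launched from {parent or 'unknown parent'}"))
        elif ev["type"] == "network":
            image = interpreters.get(ev["pid"])
            # Only interpreters matter here: a browser reaching Imgur is normal.
            if image and domain_matches(ev["dest_host"], DEAD_DROP_DOMAINS):
                findings.append((ev["pid"], "high",
                                 f"{image} connected to {ev['dest_host']}: possible dead drop resolver lookup"))
    return findings


def run_sample():
    """Analyse the constructed sample log."""
    return analyse(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for pid, severity, reason in run_sample():
        print(f"[{severity}] pid {pid}: {reason}")
```

On the sample data this yields three findings: a medium one for powershell.exe started from explorer.exe, a high one when that same process reaches reddit.com, and a low one for cscript.exe started by svchost.exe, which here stands in for a legitimate scheduled script. The browser connection to Imgur is deliberately not flagged, which is the point of correlating on the originating process rather than on the destination alone.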