Kaspersky researchers publish details of cyber-threat group DeathStalker

Photo by Markus Spiske

While state-sponsored threat actors and sophisticated attacks are often in the spotlight, businesses today are faced with a whole array of more immediate threats. These range from ransomware and data leaks to commercial espionage, and result in no less damage to the organizations’ operations or reputation. These attacks are carried out by mid-level malware orchestrators and sometimes, by hacker-for-hire groups, such as DeathStalker, which Kaspersky has been tracking since 2018.

DeathStalker is a unique threat group which mainly focuses on cyber-espionage against law firms and organizations in the financial sector. The threat actor is highly adaptive and notable for using iterative fast-paced approach to software design, making them able to execute effective campaigns.

Recent research enabled Kaspersky to link DeathStalker’s activity to three malware families, Powersing, Evilnum and Janicab, which demonstrates the breadth of the groups’ activity carried out since at least 2012.

While Powersing has been traced by the security vendor since 2018, the other two malware families have been reported on by other cybersecurity vendors. Analysis of code similarities and victimology between the three malware families enabled researcher to link them to each other with medium confidence.

The threat actors’ tactics, techniques and procedures remained unchanged over the years: they rely on tailored spear-phishing e-mails to deliver archives containing malicious files. When the user clicks the shortcut, a malicious script is executed and downloads further components from the internet. This allows attackers to gain control over the victim’s machine.

One of the example is the use of Powersing, a Power-Shell-based implant that was the first detected malware from this threat actor. Once the victim’s machine has been infected, the malware is able to capture periodic screenshots and execute arbitrary Powershell scripts. Using alternative persistence methods depending on the security solution detected on an infected device, the malware is able to evade detection, signaling to the groups’ ability to perform detection tests before each campaign and update the scripts in line with the latest results.

In the campaigns using Powersing, DeathStalker also employs a well-known public service to blend in initial backdoor communications into legitimate network traffic, thereby limiting the defenders’ ability to hinder their operations. Using dead-drop resolvers – hosts of information that point to additional command and control infrastructure – placed on a variety legitimate social media, blogging and messaging services, the actor was able to evade detection and quickly terminate a campaign. Once victims are infected, they will reach out to and be redirected by these resolvers, thus hiding the communication chain.

DeathStalker activity has been detected across the world, further signifying the size of their operations. Powersing-related activities were identified in Argentina, China, Cyprus, Israel, Lebanon, Switzerland, Taiwan, Turkey, the United Kingdom and the United Arab Emirates. Kaspersky also located Evilnum victims in Cyprus, India, Lebanon, Russia, and the United Arab Emirates. 

Comments Ivan Kwiatkowski, senior security researcher at Kaspersky’s GReAT, “DeathStalker is a prime example of a threat actor that organizations in the private sector need to defend themselves against. While we often focus on the activities carried out by APT groups, DeathStalker remind us that organizations that are not traditionally the most security-conscious need to be aware of becoming targets too.

“Furthermore, judging by their continuous activity, we expect that DeathStalker will continue to remain a threat with new tools employed to impact organizations. This actor, in a sense, is proof that small and medium-sized companies need to invest in security and awareness training too. 

“To stay protected from DeathStalker, we advise organizations to disable the ability to use scripting languages, such as powershell.exe and cscript.exe, wherever possible. We also recommend that future awareness training and security product assessments include infection chains based on LNK (shortcut) files.”

In order to avoid falling victim to a targeted attack by a known or unknown threat actor, Kaspersky researchers recommend implementing the following measures:

  • Provide your SOC team with access to the latest threat intelligence (TI)
  • Make sure the right endpoints protection is in place
  • As many targeted attacks start with phishing or other social engineering techniques, introduce security awareness training and teach practical skills