Security researchers have recently documented a sophisticated hacker-for-hire group known as DeathStalker. The group runs commercial cyber-espionage campaigns at scale, against targets spread from Europe to Latin America.
DeathStalker has been active since 2012 and has attacked small and medium-sized businesses as well as larger companies and government organizations. It has also been observed targeting a diplomatic entity.
Three previously tracked malware families, Powersing, Evilnum and Janicab, have been linked to the group's activity, and they form the three toolchains DeathStalker is known to use. Its infection chains have targeted private-sector organizations such as law offices, wealth consultancy firms and financial technology companies. To evade detection, DeathStalker uses legitimate social media, blogging and messaging services such as Google+, Imgur, Twitter and YouTube as dead drop resolvers: an innocuous-looking post on one of these services encodes the real command-and-control address, which the implant fetches and decodes at run time, so the malware never has to carry a hard-coded C2 address and its first network contact is with a trusted domain.
Analysis of these toolchains shows that they are used to gain an initial foothold in the victim's network; their main role is to deploy further payloads. In July this year Evilnum was found spying on targeted companies and their customers to obtain financial information. Since March 2020, DeathStalker has notably used COVID-19 themes to deploy both the Janicab and Powersing implants.
Given its continuous activity and the new tools it keeps adding to hit organizations worldwide, DeathStalker is expected to remain a threat. Like the previously reported hacker-for-hire group 'Deceptikons', such groups are emerging as a distinct kind of player in the cyber threat landscape.
Our security experts advise users and organizations to monitor every process creation of the native Windows script interpreters, such as powershell.exe and cscript.exe, and to make these utilities unavailable wherever that is possible. Since administrators often depend on them, restricting them through application control (for example AppLocker or WDAC rules limited to the accounts that need them) is usually more realistic than deleting them outright. We also recommend that future awareness training and security product assessments include infection chains based on LNK (Windows shortcut) files.
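One way to act on that advice is to score process-creation telemetry for interpreter launches and escalate the ones that look like a user double-clicked a shortcut. The script below is an added example, not code from eScan or from the researchers who documented DeathStalker. It assumes records with Sysmon Event ID 1 / Security 4688 style fields (Image, CommandLine, ParentImage, User); the sample records are constructed, the interpreter list extends the post's powershell.exe and cscript.exe with wscript.exe and pwsh.exe, and the command-line patterns and score weights are assumptions a practitioner would tune to their own environment.

```python
"""Triage Windows process-creation events for script-interpreter abuse.

Added example (not eScan's or the DeathStalker researchers' code). Input
records are constructed to look like Sysmon Event ID 1 / Security 4688
fields; the interpreter list, patterns and weights are assumptions.
"""
import re
from pathlib import PureWindowsPath

# Native script interpreters worth watching. The post names the first two;
# wscript.exe and pwsh.exe are assumed additions of the same kind.
INTERPRETERS = {"powershell.exe", "cscript.exe", "wscript.exe", "pwsh.exe"}

# Parent processes that mean a user launched something interactively, which is
# what an LNK-based chain looks like: explorer.exe resolves the shortcut and
# spawns the interpreter named in its target. Assumed set, extend as needed.
USER_LAUNCHERS = {"explorer.exe"}

# Command-line traits common in shortcut-launched interpreters and rare in
# administrator usage. Each hit adds one point. Assumed list.
SUSPICIOUS_ARGS = [
    (r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\b", "encoded command"),
    (r"(?i)-w(?:indowstyle)?\s+hidden", "hidden window"),
    (r"(?i)-nop\b|-noprofile\b", "profile bypass"),
    (r"(?i)downloadstring|invoke-webrequest|iwr\b|iex\b|invoke-expression",
     "download/eval"),
    (r"(?i)\\(?:appdata|temp|downloads|public)\\[^\s\"]*\.(?:js|vbs|wsf|ps1|lnk)\b",
     "script in user-writable path"),
]


def basename(image: str) -> str:
    """Lower-cased file name of a Windows image path ('' if empty)."""
    return PureWindowsPath(image or "").name.lower()


def score_event(event: dict) -> tuple[int, list[str]]:
    """Return (score, reasons) for one record; 0 means not an interpreter launch."""
    image = basename(event.get("Image", ""))
    if image not in INTERPRETERS:
        return 0, []
    score, reasons = 1, [f"interpreter launch: {image}"]
    parent = basename(event.get("ParentImage", ""))
    if parent in USER_LAUNCHERS:
        score += 2
        reasons.append(f"parent is {parent} (user-initiated, LNK-style chain)")
    cmdline = event.get("CommandLine", "")
    for pattern, label in SUSPICIOUS_ARGS:
        if re.search(pattern, cmdline):
            score += 1
            reasons.append(label)
    return score, reasons


def triage(events: list[dict], threshold: int = 3) -> list[dict]:
    """Score every record and return alerts at or above threshold, highest first."""
    alerts = []
    for event in events:
        score, reasons = score_event(event)
        if score >= threshold:
            alerts.append({"score": score, "reasons": reasons, "event": event})
    return sorted(alerts, key=lambda a: a["score"], reverse=True)


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    # 1. Administrator running a scheduled script from a console: benign context.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\backup.ps1",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": r"CORP\admin"},
    # 2. LNK-style chain: explorer.exe spawns cscript.exe on a script in %TEMP%.
    {"Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r'cscript.exe //e:jscript //nologo "C:\Users\jdoe\AppData\Local\Temp\update.js"',
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\jdoe"},
    # 3. Hidden, encoded PowerShell launched from explorer.exe.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\jdoe"},
    # 4. Not an interpreter at all; must score 0.
    {"Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "CommandLine": "firefox.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\jdoe"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert["score"], alert["event"]["User"], "|", "; ".join(alert["reasons"]))
```

Run against the constructed records, the console-launched backup script scores 1 and is not reported, while the two explorer.exe-spawned interpreters score 4 and 6 and are returned first. In practice the records would come from Sysmon Event ID 1 or from Security 4688 with command-line auditing enabled, and the parent-process signal is the one worth keeping even if the argument patterns are tuned away: a shortcut from an e-mail attachment almost always ends up as explorer.exe launching an interpreter, whereas administrators launch them from a console or a management agent.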
To read more, please check the eScan Blog.