Hackers for hire have presented persistent threats across the world, but new evasion techniques make small- and medium-sized enterprises most vulnerable.

A ‘mercenary’ advanced persistent threat (APT) group has been carrying out targeted espionage attacks on small and medium-sized enterprises (SMEs) in the financial sector since at least 2012. The most recent discoveries show that the group, DeathStalker, has spread across Argentina, China, Cyprus, Israel, Lebanon, Switzerland, Taiwan, Turkey, the United Kingdom and the United Arab Emirates.

Victims have also been seen in Cyprus, India, Lebanon, Russia, and the United Arab Emirates, further signifying the size of DeathStalker operations and highlighting why cybersecurity protection is a necessity for small and medium-sized organizations.

While state-sponsored threat actors and sophisticated attacks are often in the spotlight, businesses today face a whole array of more immediate threats. These range from ransomware and data leaks to commercial espionage, and they cause no less damage to an organization’s operations or reputation. Such attacks are carried out by mid-level malware operators and sometimes by hackers-for-hire groups such as DeathStalker, which cybersecurity specialist Kaspersky has been tracking since 2018.

Its name is DeathStalker

This unique threat group mainly focuses on cyberespionage against law firms and organizations in the financial sector. The threat actor is highly adaptive and is noted for using an iterative, fast-paced approach to software design to execute effective campaigns.

This prompted Kaspersky researchers to link DeathStalker’s activity to three malware families, Powersing, Evilnum and Janicab, which demonstrates the breadth of the group’s activity carried out since at least 2012. While Powersing has been tracked by Kaspersky since 2018, the other two malware families have been reported on by other cybersecurity vendors. Analysis of code similarities and victimology between the three malware families has enabled researchers to link them to each other with medium confidence.

TTPs remain identifiable

The threat actor’s tactics, techniques and procedures (TTPs) have remained unchanged over the years: they rely on tailored spear-phishing e-mails to deliver archives containing malicious files, among them a shortcut. When the user clicks the shortcut, a malicious script is executed, and it downloads further components from the internet. This gives the attackers control over the victim’s machine.

One example is the use of Powersing, a PowerShell-based implant that was the first malware detected from this threat actor. Once the victim’s machine has been infected, the malware is able to capture periodic screenshots and execute arbitrary PowerShell scripts. By switching between alternative persistence methods depending on the security solution detected on an infected device, the malware is able to evade detection, signaling the group’s ability to run detection tests before each campaign and update its scripts in line with the latest results.

In the campaigns using Powersing, DeathStalker also employs well-known public services to blend initial backdoor communications into legitimate network traffic, thereby limiting the defenders’ ability to hinder its operations. Using dead-drop resolvers (hosts of information that point to additional command and control infrastructure) placed on a variety of legitimate social media, blogging and messaging services, the actor was able to evade detection and quickly terminate a campaign. Once infected, victims’ machines reach out to these resolvers and are redirected by them, which hides the communication chain.

Popular social and media platforms such as Reddit, Twitter, YouTube, Google+ and Tumblr offer a convenient place to store malware code while evading defenders.

Disable scripting support

According to Ivan Kwiatkowski, Senior Security Researcher, Kaspersky: “DeathStalker is a prime example of a threat actor that organizations in the private sector need to defend themselves against. While we often focus on the activities carried out by APT groups, DeathStalker reminds us that organizations that are not traditionally the most security-conscious need to be aware of becoming targets too. Furthermore, judging by their continuous activity, we expect that DeathStalker will continue to remain a threat with new tools employed to impact organizations.”

DeathStalker, in a sense, is proof that SMEs need to invest in security and awareness training too. “To stay protected from DeathStalker, we advise organizations to disable the ability to use scripting languages, such as powershell.exe and cscript.exe, wherever possible. We also recommend that future awareness training and security product assessments include infection chains based on LNK (shortcut) files.”
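As an added illustration of what an assessment of LNK-based infection chains can check (example code written for this article, not Kaspersky’s or DeathStalker’s): a minimal parser for the StringData fields of a Windows shortcut, following the MS-SHLLINK header layout, plus a triage heuristic that flags shortcuts whose target or arguments point at a script host such as powershell.exe or cscript.exe. The sample shortcut, the script-host list and the argument keywords are constructed here and are assumptions, not indicators from the article.

```python
import struct

# LinkFlags bits from the MS-SHLLINK ShellLinkHeader (offset 0x14).
HAS_TARGET_IDLIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION))
# Constructed triage lists: script hosts and argument fragments worth a closer look.
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe", "mshta.exe")
SUSPICIOUS_ARGS = ("-enc", "hidden", "bypass", "http")


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a shortcut (only those whose flag bit is set)."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a shell link: bad HeaderSize")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C
    if flags & HAS_TARGET_IDLIST:  # skip IDListSize (2 bytes) plus the IDList itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # LinkInfoSize counts itself, so skip exactly that many bytes
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for key, bit in STRING_FIELDS:
        if flags & bit:  # CountCharacters (2 bytes) then the characters, no terminator
            count = struct.unpack_from("<H", data, pos)[0]
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos + 2:pos + 2 + count * width]
            fields[key] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += 2 + count * width
    return fields


def triage_lnk(data: bytes) -> list:
    """Reasons this shortcut looks like a script launcher; an empty list means nothing flagged."""
    f = parse_lnk(data)
    text = (f.get("relative_path", "") + " " + f.get("arguments", "")).lower()
    reasons = [h for h in SCRIPT_HOSTS if h in text]
    reasons += [a for a in SUSPICIOUS_ARGS if a in f.get("arguments", "").lower()]
    return reasons


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Constructed sample: a minimal Unicode .lnk carrying only RELATIVE_PATH and ARGUMENTS."""
    header = struct.pack("<I", 0x4C) + bytes.fromhex("0114020000000000c000000000000046")  # LinkCLSID
    header += struct.pack("<I", HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE) + b"\0" * 52
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (relative_path, arguments))
    return header + body
```

Run `triage_lnk` over every .lnk extracted from an archive attachment; a non-empty result is a candidate for quarantine and analyst review rather than automatic blocking, since legitimate shortcuts to script hosts exist.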