DeathStalker APT Attacked SMBs with Cyber Espionage Tools

Recently, Kaspersky researchers discovered DeathStalker APT, a sophisticated hacker-for-hire group, launching large-scale commercial cyber-espionage campaigns against targets spread from Europe to Latin America.

DeathStalker, the mercenary

Active since at least 2012, DeathStalker APT has been attacking SMBs, as well as larger businesses and government organizations.
  • Researchers linked DeathStalker’s activities to three earlier tracked malware families: Powersing, Evilnum, and Janicab.
  • The group’s infection chain has targeted private-sector organizations such as law offices, wealth consultancy firms, and financial technology companies.
  • DeathStalker leverages legitimate social media, blogging, and messaging services, such as Google+, Imgur, Twitter, and YouTube, as dead drop resolvers to evade detection.
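The dead-drop-resolver pattern described above is worth detecting on the network side: an implant that reads its command-and-control location from a public post tends to fetch the same URL on a legitimate service at a fixed cadence, which ordinary browsing rarely does. The Python script below is an added example, not Kaspersky's code or anything from the DeathStalker toolchains; it runs a simple regularity heuristic over constructed proxy log lines, and the hostnames, log format, and thresholds are all assumptions for illustration.

```python
"""
Heuristic detector for dead-drop-resolver polling: repeated, evenly spaced
fetches of one URL on a legitimate public service from a single client.
The log lines, hostnames, and thresholds below are constructed for this
example and are not from the original report.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Assumption: hostnames of the services the report says are abused as dead
# drops (Google+, Imgur, Twitter, YouTube); an operator would extend this.
DEAD_DROP_HOSTS = {"plus.google.com", "imgur.com", "twitter.com", "www.youtube.com"}

# Constructed proxy log lines: ISO timestamp, client IP, requested URL.
SAMPLE_LOG = """\
2020-08-01T09:00:00 10.0.0.5 https://www.youtube.com/watch?v=abc123
2020-08-01T09:01:02 10.0.0.7 https://imgur.com/gallery/holiday
2020-08-01T09:00:00 10.0.0.9 https://imgur.com/a/xyz987
2020-08-01T09:10:00 10.0.0.9 https://imgur.com/a/xyz987
2020-08-01T09:20:00 10.0.0.9 https://imgur.com/a/xyz987
2020-08-01T09:30:00 10.0.0.9 https://imgur.com/a/xyz987
2020-08-01T09:05:00 10.0.0.7 https://twitter.com/someuser/status/1
2020-08-01T09:35:00 10.0.0.7 https://twitter.com/someuser/status/2
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)$")


def parse_line(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, url = m.groups()
    host = url.split("/")[2]  # scheme://host/... -> host
    return {"ts": datetime.fromisoformat(ts), "client": client, "url": url, "host": host}


def find_dead_drop_beacons(log_text, min_hits=3, max_jitter=timedelta(seconds=30)):
    """Return {(client, url): hit_count} for URLs on a dead-drop-capable host
    that one client fetched at least min_hits times at a near-constant
    interval. Regularity is measured as the spread between consecutive gaps:
    a browser user rarely refetches one post on a schedule, while an implant
    polling its resolver for a C2 address does exactly that."""
    by_key = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line.strip())
        if rec and rec["host"] in DEAD_DROP_HOSTS:
            by_key[(rec["client"], rec["url"])].append(rec["ts"])

    alerts = {}
    for key, times in by_key.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= max_jitter:
            alerts[key] = len(times)
    return alerts


if __name__ == "__main__":
    for (client, url), hits in find_dead_drop_beacons(SAMPLE_LOG).items():
        print(f"possible dead-drop polling: {client} fetched {url} {hits} times at a fixed interval")
```

On the constructed sample only the 10.0.0.9 client trips the heuristic (four fetches of the same Imgur page exactly ten minutes apart); the other clients hit each URL once, as a person browsing would. In a real deployment the interval tolerance and hit threshold need tuning against the organisation's own traffic, and the alert is a lead for investigation rather than proof of compromise.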

A menacing triumvirate

The DeathStalker group used three toolchains, named Janicab, Powersing, and Evilnum.
  • Analysis by Kaspersky researchers suggests that these malware toolchains are used to gain a foothold inside the victim’s network; their key role is to enable the deployment of further payloads.
  • In July 2020, Evilnum was found spying on its targets to obtain financial information from both the targeted companies and their customers.
  • Since March 2020, DeathStalker has notably leveraged a COVID-19 theme for both Janicab and Powersing implant deployment.

Conclusion

Judging by its continuous activity, DeathStalker is expected to remain a threat, employing new tools to impact organizations globally. Like the previously discovered hacker-for-hire group ‘Deceptikons’, such groups are emerging as a distinct player in the cyber threat landscape.