DeathStalker hackers are targeting travel agencies in Egypt, Georgia, Saudi Arabia, the UAE, and the U.K with a new Janicab variant. The campaign traces back to early 2015 and involves several tools, backdoors, and Dead-Drop Resolvers (DDRs).
The latest discovery
According to Kaspersky researchers, DeathStalker is using phishing and spear-phishing emails with an LNK-based dropper inside a ZIP archive to lure victims.
- The file purports to be a corporate profile document related to power hydraulics that, when opened, drops a series of chained malware files.
- It leads to the deployment of the VBScript-based Janicab implant, which further initiates the deployment of a new LNK file in the Startup directory.
- It will start communicating with the DDRs—YouTube, Google+, and WordPress web services—to gather the actual C2 IP address for retrieving follow-on commands and exfiltrating data. Moreover, it is capable of deploying more tools.
Evolution of Janicab
Janicab is a VBS-based malware implant that was first launched in 2013 and could run on both macOS and Windows.
- Eight different Janicab versions have been found so far. The newer Janicab variants have most of the tools embedded and obfuscated within the dropper.
- The group has added a DLL-based keylogger or screen capture utility that overlaps with prior Powersing attacks. It was mostly embedded inside CAB files as extra resources or as a HEX bytes array.
- The group has removed audio recording features and added additional functions for checking for installed antivirus products and getting a list of processes indicating malware analysis.
Conclusion
The group has continued to update its malware toolset to maintain stealth over extended periods of time. DeathStalker harvests sensitive business information from its victims, indicating it is either offering hacking-for-hire services or acting as some sort of information broker in financial circles. Affected industries are suggested to proactively prepare for such intrusions and update their strategies to prevent cyberattacks.
Publisher
/https://cyware-ent.s3.amazonaws.com/image_bank/d7d4_shutterstock_641115634.jpg)
/https://cyware-ent.s3.amazonaws.com/image_bank/d096_shutterstock_2077936345.jpg)
