Kaspersky has lifted the veil on APT group DeathStalker. DeathStalker is a mercenary group that targets small and medium-sized law and financial services firms. Kaspersky believes that it is a hacking-for-hire service and information broker. It has now been linked with attacks in several countries and three scripting language-based toolchains.
The detailed overview of DeathStalker has been written by Kaspersky researchers Ivan Kwiatkowski, Pierre Delcher, Maher Yamout. In it, they write: “As far as we can tell, this actor isn’t motivated by financial gain. They don’t deploy ransomware, steal payment information to resell it, or engage in any type of activity commonly associated with the cybercrime underworld.
“Their interest in gathering sensitive business information leads us to believe that DeathStalker is a group of mercenaries offering hacking-for-hire services, or acting as some sort of information broker in financial circles.”
According to Kwiatkowski: “DeathStalker is a prime example of a threat actor that organisations in the private sector need to defend themselves against. While we often focus on the activities carried out by APT groups, DeathStalker remind us that organisations that are not traditionally the most security-conscious need to be aware of becoming targets too.
“Furthermore, judging by their continuous activity, we expect that DeathStalker will continue to remain a threat with new tools employed to impact organisations. This actor, in a sense, is proof that small and medium-sized companies need to invest in security and awareness training too.”
Who is DeathStalker targeting?
The blog is careful not to name any victims directly. It does state that it has confirmed attacks in 12 countries. It seems that DeathStalker often uses different tools for specific countries. Those countries where it has been identified as being active include: Argentina, China, Cyprus, India, Israel, Lebanon, Russia, Switzerland, Taiwan, Turkey, the United Kingdom and the United Arab Emirates.
Surprisingly, the USA does not figure in this list of countries nor do many tax havens. Why that is, Kaspersky doesn’t say. After all, if looking to be an information broker in financial circles, data from tax havens would be highly prized.
There also appears to be little overlap between the tools used to attack countries. Only Cyprus, Lebanon and the United Arab Emirates have been hit by more than one of the tools that DeathStalker uses.
In addition to law firms and financial technology services, Kaspersky also says it has seen attacks against wealth consultancy firms. There is also the claim that it was seen targeting an unnamed diplomatic entity.
What will interest other researchers is the attacks against financial technology service firms. The question is whether DeathStalker has succeeded in embedding any code inside software products. If so, the list of potential targets could be substantial. Enterprise Times has asked Kaspersky if it has seen any evidence of this or whether the attacks are simply one-off events.
A three-headed toolchain
The researchers also called out three scripting language-based toolchains in use by DeathStalker. Unsurprisingly, spear-phishing emails using malicious attachments such as LNK files are its primary attack vector. This is common across all three toolchains.
What is also common across all three toolchains, and one of the reasons that the researchers are linking them to DeathStalker, is the use of dead drop resolvers. This is where the attacker posts a message to a public service with an encoded link. Users clicking on the links are immediately subjected to attack.
In the blog, the researchers list several sites where they have seen dead drop resolvers that are used by the Powersing toolchain. It includes:
They also admit that this is unlikely to be an exhaustive list. The dead drop resolvers connect further into the Powersing attack chain than the LNK files. However, the result is the same: a foothold on the infected device from which DeathStalker can launch further attacks and download additional malware.
The researchers also call out connections to the Janicab and Evilnum malware families. It is important to note that in the details of the blog, the researchers say these are both possible connections worth investigating. In the blog summary, they list several similarities that overlap all three families. Any further investigation should determine if the overlaps are coincidence or deliberate.
Kwiatkowski has some advice for organisations looking to protect themselves from DeathStalker. He says: “To stay protected from DeathStalker, we advise organisations to disable the ability to use scripting languages, such as powershell.exe and cscript.exe, wherever possible. We also recommend that future awareness training and security product assessments include infection chains based on LNK (shortcut) files.”
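The LNK (shortcut) attachments described above as DeathStalker's primary vector can be triaged without opening them, because the target path and arguments sit in the shortcut's StringData section. The following is an added example, not code from Kaspersky or from the article: a minimal MS-SHLLINK parser that pulls those fields out and flags shortcuts pointing at script hosts such as powershell.exe or cscript.exe. The sample shortcut is constructed in-line by `build_lnk`; the list of script hosts and the ANSI code page fallback are assumptions for the example.

```python
import struct

HEADER_SIZE = 0x4C                       # fixed ShellLinkHeader length
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# LinkFlags bits (MS-SHLLINK 2.1.1); only the low byte is needed here
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_DATA = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
               (0x20, "arguments"), (0x40, "icon_location")]  # in file order
SCRIPT_HOSTS = ("powershell.exe", "cscript.exe", "wscript.exe", "mshta.exe", "cmd.exe")


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields (target path, arguments, ...) of a shortcut."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a .lnk file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = HEADER_SIZE
    if flags & HAS_ID_LIST:          # skip LinkTargetIDList: uint16 size + items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:        # skip LinkInfo: uint32 size that includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for bit, name in STRING_DATA:    # each present string: uint16 char count + chars
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:                        # assumption: Western ANSI code page for non-Unicode files
            fields[name] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return fields


def launches_script_host(fields: dict) -> bool:
    """Flag shortcuts whose target or arguments name a script interpreter."""
    text = (fields.get("relative_path", "") + " " + fields.get("arguments", "")).lower()
    return any(host in text for host in SCRIPT_HOSTS)


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Constructed sample: minimal Unicode shortcut carrying only RelativePath and Arguments."""
    header = bytearray(HEADER_SIZE)
    struct.pack_into("<I", header, 0, HEADER_SIZE)
    header[4:20] = LNK_CLSID
    struct.pack_into("<I", header, 0x14, 0x08 | 0x20 | IS_UNICODE)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, arguments))
    return bytes(header) + body
```

Running `parse_lnk` over real attachments also lets an assessment check whether a mail gateway or endpoint product inspects shortcut targets rather than only file extensions.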
Enterprise Times: What does this mean?
Anyone who thinks that cybercrime groups are all about ransomware and data breaches needs to think again. There are multiple models in use that allow organisations to monetise their skills. DeathStalker has decided to sit further back than many and, in the words of the researchers, act as mercenaries. While they are carrying out the attack, they are not extorting money from the victims. It allows them a degree of separation and reduces their own visibility to those tracking them.
The focus on a small chain of targets also makes sense. SMEs are often under-resourced when it comes to cybersecurity. They lack people, skills and the tools required to defend themselves. In addition, by focusing on a narrow field of industries, DeathStalker can spend its time looking for exploits in a small set of critical software. That not only allows them to become very dangerous adversaries but also allows them to charge premium prices to their customers.
Kaspersky has posted its list of Indicators of Compromise that DeathStalker is using when targeting an organisation. This includes the C&C servers that distribute the code to infected machines. Any law practice, wealth management and financial services firm should take note and update their defences.