The DeathStalker cyberspy group and its tool set

Our experts have identified a cybercriminal group that specializes in stealing trade secrets. Judging by its targets so far, the group is interested mainly in attacking fintech companies, law firms, and financial advisors, although in at least one case, it also attacked a diplomatic entity.

Such a choice of targets may indicate that this group, code-named DeathStalker, is either looking for particular information to sell or offering an “attack on demand” service. In other words, the group is mercenary.

The DeathStalker group has been active since 2018 or earlier, and possibly since 2012. Its use of the Powersing implant is what first caught our experts’ attention. More recent operations employ similar methods as well.

First, the criminals penetrate the victim’s network using spear phishing, and then they send a malicious LNK file disguised as a document to an employee of the organization. The file is a shortcut that launches the system’s command line interpreter, cmd.exe, and uses it to execute a malicious script. The victim is shown a meaningless document in PDF, DOC, or DOCX format, which creates the illusion that they opened a normal file.

Interestingly, the malicious code does not contain the C&C server’s address. Instead, the program accesses a post that is published on a public platform, where it reads a string of characters that at first glance seem meaningless. In fact, it is encrypted information designed to activate the next stage of the attack. This type of tactic is known as the dead drop resolver.

During the next stage, the attackers seize control of the computer, place a malicious shortcut in the autorun folder (so that it continues to run on the system), and establishes a connection with the real C&C server (though only after it decodes its address from what appears to be another meaningless string published on a legitimate website).

Essentially, the Powersing implant performs two tasks: It periodically takes screenshots on the victim’s machine and sends them to the C&C server, and it also executes additional Powershell scripts that are downloaded from the C&C server. In other words, its goal is to gain a foothold on the victim’s machine in order to launch additional tools.

Ways of deceiving security mechanisms

At all stages, this malware uses various methods to bypass security technologies, and its choice of method depends on the target. Moreover, if it identifies an antivirus solution on the target computer, the malware can change tactics or even disable itself. Our experts believe that the cybercriminals study the target and fine-tune their scripts for each attack.

But DeathStalker’s most curious technique is the use of public services as a dead-drop-resolver mechanism. In essence, these services allow encrypted information to be stored at a fixed address in the form of publicly accessible posts, comments, user profiles, and content descriptions. These posts can look like the following:

An example of meaningless message

By and large, it’s just a trick: This is how attackers try to hide the start of communication with the C&C server, making protection mechanisms think someone is just accessing public websites. Our experts identified cases where attackers had used Google+, Imgur, Reddit, ShockChan, Tumblr, Twitter, YouTube, and WordPress websites for that purpose. And the above is hardly a comprehensive list. Nevertheless, companies are unlikely to block access to all of these services.

You’ll find more information about a possible link between the DeathStalker group and the Janicab and Evilnum malware, as well as a full technical description of Powersing, including indicators of compromise, in Securelist’s recent post about DeathStalker.

How to protect your company from DeathStalker

A description of the group’s methods and tools provides a good illustration of what threats even a relatively small company can face in the modern world. Of course, the group is hardly an APT actor, and it does not use any particularly complicated tricks. However, its tools are tailored to bypass many security solutions. Our experts recommend the following protective measures:

  • Pay special attention to processes that are launched by scripting language interpreters, including in particular powershell.exe and cscript.exe. If you have no objective need for them to perform business tasks, disable them.
  • Watch out for attacks that are perpetrated by LNK files spread through e-mail messages.
  • Use advanced protective technologies, including EDR-class solutions.

In particular, we have an integrated solution in our arsenal that can take over the functions of both the Endpoint Protection Platform (EPP) and Endpoint Detection and Response (EDR). You can learn more about it here.