DeathStalker mercenaries attacking cryptocurrency

News Desk -


Since 2018, Kaspersky researchers have been tracking attack campaigns by the DeathStalker hack-for-hire group.

According to recent analysis, the threat actor updated its evasive “VileRAT” toolset in 2022 to attack cryptocurrency and foreign currency exchange companies in Bulgaria, Cyprus, Germany, the Grenadines, Kuwait, Malta, the United Arab Emirates, and Russia.

“Escaping detection has always been a goal for DeathStalker, for as long as we’ve tracked the threat actor. But the VileRAT campaign took this desire to another level: it is undoubtedly the most intricate, obfuscated and tentatively evasive campaign we have ever identified from this actor. We believe DeathStalker’s tactics and practices are sufficient (and proven to be) to act on soft targets who may not be experienced enough to withstand such a level of determination, and may not have made security one of their organization’s top priorities, or who frequently interact with third parties that have not done so,” comments Pierre Delcher, Senior Security Researcher at Kaspersky’s GReAT.

DeathStalker is a well-known hack-for-hire APT actor that Kaspersky has been monitoring since 2018, primarily targeting law firms and financial institutions. The threat actor stands out because its attacks do not appear to be motivated by politics or money. DeathStalker, according to Kaspersky researchers, operates as a mercenary organization, providing specialized hacking or financial intelligence services.

DeathStalker’s profile and malicious activities, including their Janicab, Evilnum, PowerSing, and PowerPepper campaigns, were reviewed by Kaspersky researchers in 2020. In mid-2020, company experts discovered a new and highly evasive infection based on the “VileRAT” Python implant. Since then, experts have been closely monitoring the actor’s activity and have discovered that in 2022, it aggressively targeted foreign currency (FOREX) and cryptocurrency trading companies all over the world.

VileRAT is typically deployed at the end of a lengthy infection chain that begins with spearphishing emails. This summer, the attackers also used chatbots embedded in the public websites of targeted companies to deliver malicious documents. To disguise the attack, the DOCX documents are frequently named with the keywords “compliance” or “complaint” (along with the name of the targeted company), implying that the sender is responding to an identification request or reporting an issue.

Malicious DOCX social engineering message
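The lure pattern described above (Word attachments named with “compliance” or “complaint” plus the target’s own name, arriving by email or through the website chatbot) can be turned into a simple gateway-log heuristic. This is an added example written for this article, not Kaspersky’s or the threat actor’s code; the log format, the organisation name “ExampleFX” and all sample lines are constructed assumptions.

```python
import re

# Constructed example, not Kaspersky's or DeathStalker's code. The log
# format, the organisation 'ExampleFX' and every sample line are assumptions.
LURE_KEYWORDS = ("compliance", "complaint")

# Hypothetical mail/chat-gateway log: sender|recipient|channel|attachment
SAMPLE_LOG = """\
alice@partner-bank.example|ops@examplefx.example|smtp|Q3_report.xlsx
legal@some-law-firm.example|support@examplefx.example|smtp|ExampleFX_Compliance.docx
visitor-4821@chatbot|support@examplefx.example|webchat|Complaint - ExampleFX.docx
bob@examplefx.example|ops@examplefx.example|smtp|compliance_checklist.docx
ann@other.example|help@examplefx.example|smtp|ExampleFX_Compliance.pdf
"""

def lure_reasons(sender, channel, attachment, org, org_domain):
    """Heuristic hits for one attachment; an empty tuple means no alert."""
    name = attachment.lower()
    if not re.search(r"\.docx?$", name):   # only Word documents matter here
        return ()
    reasons = []
    if any(k in name for k in LURE_KEYWORDS):
        reasons.append("lure-keyword")
    if org.lower() in name:
        reasons.append("org-name-in-filename")
    if channel == "webchat":               # lure pushed through the site chatbot
        reasons.append("website-chatbot-delivery")
    elif not sender.lower().endswith("@" + org_domain):
        reasons.append("external-sender")
    # Keyword alone is noisy (internal checklists); require one more signal.
    if "lure-keyword" in reasons and len(reasons) >= 2:
        return tuple(reasons)
    return ()

def scan_log(log_text, org, org_domain):
    """Return (sender, attachment, reasons) for each suspicious attachment."""
    findings = []
    for line in log_text.splitlines():
        sender, _recipient, channel, attachment = line.split("|")
        reasons = lure_reasons(sender, channel, attachment, org, org_domain)
        if reasons:
            findings.append((sender, attachment, reasons))
    return findings

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG, "ExampleFX", "examplefx.example"):
        print(hit)
```

On the constructed log the two external Word lures are flagged while the internal “compliance_checklist.docx” and the PDF are not; the heuristic is a triage aid, not a substitute for detonating the document.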

The VileRAT campaign is notable for the sophistication of its tools and vast malicious infrastructure (in comparison to previously documented DeathStalker activities), the numerous obfuscation techniques used throughout the infection, and its continuous and persistent activity since 2020. The VileRAT campaign demonstrates how DeathStalker works hard to develop and maintain access to its targets. The possible goals of the attacks range from due diligence to asset recovery, litigation or arbitration case support, and working around sanctions, but there appears to be no direct financial gain.

VileRAT does not appear to target particular countries. Instead, Kaspersky researchers report indiscriminate advanced attacks using VileRAT all around the globe, with compromised organizations in Bulgaria, Cyprus, Germany, the Grenadines, Kuwait, Malta, the United Arab Emirates and Russia. It should be noted that the identified organizations range from recent startups to established industry leaders.