Deathstalker is such a great name, inspiring fear. In fact, Deathstalkers are a type of scorpion. I desperately wanted to find out that they were misnamed and quite pleasant, but actually they seem like quite nasty, cannibalistic little characters.
Most of the information we can find on this threat comes from Kaspersky, and we haven't been able to verify it with other sources. However, it is sufficiently worrying that we wanted to bring it to your attention.
These hackers are targeting LEGAL and FINANCIAL services firms
They want to steal information to sell, or they will act as mercenaries and attack on demand.
They start with a phishing attack (a hand-crafted email that tempts the victim to open it) to entice the victim to open an apparently innocent file that is actually a Windows shortcut (LNK) carrying a hidden PowerShell script. Of course, the victim doesn't know that; they think it's something they need to read: a candidate CV, a remittance advice, a purchase order, or a letter of some sort.
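As an added example (not code from the original post, nor from Kaspersky or the group it describes), here is a small defender-side scanner for that lure type. It parses the Windows Shell Link (.lnk) binary format far enough to read the shortcut's target, arguments, icon and window mode, and flags shortcuts that launch a script host with hidden-window or encoded-command switches, or that borrow a document application's icon. The two sample shortcuts are constructed in code: the "lure" carries only the base64 of the word PLACEHOLDER, not a script, and the file paths are assumed values chosen for illustration.

```python
"""Heuristic scanner for Windows .lnk lures (added example, not the post's own code)."""
import re
import struct

# Shell Link class id 00021401-0000-0000-C000-000000000046, stored little-endian.
SHELL_LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
# StringData sections appear in this fixed order, each only if its flag is set.
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))
SW_SHOWMINNOACTIVE = 7  # window starts minimised: common in lures, rare in user-made shortcuts
SCRIPT_HOSTS = {"powershell", "pwsh", "cmd", "wscript", "cscript", "mshta", "rundll32", "regsvr32"}
SUSPICIOUS_ARGS = re.compile(
    r"(?i)(-e(c|nc|ncodedcommand)?\b|-w(indowstyle)?\s+hidden|-ep\b|bypass|"
    r"downloadstring|invoke-expression|\biex\b|frombase64string)")


def _unpack(fmt, data, off):
    """Read one little-endian field, failing cleanly on a truncated file."""
    if off + struct.calcsize(fmt) > len(data):
        raise ValueError(f"truncated Shell Link at offset {off}")
    return struct.unpack_from(fmt, data, off)[0]


def parse_lnk(data: bytes) -> dict:
    """Return the header flags, ShowCommand and the StringData fields of a .lnk file."""
    if len(data) < 76 or _unpack("<I", data, 0) != 76 or data[4:20] != SHELL_LINK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = _unpack("<I", data, 20)
    fields = {"flags": flags, "show_command": _unpack("<I", data, 60)}
    off = 76
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip the IDList (uint16 size + items)
        off += 2 + _unpack("<H", data, off)
    if flags & HAS_LINK_INFO:                    # skip LinkInfo (uint32 size includes itself)
        off += _unpack("<I", data, off)
    for flag, key in STRING_FIELDS:
        if not flags & flag:
            continue
        count = _unpack("<H", data, off)         # character count, not byte count
        off += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[off:off + count * width]
        if len(raw) != count * width:
            raise ValueError(f"truncated StringData field {key}")
        off += count * width
        fields[key] = raw.decode("utf-16-le" if width == 2 else "cp1252", errors="replace")
    return fields


def _stem(path: str) -> str:
    """Lower-cased file name without extension, for either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower().rsplit(".", 1)[0]


def assess_lnk(data: bytes) -> list:
    """List the reasons a shortcut looks like a script-launching lure (empty = nothing seen)."""
    f = parse_lnk(data)
    reasons = []
    target = _stem(f.get("relative_path", ""))
    if target in SCRIPT_HOSTS:
        reasons.append(f"target is a script host ({target})")
    match = SUSPICIOUS_ARGS.search(f.get("arguments", ""))
    if match:
        reasons.append(f"suspicious argument {match.group(0)!r}")
    if f["show_command"] == SW_SHOWMINNOACTIVE:
        reasons.append("window opens minimised (SW_SHOWMINNOACTIVE)")
    icon = _stem(f.get("icon_location", ""))
    if icon and target and icon != target:
        reasons.append(f"icon taken from {icon}, not from the target")
    return reasons


def build_lnk(relative_path: str, arguments: str, icon_location=None, show_command=1) -> bytes:
    """Assemble a minimal, spec-shaped .lnk so the scanner can be exercised offline."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    if icon_location:
        flags |= HAS_ICON_LOCATION
    header = (struct.pack("<I", 76) + SHELL_LINK_CLSID + struct.pack("<I", flags)
              + struct.pack("<I", 0x20)          # FileAttributes: ARCHIVE
              + b"\x00" * 24                     # creation/access/write FILETIMEs (unknown)
              + struct.pack("<IiIH", 0, 0, show_command, 0)  # FileSize, IconIndex, ShowCommand, HotKey
              + b"\x00" * 10)                    # Reserved1..3
    def s(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + s(relative_path) + s(arguments) + (s(icon_location) if icon_location else b"")


# Constructed samples (assumed paths; the encoded command is base64 of "PLACEHOLDER").
LURE_LNK = build_lnk(r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                     "-WindowStyle Hidden -ExecutionPolicy Bypass -EncodedCommand UExBQ0VIT0xERVI=",
                     icon_location=r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                     show_command=SW_SHOWMINNOACTIVE)
BENIGN_LNK = build_lnk(r"..\..\Program Files\7-Zip\7zFM.exe", "")

if __name__ == "__main__":
    for label, blob in (("lure", LURE_LNK), ("benign", BENIGN_LNK)):
        print(label, assess_lnk(blob) or "no indicators")
```

Run the scanner over quarantined mail attachments or a sandbox's dropped files, and feed the findings to your SOC as a triage hint rather than a verdict: a legitimate admin shortcut can trip the script-host check, which is why each reason is reported separately instead of collapsed into one score. The parser reads any .lnk's StringData, so it generalises beyond the two samples shown.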
Introducing the Dead-Drop-Resolver
The malicious code points to a public, trusted site. This appears legitimate: for example, it may point to a seemingly innocent YouTube video that has a comment containing a weird sequence of characters, which is actually the instruction that triggers the malicious code. That sequence is enough to tell the malware what to do, including launching further malware on the victim's PC.
So, what can you do to reduce your risk?
- Phishing training
- Security Awareness briefings
- Use of ATP tools to scan emails
- Advanced endpoint protection
All of these are part of our KARE for Security service, which we have begun to realise is now a minimum level of protection. We are working through offering a SOC and SIEM to complement this service, and we're just trying to find a solution that meets NZ budgets.
The other action we recommend is ensuring your IT engineer audits user rights and makes sure that no one has any excess access rights: the less access each user has, the less harm that can occur should they become infected.
References
https://www.fintechdirect.net/2020/08/25/deathstalker-cyberspy-group-menaces-fintech-sme
https://cyberdailyreport.com/news/a0f10bb3dedea21466d7f51ea38eb83f