DeathStalker is a recently discovered hacking group that has been found infiltrating small and medium-sized businesses across the world. Research shows that its primary focus is on companies operating in the financial sector. It first emerged a few years ago as a hacker-for-hire group and has since grown into a far more experienced and dangerous collective.
Experienced DeathStalker Hacking Group Launches Attacks on Finance Companies Around the World
Computer security researchers indicate that the DeathStalker hacking group is behind numerous high-impact attack campaigns. The group appears to focus on financial establishments worldwide; the regions affected so far include Europe, Asia and Latin America. From the available information it is evident that the group has used its accumulated experience to build successful attacks.
What is known is that the group has been hired by various parties to carry out intrusions against target networks for payment. These criminal mercenaries have been active since 2018, possibly even 2012, and may be linked to other hacking groups. They became known to the security community thanks to the PowerShell-based implant they use, called Powersing. It is primarily distributed to targets via phishing spam email messages that are prepared and sent in bulk. The victims receive a LNK file in the message contents or attachments. It is disguised as an ordinary office document, but when launched it runs the Powersing payload, which carries out a complex, multi-stage infiltration of the local system.
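The delivery described above relies on a Windows shortcut (LNK) file carrying a document-like name. The following is an added example for mail-gateway or triage tooling, not code from the original article or from the researchers: it inspects the attachments of a MIME message and flags any that carry a .lnk extension or that begin with the Windows shortcut header, whatever their name claims. The sample message and its attachments are constructed inline and are not real DeathStalker artifacts.

```python
import email
from email import policy
from email.message import EmailMessage

# MS-SHLLINK header: HeaderSize (0x4C) followed by LinkCLSID
# 00021401-0000-0000-C000-000000000046 in little-endian GUID layout.
LNK_MAGIC = bytes.fromhex("4C000000" "0114020000000000C000000000000046")


def looks_like_lnk(data: bytes) -> bool:
    """True when the attachment bytes start with a Windows shortcut header."""
    return data.startswith(LNK_MAGIC)


def suspicious_attachments(raw_message: bytes) -> list:
    """Return (filename, reason) pairs for attachments that are, or hide, LNK files.

    Both the name and the content are checked, because the lure depends on a
    document-looking name (e.g. 'Invoice.pdf.lnk', or a .docx that is really a shortcut).
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""
        reasons = []
        if name.lower().endswith(".lnk"):
            reasons.append(".lnk extension")
        if looks_like_lnk(data):
            reasons.append("shortcut header in content")
        if reasons:
            findings.append((name, ", ".join(reasons)))
    return findings


def build_sample_message() -> bytes:
    """Constructed phishing-style message (not a real sample) with three attachments."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "finance@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("Please find the documents attached.")
    fake_lnk = LNK_MAGIC + b"\x00" * 40  # header only; enough to trip the check
    msg.add_attachment(fake_lnk, maintype="application", subtype="octet-stream",
                       filename="Invoice_Q3.pdf.lnk")   # double extension
    msg.add_attachment(fake_lnk, maintype="application", subtype="msword",
                       filename="Contract.docx")        # wrong extension
    msg.add_attachment("plain notes", filename="notes.txt")  # benign
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in suspicious_attachments(build_sample_message()):
        print(f"{name}: {reason}")
```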
Analysis of the samples shows that the implant installs itself persistently: it runs whenever the computer is powered on and also makes it difficult to access recovery options or follow manual user removal guides. It also includes a Trojan horse agent that establishes a persistent connection to a hacker-controlled server and lets the hackers take control of the machine.
In practice this lets the hackers spy on victims continuously, including automatically taking screenshots of user activity and sending them back to the attackers. It also allows arbitrary code execution, which makes possible not only various types of system changes but also the deployment of other malware.
The security analysis of the DeathStalker attacks reveals that the hackers have used several public services as dead drop resolvers: the services host content through which the attackers instruct the remote malware to execute commands or supply URLs for the malware payloads. The instructions are embedded in plaintext messages that look like ordinary communication, but each line actually carries a hidden code that the local malware can interpret. The Powersing PowerShell scripts have been found to use the following services:
Google+, Imgur, Reddit, ShockChan, Tumblr, Twitter, YouTube and WordPress
The experts believe that this sophisticated hacking tool will continue to be developed and used in forthcoming attacks. All of this shows that computer criminals are intent on creating complex ways to infect as many targets as possible.