The DeathStalker hack-for-hire group has updated its evasive 'VileRAT' toolset to attack crypto-currency and foreign currency exchange companies in Bulgaria, Cyprus, Germany, the Grenadines, Kuwait, Malta, the UAE, and Russia this year.
Researchers from Kaspersky have been tracking the notorious APT group’s campaigns since 2018. Although the group mainly targets law firms and organisations in the financial sector, its attacks do not appear to be politically or financially motivated. Instead, the group functions as a mercenary organisation, offering specialised hacking or financial intelligence services.
Two years ago, Kaspersky published an overview of DeathStalker’s profile and malicious activities, including their campaigns called Janicab, Evilnum, PowerSing and PowerPepper.
In mid-2020, researchers uncovered a new and highly evasive infection chain based on the VileRAT Python implant. Experts have been closely monitoring the group's activity since, and discovered that in 2022 it aggressively targeted foreign currency and crypto-currency trading companies all over the world using this implant.
How it works
VileRAT is usually deployed at the end of an intricate infection chain that begins with a spearphishing e-mail. Earlier this year, the attackers also abused chatbots embedded in targeted companies' public Web sites to deliver malicious documents.
The VileRAT campaign stands out for the sophistication of its tools and the size of its malicious infrastructure compared to DeathStalker's previously documented activities.
The numerous obfuscation techniques used throughout the infection chain, together with its continuous and persistent activity since 2020, show how much effort the group puts into developing and maintaining access to its targets.
Kaspersky hypothesises that the goals of the attacks could range from due diligence, asset recovery and support for litigation or arbitration cases to working around sanctions. However, direct financial gain still does not appear to be the motive.
The group shows no interest in any particular country, carrying out indiscriminate advanced attacks using VileRAT all around the world. Similarly, identified targets range from recent startups to established industry leaders.
Pierre Delcher, a senior security researcher at Kaspersky’s GReAT, says evading detection has always been a goal for DeathStalker, for as long as the security giant has tracked the threat actor.
“But the VileRAT campaign took this desire to another level. It is undoubtedly the most intricate, obfuscated, and tentatively evasive campaign we have ever identified from this actor,” he adds.
Kaspersky believes DeathStalker's tactics and practices will work on soft targets that may not be experienced enough to withstand this level of determination, that may not have made security one of their top priorities, or that frequently interact with third parties which have not done so.