APT Group’s Worldwide Targeting of Small and Medium Businesses Revealed

Written by

A detailed analysis of the APT group DeathStalker has been published today by Kaspersky, highlighting the scale of its operations throughout the world, from Europe to Latin America.

The hacker-for-hire organization is known to have been active since at least 2012, primarily focusing on small and medium firms in the financial sector through commercial cyber-espionage campaigns.

Kaspersky said the research demonstrates that small and medium sized companies, as well as larger businesses and government organizations, must be prepared to deal with the threats posed by APT actors such as DeathStalker.

Through tracking the group from 2018, Kaspersky has been able to link its activities to the three malware families Powersing, Evilnum and Janicub, with “medium confidence.”

DeathStalker’s main method of attack is to deliver archives containing malicious files through tailored spear-phishing emails. A malicious script is executed and further components are downloaded from the internet when a user clicks the shortcut, which gives the attackers control of the victim’s machine.

Kaspersky added that in its Powersing campaigns, DeathStalker has become adept at evading detection by placing dead drop resolvers on legitimate social media, blogging and messaging services. Once infected, victims would reach out to and be redirected by these resolvers, which hides the communication chain.

Powersing-related attacks were detected by Kaspersky in Argentina, China, Cyprus, Israel, Lebanon, Switzerland, Taiwan, Turkey, the UK and the UAE, while Evilnum victims were located in Cyprus, India, Lebanon, Russia and the UAE, demonstrating the extent of DeathStalker’s activities around the world.

Ivan Kwiatkowski, senior security researcher at Kaspersky’s GReAT, commented: “DeathStalker is a prime example of a threat actor that organizations in the private sector need to defend themselves against. While we often focus on the activities carried out by APT groups, DeathStalker reminds us that organizations that are not traditionally the most security-conscious need to be aware of becoming targets too.

“Furthermore, judging by its continuous activity, we expect that DeathStalker will continue to remain a threat with new tools employed to impact organizations. This actor, in a sense, is proof that small and medium-sized companies need to invest in security and awareness training too.”

Last month, Kaspersky uncovered a new cyber-mercenary group known as the “Deceptikons,” which has been providing hacking services for hire for almost a decade.

What’s hot on Infosecurity Magazine?