In 2018, researchers from security firm Kaspersky Lab began tracking “DeathStalker,” their name for a hacker-for-hire group that was employing simple but effective malware to do espionage on law firms and companies in the financial industry. Now, the researchers have linked the group to two other pieces of malware including one that dates back to at least 2012.
DeathStalker came to Kasperskys attention for its use of malware that a fellow researcher dubbed “Powersing”. The malware got its name for a 900-line PowerShell script that attackers went to great lengths to obfuscate from antivirus software.
Attacks started with spear-phishing emails with attachments that appeared to be documents but—through a sleight of hand involving LNK files—were actually malicious scripts. To keep targets from getting suspicious, Powersing displayed a decoy document as soon as targets clicked on the attachment.
Besides the LNK trick, Powersing also attempted to throw off AV with its use of “dead drop resolvers.” In effect, these were social media posts that the malware used to covertly piece together crucial information it needed, such as what Internet servers to access and what keys it should use to decrypt its contents. The Tweet below is just one of the dead drop resolvers it used.
The first string contained the AES key to decrypt code that would then find an integer encoded into the second string. The code would then divide the integer by an attacker-controlled constant to arrive at the IP address where the infected computer was to report.
The Internet never forgets
“Relying on well-known public services allows cybercriminals to blend initial backdoor communications into legitimate network traffic,” Kaspersky Lab researchers Ivan Kwiatkowski, Pierre Delcher, and Maher Yamout wrote in a post published on Monday. They continued:
It also limits what defenders can do to hinder their operations, as these platforms cant generally be blocklisted at the company level, and getting content taken down from them can be a difficult and lengthy process. However, this comes at a price: the internet never forgets, and its also difficult for cybercriminals to remove traces of their operations. Thanks to the data indexed or archived by search engines, we estimate that Powersing was first used around August 2017.
The researcher who coined the Powersing name speculated that the malware may be linked to a different malware family known as Janicab, that dates back to at least 2012. The Kaspersky Lab researchers analyzed a Janicab sampled published in 2015 by AV provider F-Secure.
They found that Janicab also used the same LNK and decoy-document sleights of hand to access a computers command app. They also noticed that Janicab established connections to an unlisted YouTube video that used the same integer math to obtain control-server information. Other similarities: both pieces of malware periodically sent screenshots captured from desktop, they both enabled the execution of attacker-created scripts, and both used precisely the same list MAC addresses to detect virtual machines that security researchers might use in reverse engineering.
The Kaspersky Lab researchers went on to look at a more recent malware family known as Evilnum, which AV provider Eset detailed last month, which reported yet another LNK-based infection chain. Kaspersky Lab found that it used the same dead drop resolver and the integer math tricks to obtain control-server locations. Other similarities were variables with similar or identical names, overlapping targets.
Mondays post summarized the similarities this way:
Read More – Source