“DeathStalker” hackers are (likely) older and more prolific than we thought
In 2018, researchers from security firm Kaspersky Lab began tracking “DeathStalker,” their name for a hacker-for-hire group that was employing simple but effective malware to conduct espionage against law firms and companies in the financial industry. Now, the researchers have linked the group to two other pieces of malware, including one that dates back to at least 2012.
DeathStalker came to Kaspersky’s attention for its use of malware that a fellow researcher dubbed “Powersing.” The malware got its name from a 900-line PowerShell script that the attackers went to great lengths to obfuscate from antivirus software.
Attacks started with spear-phishing emails carrying attachments that appeared to be documents but—through a sleight of hand involving LNK files—were actually malicious scripts. To keep targets from getting suspicious, Powersing displayed a decoy document as soon as the target clicked on the attachment. Besides the LNK trick, Powersing also attempted to throw off AV with its use of “dead drop resolvers.” In effect, these were social media posts that the malware used to covertly piece together crucial information it needed, such as which Internet servers to contact and which keys it should use to decrypt its contents. The tweet below is just one of the dead drop resolvers it used.
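The LNK trick described above works because a Windows shortcut can carry any icon and Windows hides the `.lnk` extension by default, so `Invoice.pdf.lnk` displays as `Invoice.pdf`. A mail gateway or triage script can see through the disguise by checking the attachment's bytes rather than its name: every Shell Link file starts with a fixed 20-byte header (the header size `0x4C` followed by the Shell Link CLSID `00021401-0000-0000-C000-000000000046`). The following is an added example written for this page, not code from Kaspersky or from the article; the attachment names and contents in `SAMPLE_ATTACHMENTS` are constructed for illustration.

```python
"""Flag e-mail attachments that are Windows shortcut (.lnk) files hiding behind
a document-looking name, by checking the LNK header instead of trusting the
extension. Added example; sample attachments are constructed."""

# HeaderSize (0x0000004C, little-endian) followed by the Shell Link CLSID
# 00021401-0000-0000-C000-000000000046 in on-disk (mixed-endian GUID) layout.
LNK_MAGIC = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")

# Extensions a victim would read as "just a document".
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt"}


def is_lnk(data: bytes) -> bool:
    """True if the first 20 bytes are the Shell Link header."""
    return data[:20] == LNK_MAGIC


def split_extensions(filename: str) -> list[str]:
    """'Invoice.pdf.lnk' -> ['.pdf', '.lnk']; names with no dot give []."""
    parts = filename.lower().split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def classify_attachment(filename: str, data: bytes) -> str:
    """Return one of:
    'ok'                   - not a shortcut file
    'lnk'                  - a shortcut that is honestly named *.lnk
    'lnk-double-extension' - *.pdf.lnk style name, shown as 'pdf' by Explorer
    'lnk-masquerade'       - shortcut bytes under a non-.lnk name
    """
    if not is_lnk(data):
        return "ok"
    exts = split_extensions(filename)
    if not exts or exts[-1] != ".lnk":
        return "lnk-masquerade"
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTENSIONS:
        return "lnk-double-extension"
    return "lnk"


def scan_attachments(attachments: list[tuple[str, bytes]]) -> dict[str, str]:
    """Classify every (filename, bytes) pair; anything not 'ok' deserves review."""
    return {name: classify_attachment(name, data) for name, data in attachments}


# Constructed inputs: a real mail would supply the decoded attachment bytes.
SAMPLE_ATTACHMENTS = [
    ("Invoice.pdf.lnk", LNK_MAGIC + b"\x00" * 56),          # hidden-extension trick
    ("Quarterly_report.pdf", LNK_MAGIC + b"\x00" * 56),     # shortcut renamed outright
    ("Agenda.pdf", b"%PDF-1.7\n%constructed sample\n"),     # genuine document
    ("Desktop shortcut.lnk", LNK_MAGIC + b"\x00" * 56),     # honestly named shortcut
]

if __name__ == "__main__":
    for name, verdict in scan_attachments(SAMPLE_ATTACHMENTS).items():
        print(f"{verdict:22s} {name}")
```

Checking the header rather than the filename matters because the name is the part of the attachment the attacker fully controls; the header is what Windows itself needs in order to treat the file as a shortcut, so it cannot be disguised without breaking the lure.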