Skip to main content

“DeathStalker” hackers are (likely) older and more prolific than we thought

posted onAugust 25, 2020
by l33tdawg
Arstechnica
Credit: Arstechnica

In 2018, researchers from security firm Kaspersky Lab began tracking “DeathStalker,” their name for a hacker-for-hire group that was employing simple but effective malware to do espionage on law firms and companies in the financial industry. Now, the researchers have linked the group to two other pieces of malware including one that dates back to at least 2012.

DeathStalker came to Kaspersky’s attention for its use of malware that a fellow researcher dubbed “Powersing”. The malware got its name for a 900-line PowerShell script that attackers went to great lengths to obfuscate from antivirus software.

Attacks started with spear-phishing emails with attachments that appeared to be documents but—through a sleight of hand involving LNK files—were actually malicious scripts. To keep targets from getting suspicious, Powersing displayed a decoy document as soon as targets clicked on the attachment. Besides the LNK trick, Powersing also attempted to throw off AV with its use of “dead drop resolvers.” In effect, these were social media posts that the malware used to covertly piece together crucial information it needed, such as what Internet servers to access and what keys it should use to decrypt its contents. The Tweet below is just one of the dead drop resolvers it used.

Source

Tags

Security

You May Also Like

Recent News

Friday, November 1st

Tuesday, July 9th

Wednesday, July 3rd

Friday, June 28th

Thursday, June 27th

Thursday, June 13th

Wednesday, June 12th

Tuesday, June 11th

Friday, June 7th

Thursday, June 6th