In 2018, researchers at security firm Kaspersky Lab started tracking DeathStalker, their name for a hackers-for-hire group that used simple but effective malware to spy on law and finance firms. Now the researchers have linked the group to two other malware components, including one that dates back to at least 2012.
DeathStalker came to Kaspersky's attention through its use of malware that a research colleague had named "Powersing". The malware got its name from a 900-line PowerShell script that the attackers put considerable effort into obfuscating from antivirus software.
Attacks started with spear-phishing emails carrying attachments that appeared to be documents but which, with a fair amount of LNK-file sleight of hand, were actually malicious scripts. To keep targets from becoming suspicious, Powersing displayed a decoy document as soon as the target clicked on the attachment.
Besides the LNK trick, Powersing also tried to evade AV with the help of "dead drop resolvers". These were social media posts that the malware covertly used to retrieve key information it needed, such as which Internet servers it should contact and which keys it should use to decrypt their contents. The tweet below is just one of the dead drop resolvers used.
The first string contained the AES key to decrypt code that would then find an integer encoded in the second string. The code would then divide the integer by a constant controlled by the attacker to get the IP address to which the infected computer should report.
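To make that decoding step concrete, here is an added Python example (not code from Kaspersky's post or from the malware itself) that does what an analyst does when pulling a dead-drop resolver apart: locate the integer that follows a hard-coded sentinel sentence, divide it by the constant recovered from the deobfuscated script, and convert the result to a dotted-quad address. The sentinel text, the sample post and the divisor are constructed for the example, and the AES layer described above is left out.

```python
import re
import ipaddress

# Constructed sample of a dead-drop-resolver style post: an innocuous
# hard-coded sentence followed by the encoded integer. The values are
# made up for this example and encode the documentation address
# 203.0.113.10 multiplied by the divisor below.
SAMPLE_POST = "my favourite number is 17029018930 and my dog is cute"
SENTINEL = r"my favourite number is (\d+)"

# Hypothetical attacker-controlled constant; in a real case an analyst
# recovers it from the deobfuscated PowerShell script.
DIVISOR = 5


def extract_encoded_integer(text, sentinel=SENTINEL):
    """Return the integer following the sentinel sentence, or None."""
    match = re.search(sentinel, text)
    return int(match.group(1)) if match else None


def decode_ip(encoded, divisor):
    """Recover the C2 address as encoded // divisor, rendered as IPv4.

    Returns None when the divisor does not evenly divide the value or the
    quotient does not fit in 32 bits; both usually mean the wrong constant
    was recovered from the script, so the analyst should not trust the IP.
    """
    if divisor <= 0 or encoded % divisor != 0:
        return None
    value = encoded // divisor
    if value > 0xFFFFFFFF:
        return None
    return str(ipaddress.IPv4Address(value))


def resolve(text, divisor=DIVISOR, sentinel=SENTINEL):
    """Full analyst pipeline: sentinel match, then integer-to-IP decode."""
    encoded = extract_encoded_integer(text, sentinel)
    return None if encoded is None else decode_ip(encoded, divisor)


if __name__ == "__main__":
    print(resolve(SAMPLE_POST))  # 203.0.113.10
```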
The Internet never forgets
"By using well-known public services, cybercriminals can blend the initial backdoor communication into legitimate network traffic," Kaspersky Lab researchers Ivan Kwiatkowski, Pierre Delcher and Maher Yamout wrote in a post published Monday. They continued:
It also limits what defenders can do to hinder their operations, as these platforms generally can't be blocked at the enterprise level, and content can be difficult and tedious to remove from them. However, this comes at a price: the Internet never forgets, and it is also difficult for cybercriminals to remove traces of their operations. Thanks to the data indexed or archived by search engines, we estimate that Powersing was first used in August 2017.
The researcher who coined the Powersing name speculated that the malware might be linked to another malware family called Janicab, which dates back to at least 2012. Kaspersky Lab researchers analyzed a Janicab sample published in 2015 by AV provider F-Secure.
They found that Janicab also used the same LNK trick and decoy documents to gain access to a computer's command app. They also noticed that Janicab made connections to an unlisted YouTube video and used the same integer math to obtain control-server information. Other similarities: both pieces of malware regularly sent screenshots taken from the desktop, enabled execution of attacker-created scripts, and used exactly the same list of MAC addresses to detect the virtual machines that security researchers might use to reverse engineer them.
Kaspersky Lab researchers then examined a more recent malware family called Evilnum, which AV provider Eset described in detail last month, reporting another LNK-based infection chain. Kaspersky Lab found that it used the same dead-drop resolver and integer math tricks to locate its control servers. Other similarities were variables with similar or identical names and overlapping goals.
Monday's post summarized the similarities as follows:
- All three are distributed via .lnk files contained in archives delivered by spear phishing
- They obtain C&C information from dead-drop resolvers using regular expressions and hard-coded sentences
- IP addresses are obtained in the form of integers, which are then divided by a hard-coded constant before conversion
- Minor code overlaps between the three malware families could indicate that they were developed by the same team or within a group that shares software development practices
- The three malware families all have screenshot capture capabilities. While this isn't original in and of itself, it is usually not part of the development priorities of such groups and could indicate a common design specification
- While we don't have a lot of information on Janicab's victimology, Powersing and Evilnum go after business intelligence, albeit in different industries. Both activities are consistent with the hypothesis that they are run by a mercenary outfit
The similarities are by no means a smoking gun, the researchers said, but collectively they give researchers "medium confidence" that Powersing, Janicab, and Evilnum are operated by the same group.
"In this blog post, we described a modern infection chain that is still actively used and developed by a threat actor today," the researchers conclude. "It doesn't contain any innovative tricks or sophisticated methods, and certain parts of the chain can actually seem unnecessarily convoluted. However, if the hypothesis that the same group is behind Janicab and Powersing is correct, it means that they have been using the same methods since 2012. In the infosec world, it doesn't get any more 'tried and tested' than this."