Is “Deathstalker” coming for you?

Cyber-crime is big business. The criminals are organised and sophisticated. Imagine if they put their ingenuity into things that are good? But alas, that's not reality. Instead we have to brace ourselves to deal with another wave of crime.

Deathstalker is such a great name, inspiring fear. In fact, Deathstalkers are a type of scorpion. I desperately wanted to find out that they were misnamed and quite pleasant, but actually they seem to be quite nasty, cannibalistic little characters.

Most of the information we can find on this threat comes from Kaspersky, and we haven't been able to verify it with other sources. However, it is sufficiently worrying that we wanted to bring it to your attention.

These hackers are targeting LEGAL and FINANCIAL services firms.

They want to steal information to sell, or they will act as mercenaries and attack on demand.

They start with a phishing attack (a hand-crafted email that tempts the victim to open it) to entice the victim to open an apparently innocent file that is actually a Windows shortcut (LNK) which silently launches a hidden PowerShell script. Of course, the victim doesn't know that. They think it's something they need to read: a candidate CV, a remittance advice, a purchase order, or a letter of some sort.

Introducing the Dead-Drop-Resolver

The malicious code points to a public, trusted site, so the traffic looks legitimate. For example, it might fetch a seemingly innocent YouTube video page whose comments include an odd-looking sequence of characters. That sequence is actually an encoded instruction for the malware: it is enough to tell the malware what to do next, including launching further malware on the victim's PC. Because the instructions are parked on a site nobody would think to block, this technique is called a "dead-drop resolver".
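The two stages just described (a shortcut launched from the desktop that starts a hidden, encoded PowerShell, followed by that same process reaching out to a public site for its instructions) are exactly what endpoint telemetry can catch. The script below is an added example written for this post; it is not code from Kaspersky or from the DeathStalker reports. It assumes Sysmon-style fields (EventID 1 for process creation, EventID 3 for network connection, with ProcessGuid, Image, ParentImage, CommandLine and DestinationHostname), and the log lines, host names and the harmless encoded command it decodes ("echo hi") are all constructed for the example.

```python
"""Flag shortcut-launched hidden PowerShell and correlate it with the
process's first outbound connection (the dead-drop fetch)."""
import base64
import binascii
import re

# Constructed sample events (not real telemetry), modelled on Sysmon
# EventID 1 (process creation) and EventID 3 (network connection).
# {B2} is a normal admin script; {C3} matches the phishing-shortcut pattern.
SAMPLE_LOG = [
    'EventID=1 ProcessGuid={A1} Image="C:\\Windows\\explorer.exe" '
    'ParentImage="C:\\Windows\\System32\\userinit.exe" CommandLine="explorer.exe"',
    'EventID=1 ProcessGuid={B2} Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'ParentImage="C:\\Program Files\\IT\\patch.exe" CommandLine="powershell.exe -File C:\\scripts\\inventory.ps1"',
    'EventID=3 ProcessGuid={B2} Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'DestinationHostname="wsus.corp.example" DestinationPort=8530',
    'EventID=1 ProcessGuid={C3} Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'ParentImage="C:\\Windows\\explorer.exe" '
    'CommandLine="powershell.exe -NoP -W Hidden -Exec Bypass -EncodedCommand ZQBjAGgAbwAgAGgAaQA="',
    'EventID=3 ProcessGuid={C3} Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'DestinationHostname="www.youtube.com" DestinationPort=443',
]

# key=value pairs, values optionally double-quoted
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

PS_NAMES = {"powershell.exe", "pwsh.exe"}
# A user double-clicking an attachment or shortcut means the parent is the shell.
SHELL_PARENTS = {"explorer.exe"}
# Command-line switches that hide the window, skip policy, or hide the script body.
EVASION_PATTERNS = [
    re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    re.compile(r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.I),
    re.compile(r"-nop(?:rofile)?\b", re.I),
    re.compile(r"-ex(?:ec|ecutionpolicy)?\s+bypass", re.I),
]
ENCODED_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def parse_event(line):
    """Turn one log line into a dict of field -> value."""
    return {k: (q if q else u) for k, q, u in FIELD_RE.findall(line)}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """PowerShell -EncodedCommand is base64 of UTF-16LE text; give the analyst the plaintext."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def analyse(lines):
    """Return alerts: stage-1 shortcut launches, and stage-2 outbound
    connections made by a process already flagged in stage 1."""
    alerts = []
    flagged = set()  # ProcessGuids of suspicious PowerShell launches
    for line in lines:
        ev = parse_event(line)
        guid = ev.get("ProcessGuid", "")
        if ev.get("EventID") == "1" and basename(ev.get("Image", "")) in PS_NAMES:
            cmd = ev.get("CommandLine", "")
            hits = [p.pattern for p in EVASION_PATTERNS if p.search(cmd)]
            if basename(ev.get("ParentImage", "")) in SHELL_PARENTS and hits:
                flagged.add(guid)
                alerts.append({"severity": "medium", "stage": "shortcut_launch",
                               "guid": guid, "indicators": hits,
                               "decoded": decode_encoded_command(cmd)})
        elif ev.get("EventID") == "3" and guid in flagged:
            # The flagged process talking out is the dead-drop resolution step.
            alerts.append({"severity": "high", "stage": "dead_drop_fetch",
                           "guid": guid, "host": ev.get("DestinationHostname", "")})
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

The correlation by ProcessGuid is the point: a connection to YouTube from a browser is noise, but the same connection from a PowerShell that was spawned by explorer.exe with a hidden window and an encoded command is worth an analyst's time, whatever the destination. The decoded command gives the analyst the script body without having to reproduce it by hand.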

So, what can you do to reduce your risk?

  • Phishing training
  • Security awareness briefings
  • Use of ATP tools to scan emails
  • Advanced endpoint protection

All of these are part of our KARE for Security service, which we have come to realise is now a minimum level of protection. We are working on offering a SOC and SIEM to complement this service, and we're just trying to find a solution that meets NZ budgets.

The other action we recommend is ensuring your IT engineer audits user rights and makes sure that no one has any excess access rights. The less access each user has, the less harm can occur should they become infected.

References

https://www.fintechdirect.net/2020/08/25/deathstalker-cyberspy-group-menaces-fintech-sme

https://cyberdailyreport.com/news/a0f10bb3dedea21466d7f51ea38eb83f