The DeathStalker advanced persistent threat (APT) group is using spear-phishing emails to target law firms and companies in the financial sector, according to Russian cybersecurity company Kaspersky. It also may be leveraging these cyberattacks to gather sensitive business data to offer hacking-for-hire services.
Recent DeathStalker attacks involved the use of spear-phishing emails with attached archives containing a malicious LNK file, Kaspersky indicated. They enabled cybercriminals to execute PowerShell scripts and take control of victims' machines.
During DeathStalker attacks, cybercriminals capture periodic screenshots from a victim's machine, Kaspersky noted. They also run tests to identify security tools on a victim's machine and update PowerShell scripts to avoid detection.
In addition, the DeathStalker toolchain uses Reddit, Twitter, YouTube and other public services as "dead drop resolvers," Kaspersky stated. These services allow cybercriminals to store data at a fixed URL via public posts, comments, user profiles and content descriptions.
DeathStalker has been linked to the Janicab and Evilnum malware families, Kaspersky pointed out. Furthermore, DeathStalker attacks have been ongoing since 2018, and some of these attacks may date back to 2012.
How to Guard Against DeathStalker Attacks
Kaspersky recommends making Windows interpreters for scripting languages such as powershell.exe and cscript.exe unavailable to guard against DeathStalker attacks. It also recommends cybersecurity awareness training and security product assessments to ensure that law firms, financial services companies and other organizations can protect their systems against these attacks.
MSSPs can help organizations identify ways to combat DeathStalker and other cyberattacks as well. They can deliver managed security services designed to combat current and emerging cyber threats, as well as offer tips and recommendations to help organizations improve their security posture.