To attack companies in Bulgaria, Cyprus, Germany, the Grenadines, Kuwait, Malta, the United Arab Emirates and Russia in 2022
Kaspersky researchers tracks attack campaigns from the DeathStalker hack-for-hire group since 2018. Recent analysis shows that the threat actor updated its evasive “VileRat” toolset to attack cryptocurrency and foreign currency exchange companies in Bulgaria, Cyprus, Germany, the Grenadines, Kuwait, Malta, the United Arab Emirates and Russia in 2022.
DeathStalker is an infamous hack-for-hire APT actor that Kaspersky monitors since 2018, and which mainly targets law firms and organizations in the financial sector. The threat actor stands out since its attacks do not seem to be politically or financially motivated. Kaspersky researchers believe DeathStalker acts as a mercenary organization, offering specialized hacking or financial intelligence services.
In 2020, Kaspersky researchers published an overview of DeathStalker’s profile and malicious activities, including their Janicab, Evilnum, PowerSing and PowerPepper campaigns. Company’s experts discovered a new and highly evasive infection, based on the “VileRAT” Python implant, in mid-2020. Experts have been closely monitoring actor’s activity since and discovered it aggressively targeted foreign currency (FOREX) and cryptocurrency trading companies all over the world in 2022.
VileRat is typically deployed after an intricate infection chain, which starts from spearphishing emails. This summer, the attackers also leveraged chatbots that are embedded in targeted companies’ public websites to send malicious documents. The DOCX documents are frequently named using the “compliance” or “complaint” keywords (as well as the name of the targeted company), suggesting the attacker is answering an identification request or reporting an issue, in order to veil the attack.
Malicious DOCX social engineering message
The VileRAT campaign stands out due to its tools sophistication and vast malicious infrastructure (compared to the previously documented DeathStalker activities), the numerous obfuscation techniques that are used all along the infection, as well as its continuous and persistent activity since 2020. The VileRAT campaign demonstrates that DeathStalker is making a tremendous effort to develop and maintain access to its targets. The possible goal of the attacks range from due diligence, asset recovery, litigation or arbitration cases support, to working around sanctions, but it still does not appear to be direct financial gain.
VileRat does not show any interest in targeting particular countries, instead Kaspersky researchers report indiscriminate advanced attacks using VileRat all around the globe , with compromised organizations in Bulgaria, Cyprus, Germany, the Grenadines, Kuwait, Malta, the United Arab Emirates and Russia. It should be noted that the identified organizations range from recent startups to established industry leaders.
‘Escaping detection has always been a goal for DeathStalker, for as long as we’ve tracked the threat actor. But the VileRAT campaign took this desire to another level: it is undoubtedly the most intricate, obfuscated and tentatively evasive campaign we have ever identified from this actor. We believe DeathStalker’s tactics and practices are sufficient (and proven to be) to act on soft targets who may not be experienced enough to withstand such a level of determination, and may not have made security one of their organization’s top priorities, or who frequently interact with third parties that have not done so,’ comments Pierre Delcher, Senior Security Researcher at Kaspersky’s GReAT.
Read more about VileRat and its evasion techniques at Securelist.
To protect your organizations from attacks like VileRat, Kaspersky experts recommend:
-Ends-
About Kaspersky
Kaspersky is a global cybersecurity and digital privacy company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 240,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.
© Press Release 2022
Disclaimer: The contents of this press release was provided from an external third party provider. This website is not responsible for, and does not control, such external content. This content is provided on an “as is” and “as available” basis and has not been edited in any way. Neither this website nor our affiliates guarantee the accuracy of or endorse the views or opinions expressed in this press release.
The press release is provided for informational purposes only. The content does not provide tax, legal or investment advice or opinion regarding the suitability, value or profitability of any particular security, portfolio or investment strategy. Neither this website nor our affiliates shall be liable for any errors or inaccuracies in the content, or for any actions taken by you in reliance thereon. You expressly agree that your use of the information within this article is at your sole risk.
To the fullest extent permitted by applicable law, this website, its parent company, its subsidiaries, its affiliates and the respective shareholders, directors, officers, employees, agents, advertisers, content providers and licensors will not be liable (jointly or severally) to you for any direct, indirect, consequential, special, incidental, punitive or exemplary damages, including without limitation, lost profits, lost savings and lost revenues, whether in negligence, tort, contract or any other theory of liability, even if the parties have been advised of the possibility or could have foreseen any such damages.
