Kaspersky’s Global Research and Analysis Team (GReAT) has uncovered a widespread malicious campaign leveraging the messaging platform Telegram to deliver Trojan spyware. This operation, aimed at individuals and businesses in the fintech and trading industries, showcases a sophisticated approach to data theft and device espionage, underscoring the growing complexity of cyber threats.
The campaign is attributed to DeathStalker, an infamous hack-for-hire Advanced Persistent Threat (APT) group known for its expertise in cyber espionage and financial intelligence gathering. The group, active since at least 2018, and possibly as far back as 2012, is notorious for targeting small and medium-sized enterprises, law firms, financial institutions, and, occasionally, government entities. Unlike other cybercriminal organizations, DeathStalker appears uninterested in stealing funds, suggesting its role as a private intelligence service catering to clients with highly specific data needs.
In the latest attacks observed by Kaspersky, the group deployed DarkMe, a sophisticated Remote Access Trojan (RAT). DarkMe is designed to steal sensitive information, including credentials, and to execute remote commands via a server under the attackers’ control. Kaspersky’s analysis indicates the malware was distributed through Telegram channels focused on fintech and trading topics, using malicious archives attached to channel posts. These archives, disguised as RAR or ZIP files, contained harmful files with extensions such as .LNK, .COM, and .CMD. When executed by victims, these files initiated a multi-stage process culminating in the installation of the DarkMe malware.
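The delivery chain above (an archive attached to a chat post, carrying a shortcut or script rather than the document it pretends to be) is something a defender can check for at the attachment-scanning stage. The following is an added example, not code from Kaspersky or from the article: it inspects a ZIP archive and flags members whose extension is one the article names (.LNK, .COM, .CMD), including double extensions such as `report.pdf.lnk`. The extra extensions in `RISKY_EXTENSIONS`, the sample file names and the archive contents are constructed assumptions.

```python
import io
import zipfile
from typing import List, Tuple

# Extensions the article names as the payload carriers inside the lure
# archives (.LNK, .COM, .CMD), plus a few close relatives that the same
# attachment policy would normally cover (the extras are an assumption).
RISKY_EXTENSIONS = {".lnk", ".com", ".cmd", ".bat", ".scr", ".exe"}

def flag_archive_entries(archive_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (member_name, reason) for every archive member whose final
    extension is risky. A member with more than one dot in its name is
    reported as a double extension (a decoy name in front of the real one).
    Only ZIP is handled here; RAR needs a third-party library."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = info.filename.rsplit("/", 1)[-1].lower()  # drop folders
            ext = "." + base.rsplit(".", 1)[-1] if "." in base else ""
            if ext in RISKY_EXTENSIONS:
                reason = "risky extension " + ext
                if base.count(".") > 1:
                    reason += " behind a decoy extension (double extension)"
                findings.append((info.filename, reason))
    return findings

def build_sample_archive() -> bytes:
    """Constructed sample: a lure archive in the style described, holding a
    benign-looking document, a shortcut with a decoy .pdf name, and a script."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Trading_Signals_Q3.docx", b"placeholder document")
        zf.writestr("Trading_Signals_Q3.pdf.lnk", b"placeholder shortcut")
        zf.writestr("setup/run.cmd", b"rem placeholder script")
    return buf.getvalue()

if __name__ == "__main__":
    for member, why in flag_archive_entries(build_sample_archive()):
        print(f"BLOCK {member}: {why}")
```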
The campaign’s global scale is evident, with victims identified in over 20 countries across Europe, Asia, Latin America, and the Middle East. This wide-reaching operation underscores the increasing sophistication and reach of cyber-mercenaries like DeathStalker.
DeathStalker has consistently demonstrated advanced capabilities in evasion and obfuscation. In this campaign, the group employed tactics to enhance operational security and hinder post-compromise analysis. These included removing files used during malware deployment, enlarging the malware implant’s file size to complicate detection, and deleting post-exploitation tools, registry keys, and other footprints after achieving their objectives. Such methods illustrate the group’s commitment to maintaining secrecy and minimizing the risk of attribution.
Adding to their intrigue, DeathStalker has a history of mimicking other APT actors and planting false flags in their operations. This deliberate strategy further complicates efforts to trace their activities back to their source, solidifying their reputation as a sophisticated and elusive cyber-mercenary group.
To combat this threat, Kaspersky has issued security recommendations for both individuals and organizations. For personal users, they stress the importance of installing trusted security solutions, staying informed about emerging cyberattack techniques, and exercising caution with unsolicited files or links. For organizations, Kaspersky advocates for robust cybersecurity strategies, including providing InfoSec professionals with advanced threat intelligence, investing in cybersecurity training, and implementing comprehensive solutions like Kaspersky’s Next product line, which offers real-time protection and enhanced investigation and response capabilities.
The revelations about DeathStalker’s latest campaign serve as a stark reminder of the evolving nature of cyber threats and the critical need for vigilance in the digital age. As cyber-mercenary groups like DeathStalker continue to innovate and adapt, businesses and individuals must remain proactive in safeguarding their sensitive data and digital assets.