DeathStalker APT Description
Advanced Persistent Threat (APT) actors often rely on extortion to monetize their campaigns: groups of this sort commonly deploy ransomware or data-theft malware to pressure their victims into paying. There are exceptions, however, and the DeathStalker APT is one of them. Its campaigns were analyzed and linked to one another only recently, and researchers believe the group's first attacks may date back to 2012. The most notable spike in its activity occurred around 2018, and the attacks DeathStalker pulled off in that period drew the attention of security experts. Its usual targets were companies in the legal and financial sectors, and it never employed any form of extortion during its attacks. Instead, the group's focus was entirely on collecting business information; it showed no interest in payment details or similar easy-to-exploit data. This leads cybersecurity experts to believe that DeathStalker may be renting out its services to the highest bidder, which would explain why its operations always center on collecting data from victims.
Suspected Hackers-For-Hire Group Targets the Financial Sector and Law Firms
The DeathStalker APT hackers usually approach their targets via spear-phishing emails sent to employees of the targeted company or organization. The emails carry a malicious shortcut file, which opens a decoy document while executing a series of 'Command Prompt' actions in the background. The payload deployed in this first stage is Powersing, a malware package whose development and use are attributed to the DeathStalker APT hackers.
Powersing's functionality is not impressive, but it is enough to meet the needs of the perpetrators. The implant can capture and exfiltrate screenshots, as well as execute custom PowerShell scripts, which can carry out tasks of all sorts.
The DeathStalker APT Hides Encrypted Instructions in Plain Sight
One of the more interesting tricks DeathStalker's operators employ is the use of 'dead drop resolvers.' The group uses public forums, message boards, and social media networks to publish fake posts that contain a simple message accompanied by an encoded string. The payload looks for these encoded strings and decrypts them to obtain information about the Command and Control infrastructure it is meant to use. The group has relied on popular services such as WordPress, Twitter, Reddit, Imgur and Google+ for this step.
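As an added illustration of the dead-drop technique from the defender's side (this is not code from the article or from the DeathStalker toolset), the script below shows how an analyst might triage captured post text: it pulls out base64-looking runs and keeps only those that decode to something shaped like C2 infrastructure. The sample posts, the base64 encoding, and the decoded scheme://host:port layout are constructed assumptions, not Powersing's real format.

```python
import base64
import re
from typing import List, Optional, Tuple

# Constructed sample posts, standing in for content an analyst has pulled from the
# public services named in the article. The base64 encoding and the decoded layout
# (scheme://host:port) are assumptions for this example, not Powersing's real format.
SAMPLE_POSTS: List[Tuple[str, str]] = [
    ("post-1", "Anyone else seeing this? aHR0cHM6Ly9jMi1leGFtcGxlLmludmFsaWQ6ODQ0Mw== thanks"),
    ("post-2", "Great thread, nothing encoded in this one."),
    ("post-3", "photo id VGhpcyBpcyBqdXN0IGEgY2FwdGlvbg== for the album"),
]

# A run of base64 alphabet characters long enough to hold a host name and port.
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# Shape a decoded dead-drop value is expected to have in this example: optional
# scheme, dotted host name, optional port. Ordinary sentences will not match.
C2_SHAPE = re.compile(r"^(?:https?://)?[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+(?::\d{1,5})?$")


def decode_candidate(blob: str) -> Optional[str]:
    """Decode one base64 run; return it only if it looks like C2 information."""
    try:
        text = base64.b64decode(blob, validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error (bad padding/alphabet) and UnicodeDecodeError
        return None
    return text if C2_SHAPE.match(text) else None


def extract_dead_drops(posts: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return (post_id, decoded_value) for each post carrying a C2-shaped encoded string."""
    hits = []
    for post_id, body in posts:
        for match in BASE64_RUN.finditer(body):
            decoded = decode_candidate(match.group(0))
            if decoded is not None:
                hits.append((post_id, decoded))
    return hits


if __name__ == "__main__":
    for post_id, value in extract_dead_drops(SAMPLE_POSTS):
        print(f"{post_id}: decoded dead-drop value -> {value}")
```

Only post-1 survives the filter; post-3 carries a valid base64 string that decodes to plain text, which is the kind of benign noise a resolver hunt has to discard.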
Hacker-for-hire APT actors are not uncommon, and there are strong indications that the DeathStalker APT may belong to this category. Its lack of interest in payment information or monetization schemes clearly shows that it generates revenue elsewhere. Since its targets appear to be chosen at random, it is reasonable to assume that this is not a state-sponsored threat actor and that its services can instead be obtained by the highest bidder.