In 2018, researchers from security firm Kaspersky Lab began tracking “DeathStalker,” their name for a hacker-for-hire group that was employing simple but effective malware to do espionage on law firms and companies in the financial industry. Now, the researchers have linked the group to two other pieces of malware including one that dates back to at least 2012.
DeathStalker came to Kaspersky’s attention for its use of malware that a fellow researcher dubbed “Powersing”. The malware got its name for a 900-line PowerShell script that attackers went to great lengths to obfuscate from antivirus software.
Attacks started with spear-phishing emails with attachments that appeared to be documents but—through a sleight of hand involving LNK files—were actually malicious scripts. To keep targets from getting suspicious, Powersing displayed a decoy document as soon as targets clicked on the attachment.
Besides the LNK trick, Powersing also attempted to throw off AV with its use of “dead drop resolvers.” In effect, these were social media posts that the malware used to covertly piece together crucial information it needed, such as what Internet servers to access and what keys it should use to decrypt its contents. The Tweet below is just one of the dead drop resolvers it used.
The first string contained the AES key to decrypt code that would then find an integer encoded into the second string. The code would then divide the integer by an attacker-controlled constant to arrive at the IP address where the infected computer was to report.
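To make the integer-to-address step concrete from an analyst's side, here is a small decoder of the kind one would write while extracting indicators from a captured dead-drop post. It is an added example and not Kaspersky's or the malware's code; the post text, the "hardcoded sentence" regular expression and the divisor are constructed for this example (the real constant is sample-specific and not given in the article), and the decoded address is deliberately from the TEST-NET-1 documentation range.

```python
import re
import ipaddress

# Constructed sample of a social-media post written in the style of a dead drop
# resolver: an innocuous sentence carrying an encoded integer. Made up for this example.
SAMPLE_POST = "My weather station reported 6442451970 steps today, lovely walk!"

# Hypothetical hardcoded constant that the encoded integer is divided by.
# The real value differs per sample and is not stated on the page.
DIVISOR = 2

# The families described here match posts with a regular expression anchored on a
# hardcoded sentence; this pattern is an assumption that fits SAMPLE_POST.
PATTERN = re.compile(r"reported (\d+) steps")


def extract_integer(text):
    """Return the encoded integer found after the hardcoded sentence, or None."""
    match = PATTERN.search(text)
    if match is None:
        return None
    return int(match.group(1))


def integer_to_ipv4(value, divisor):
    """Divide the encoded integer by the constant and render it as dotted quad.

    Raises ValueError when the value is not an exact multiple of the divisor or
    the quotient does not fit in 32 bits, which usually means the wrong constant
    (or the wrong post) is being decoded.
    """
    if divisor <= 0:
        raise ValueError("divisor must be positive")
    if value % divisor != 0:
        raise ValueError("encoded integer is not a multiple of the divisor")
    quotient = value // divisor
    if not 0 <= quotient <= 0xFFFFFFFF:
        raise ValueError("decoded value does not fit in an IPv4 address")
    return str(ipaddress.IPv4Address(quotient))


def decode_dead_drop(text, divisor=DIVISOR):
    """Recover the control-server address hidden in a post, or None if absent."""
    encoded = extract_integer(text)
    if encoded is None:
        return None
    return integer_to_ipv4(encoded, divisor)


if __name__ == "__main__":
    # Decoding the constructed post yields 192.0.2.1, an address reserved for
    # documentation, which a responder would then add to a blocklist or watchlist.
    print(decode_dead_drop(SAMPLE_POST))
```

The explicit checks in `integer_to_ipv4` matter in practice: a candidate integer that is not an exact multiple of the divisor, or that overflows 32 bits, is the quickest sign that the constant pulled from a sample does not belong to the post being examined.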
The Internet never forgets
“Relying on well-known public services allows cybercriminals to blend initial backdoor communications into legitimate network traffic,” Kaspersky Lab researchers Ivan Kwiatkowski, Pierre Delcher, and Maher Yamout wrote in a post published on Monday. They continued:
It also limits what defenders can do to hinder their operations, as these platforms can’t generally be blocklisted at the company level, and getting content taken down from them can be a difficult and lengthy process. However, this comes at a price: the internet never forgets, and it’s also difficult for cybercriminals to remove traces of their operations. Thanks to the data indexed or archived by search engines, we estimate that Powersing was first used around August 2017.
The researcher who coined the Powersing name speculated that the malware may be linked to a different malware family known as Janicab, which dates back to at least 2012. The Kaspersky Lab researchers analyzed a Janicab sample published in 2015 by AV provider F-Secure.
They found that Janicab also used the same LNK and decoy-document sleights of hand to access a computer’s command app. They also noticed that Janicab established connections to an unlisted YouTube video and used the same integer math to obtain control-server information. Other similarities: both pieces of malware periodically sent screenshots captured from the desktop, both enabled the execution of attacker-created scripts, and both used precisely the same list of MAC addresses to detect virtual machines that security researchers might use in reverse engineering.
The Kaspersky Lab researchers went on to look at a more recent malware family known as Evilnum, which AV provider Eset detailed last month in a report describing yet another LNK-based infection chain. Kaspersky Lab found that Evilnum used the same dead-drop-resolver and integer-math tricks to obtain control-server locations. Other similarities included variables with similar or identical names and overlapping targets.
Monday’s post summarized the similarities this way:
- All three are distributed through LNK files contained in archives delivered through spear-phishing
- They obtain C&C information from dead drop resolvers using regular expressions and hardcoded sentences
- IP addresses are obtained in the form of integers that are then divided by a hardcoded constant before being converted
- Minor code overlaps between the three malware families could indicate that they’ve been developed by the same team, or inside a group that shares software development practices
- The three malware families all have screenshot capture capabilities. While not original in itself, this isn’t usually part of the development priorities of such groups and could be indicative of a shared design specification
- Finally, while we don’t have a lot of information about Janicab’s victimology, Powersing and Evilnum both go after business intelligence, albeit in different industry verticals. Both sets of activities are consistent with the hypothesis that they’re run by a mercenary outfit
The similarities are by no means a smoking gun, the researchers said, but together they give the researchers “medium confidence” that Powersing, Janicab, and Evilnum are operated by the same group.
“In this blog post, we described a modern infection chain that’s still actively used and developed by a threat actor today,” the researchers conclude. “It doesn’t contain any innovative tricks or sophisticated methods, and certain components of the chain may actually appear needlessly convoluted. Yet if the hypothesis is correct that the same group operates Janicab and Powersing, it indicates that they’ve been leveraging the same methodologies since 2012. In the infosec world, it doesn’t get more ‘tried and true’ than this.”