APT-style mercenary groups challenge the threat models of many organizations
Not everyone is a target for cyberespionage. That’s the premise on which many businesses built their threat models and cyber-defense capabilities. Unfortunately, that’s rapidly changing. Hacker-for-hire groups that sell their services to private entities are popping up on the radar of security companies and creating a blind spot for many organizations that are not prepared to deal with advanced persistent threats (APTs).

Last week, security firms Kaspersky Lab and Bitdefender independently released reports about two such mercenary groups. One was seen targeting law firms and companies in the financial sector, while the other targets architectural and video production companies. These are just the latest examples in a series of similar reports over the past couple of years.

“We’ve recently seen a trend in which the tactics and techniques used in the past by state-sponsored APT groups have now been used in attacks on smaller companies,” Liviu Arsene, global cybersecurity researcher with Bitdefender, tells CSO. “This potentially points to a new APT-as-a-service model that sophisticated threat actor groups could be offering. Just as the transition to malware-as-a-service marked a new chapter in the cybercrime industry, APT-as-a-service where mercenary hackers that may have sharpened their skills either in state-sponsored attacks or as part of other larger APT groups, could become the new norm.”

DeathStalker and common scripting languages

Kaspersky’s report focuses on the recent activities of a mercenary group the company dubbed DeathStalker, whose tools bear some close similarities to other malware implants going as far back as 2012. The group was recently seen targeting entities that work in or with the financial sector including law offices, wealth consultancy firms and financial technology companies. Victims were identified in Argentina, China, Cyprus, Israel, Lebanon, Switzerland, Taiwan, Turkey, the United Kingdom and the United Arab Emirates.

DeathStalker’s current implant is called Powersing and is written in PowerShell, an often-abused scripting language that’s included with Windows and is used to automate system administration tasks. The malware is delivered via spear-phishing emails with attached archives that contain a malicious LNK file. The Powersing payload is notable for reaching out to various “dead drops” on social media websites and getting the URL of the command-and-control (C&C) server from comments with encoded text left by the authors. Sites used for the dead drops include Google+, Imgur, Reddit, Tumblr, Twitter, YouTube and WordPress.

Powersing periodically contacts the C&C server for commands and has two functions: capturing periodic screenshots of the victim’s machine and sending them to the C&C server, and executing arbitrary PowerShell scripts supplied by the C&C. These two simple features give attackers a lot of power. The first lets them perform reconnaissance on the victim; the second lets them extend the compromise through manual hacking.
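Two of the behaviours described above are observable from a defender's side: a scripting host (rather than a browser) fetching pages from the social-media sites used as dead drops, and a process contacting the same destination at near-constant intervals to poll for commands. The following Python sketch is an added example, not code from Kaspersky, CSO or the DeathStalker report; it runs over a constructed, simplified network-event log (timestamp, process name, destination host) of the kind an EDR or proxy would produce. The dead-drop hostnames, the browser list, the documentation IP 203.0.113.7 standing in for a C&C server, and the jitter threshold are all assumptions chosen for illustration.

```python
"""Detection sketch for dead-drop lookups and beacon-like polling.

Added example for this article; not the report's or any vendor's code.
The log format is constructed: one event per line, "ISO-timestamp process host".
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Hostnames assumed for the dead-drop services named in the report.
DEAD_DROP_HOSTS = {
    "plus.google.com", "imgur.com", "www.reddit.com", "www.tumblr.com",
    "twitter.com", "www.youtube.com", "wordpress.com",
}
# Processes for which social-media traffic is expected (assumed list).
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}

# Constructed sample telemetry: a browser browsing normally, and a PowerShell
# process that reads a dead drop once, then polls 203.0.113.7 every ~5 minutes.
SAMPLE_LOG = """
2020-08-25T08:59:50 powershell.exe www.reddit.com
2020-08-25T09:00:00 powershell.exe 203.0.113.7
2020-08-25T09:01:00 chrome.exe twitter.com
2020-08-25T09:01:40 chrome.exe twitter.com
2020-08-25T09:05:02 powershell.exe 203.0.113.7
2020-08-25T09:07:15 chrome.exe twitter.com
2020-08-25T09:09:58 powershell.exe 203.0.113.7
2020-08-25T09:15:01 powershell.exe 203.0.113.7
2020-08-25T09:20:00 powershell.exe 203.0.113.7
2020-08-25T09:30:00 chrome.exe twitter.com
"""


def parse_events(lines):
    """Parse log lines into (datetime, process, host) tuples, skipping blanks."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, proc, host = line.split()
        events.append((datetime.fromisoformat(ts), proc.lower(), host.lower()))
    return events


def dead_drop_hits(events):
    """(process, host) pairs where a non-browser process reads a dead-drop site."""
    return sorted({(p, h) for _, p, h in events
                   if h in DEAD_DROP_HOSTS and p not in BROWSERS})


def beacon_candidates(events, min_events=4, max_jitter=0.2):
    """Map (process, host) -> mean interval in seconds for near-periodic contacts.

    A pair is flagged when it has at least min_events contacts and the
    coefficient of variation of the gaps between them is at most max_jitter.
    """
    by_pair = defaultdict(list)
    for ts, p, h in events:
        by_pair[(p, h)].append(ts)
    flagged = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue
        if statistics.pstdev(gaps) / mean <= max_jitter:
            flagged[pair] = round(mean)
    return flagged


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG.splitlines())
    print("dead-drop reads by non-browsers:", dead_drop_hits(evs))
    print("beacon-like pairs (mean interval s):", beacon_candidates(evs))
```

On the sample data the browser's irregular visits to twitter.com are ignored, while PowerShell reading reddit.com and polling 203.0.113.7 at roughly 300-second intervals are both reported. In production the browser allow-list and jitter threshold need tuning per environment, and the same logic applies to any scripting host, not only PowerShell.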

Copyright © 2020 IDG Communications, Inc.