DeathStalker: a detailed look at a mercenary APT group that targets businesses in the Middle East

Kaspersky researchers have published a detailed overview of DeathStalker, a ‘mercenary’ advanced persistent threat (APT) group that has been leveraging efficient espionage attacks on small and medium-sized firms since at least 2013.

DeathStalker is presumably a hacker-for-hire group that targets victims worldwide, further signifying their operations’ size. Despite their global targeting, this group focused on targeting Middle Eastern countries. Kaspersky has seen increased activity in the United Arab Emirates, Lebanon, and Turkey. Experts have also noticed that DeathStalker uses spear-phishing emails to target governments, capital markets, fintech, law firms, and SMBs.

DeathStalker is a unique threat group that mainly focuses on cyber-espionage against law firms and organizations in the financial sector. The threat actor is highly adaptive and notable for using an iterative toolset, making them able to execute effective campaigns. Based on Kaspersky’s analysis, the group potentially started in 2013 and is still active with evolving techniques.

Maher Yamout, Senior Security Researcher at Kaspersky

“DeathStalker is a prime example of a threat actor that organizations in the private sector need to defend themselves against. It will continue to impact organizations in the Middle East and even those that are not traditionally the most security-conscious need to become targets. Its persona-based tactic is what sets it apart from the rest of the APT groups, and at Kaspersky, we urge businesses in the Middle East to stay vigilant of this threat.” Said Maher Yamout, Senior Security Researcher at Kaspersky.

Recent research enabled Kaspersky to link DeathStalker’s activity to three malware families, Powering, Evilnum, and Janicab, which demonstrates the breadth of the groups’ activity carried out since at least 2013. While PoweringKaspersky has traced Powersing malware family since 2018, the other two malware families have been reported on by other cybersecurity vendors. Analysis of code similarities and victimology between the three malware families enabled the researchers to link them with medium confidence.

Our experts at Kaspersky have noticed that these cyber-mercenaries use interactive social engineering to target users. The attacker doesn’t only send a phishing email with the hopes that the target will open it but keeps sending interactive emails with a pretext or a persona. It is a tactic used to gain victims’ attention and lure them to open malicious files.

There is no way of guaranteeing who is behind the keyboard sending malicious emails but a digital signature could solve this issue.

In order to avoid falling victim to a targeted attack by a known or unknown threat actor, Kaspersky researchers recommend implementing the following measures:

Educate employees about phishing attacks: APTs start with a fraudulent email that gains access to your system. Deploy a training program that teaches employees what to look for, what to do and who to notify if they spot something suspicious.
Ensure that the latest updates are installed: APT hackers look to exploit any weakness in a system, which is why it is important to run updates on all cybersecurity programs.
Secure sensitive data: Take the additional safety measures to save your most sensitive information.
Use application whitelisting tools to prevent unauthorized applications from running.
Kaspersky recommends that future awareness training and security product assessments include infection chains based on LNK (shortcut) files.