Introduction

Kaspersky's Global Research team has unveiled a troubling cybercrime spree that is utilizing the popular messaging platform Telegram to deploy Trojan spyware against individuals and businesses involved in the fintech and trading sectors.

Nature of the Malware

This malicious malware is built to harvest sensitive information, such as passwords, and to commandeer user devices for espionage. Researchers have traced the nefarious activities back to the notorious hack-for-hire group DeathStalker, an Advanced Persistent Threat (APT) actor known for providing specialized hacking services and financial intelligence to its clientele.

Recent Attacks

The latest wave of attacks highlighted by Kaspersky involved the recruitment of DarkMe malware, a sophisticated remote access Trojan (RAT) engineered to pilfer confidential data and execute commands remotely from servers under the control of the attackers. Recent technical evaluations indicate that victims were specifically targeted through Telegram channels that cater to trading and fintech discussions. Victims have been identified in over 20 countries spanning Europe, Asia, Latin America, and the Middle East, telling us this threat knows no borders.

Infection Patterns

An in-depth analysis of the infection patterns revealed that the attackers likely included malicious files within innocuous-looking compressed archives shared in the targeted Telegram channels. While these archives—such as RAR or ZIP files—appear harmless, they contained dangerous payloads with extensions like .LNK, .com, and .cmd. Once unsuspecting users open these files, it triggers a chain reaction leading to the installation of the DarkMe malware.

Evolving Tactics

"Rather than relying on conventional phishing tactics, these threat actors have turned to Telegram to disseminate their malware. Earlier operations have also made use of platforms like Skype for infection distribution. This choice of platform may instill a sense of trust in potential victims, making them more inclined to interact with the perpetrator and execute the malicious file, as messaging applications often raise fewer red flags compared to phishing websites," cautioned Maher Yamout, Lead Security Researcher at Kaspersky's Global Research and Analysis Team (GReAT).

Operational Security Measures

While the usual advice emphasizes caution around suspicious emails and links, this emerging trend underscores the need for vigilance even when engaging with instant messaging services like Telegram and Skype.

Post-Compromise Cleaning

In addition to cunning delivery methods, these attackers have sophisticated their approach by enhancing operational security measures and executing thorough post-compromise cleanups. After the DarkMe implant is installed, they systematically erase deployment files, adjusting the malware’s file size to further obscure detection. These criminals not only remove other traces such as post-exploitation tools and registry keys but also proceed meticulously to secure their ongoing operations.

DeathStalker's Background

DeathStalker has remained a significant player in the cybercrime landscape since its inception, with activities documented as far back as 2012. Often described as a cyber-mercenary organization, this group boasts skilled members who develop proprietary tools and possess a profound understanding of the APT ecosystem. Their primary mission? To gather sensitive business, financial, and personal data, often targeting small and medium-sized enterprises along with legal firms and, occasionally, government entities. Notably, they have shown a refusal to direct their efforts toward stealing money, suggesting a focus on private intelligence gathering rather than traditional cybercrime.

Obscuring Identity

Interestingly, DeathStalker has also adopted strategies to obscure their identity by mimicking the tactics of other APT actors and incorporating false flags to further mislead investigators.

Final Thoughts

As the threat landscape continues to evolve, businesses must bolster their defenses and remain alert to the ever-changing tactics employed by these cyber adversaries.