In 2018, researchers at security firm Kaspersky Lab began tracking DeathStalker, their name for a hackers-for-hire group that used simple but effective malware to spy on law and finance firms. Now the researchers have linked the group to two other malware families, including one that dates back to at least 2012.
DeathStalker came to Kaspersky's attention through its use of malware that one researcher called "Powersing". The malware got its name from a 900-line PowerShell script that the attackers put a lot of effort into obfuscating from antivirus software.
Attacks started with spear phishing emails carrying attachments that appeared to be documents but which, through some deft trickery with LNK files, were actually malicious scripts. To keep targets from becoming suspicious, Powersing displayed a decoy document as soon as the target clicked on the attachment.
In addition to the LNK trick, Powersing also tried to evade AV with the help of "dead drop resolvers". These were social media posts that the malware covertly used to retrieve important information it needed, such as which Internet servers to contact and which keys to use to decrypt their contents. The tweet below is just one of the dead drop resolvers used.
The first string contained the AES key for decrypting code, which would then find an integer encoded in the second string. The code would then divide the integer by a constant controlled by the attacker to obtain the IP address to which the infected computer should report.
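The integer-to-address step described above, written out as an analyst helper for recovering the C2 indicator from a captured resolver post. This is an added example, not code from the article or from Kaspersky; the divisor, the marker sentence and the sample post are constructed assumptions (in a real case the divisor and the regular expression come from the decoded PowerShell stage).

```python
import ipaddress
import re
from typing import Iterable, List, Optional

# Hypothetical divisor; in a real case it is recovered from the decoded
# PowerShell stage, not known in advance.
DIVISOR = 1103

# "Hard-coded sentence" that marks the post carrying the encoded address
# (constructed marker, not one observed in the campaign).
MARKER_RE = re.compile(r"My high score today is (\d+)")


def encode_ip(ip: str, divisor: int = DIVISOR) -> int:
    """Integer form of an IPv4 address times the divisor (used to build test data)."""
    return int(ipaddress.IPv4Address(ip)) * divisor


def decode_c2(post: str, divisor: int = DIVISOR) -> Optional[str]:
    """Recover the C2 IPv4 address from a captured dead-drop post, or None."""
    m = MARKER_RE.search(post)
    if not m:
        return None
    value = int(m.group(1))
    if divisor <= 0 or value % divisor != 0:
        return None  # not an exact multiple: wrong constant or unrelated number
    raw = value // divisor
    if raw > 0xFFFFFFFF:
        return None  # does not fit in 32 bits, so it cannot be an IPv4 address
    return str(ipaddress.IPv4Address(raw))


def extract_iocs(posts: Iterable[str]) -> List[str]:
    """Run the decoder over a batch of captured posts and keep the hits."""
    return [ip for ip in (decode_c2(p) for p in posts) if ip]


# Constructed sample post; 203.0.113.10 is a documentation-range address,
# and 3756601575958 == int(203.0.113.10) * 1103.
SAMPLE_POST = "My high score today is 3756601575958 #retro"

if __name__ == "__main__":
    print(decode_c2(SAMPLE_POST))  # 203.0.113.10
```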
The internet never forgets
"By relying on well-known public services, cybercriminals can integrate the initial backdoor communication with legitimate network traffic," wrote Kaspersky Lab researchers Ivan Kwiatkowski, Pierre Delcher and Maher Yamout in a post published on Monday. They continued:
It also limits what defenders can do to impede their operations, as these platforms generally cannot be blocked at the enterprise level and content can be difficult and tedious to remove from them. This comes at a price, however: the Internet never forgets, and it is also difficult for cybercriminals to remove traces of their business. Thanks to the data indexed or archived by search engines, we estimate that Powersing was first used in August 2017.
The researcher who coined the Powersing name speculated that the malware may be linked to another malware family called Janicab, which dates back to at least 2012. Kaspersky Lab researchers analyzed a Janicab sample published in 2015 by AV provider F-Secure.
They found that Janicab used the same LNK and decoy-document tricks to gain access to a computer's command shell. They also noticed that Janicab connected to an unlisted YouTube video and used the same integer math to obtain control server information. Other similarities: both pieces of malware regularly sent screenshots captured from the desktop, both allowed attacker-supplied scripts to run, and both used the exact same list of MAC addresses to detect the virtual machines that security researchers use to reverse engineer malware.
Kaspersky Lab researchers then examined a newer malware family called Evilnum, which AV provider Eset described in detail last month in a report on another LNK-based infection chain. Kaspersky Lab found that Evilnum used the same dead-drop resolver and integer math tricks to locate its control servers. Other similarities were variables with similar or identical names and overlapping targets.
Monday's post summarized the similarities as follows:
- All three are distributed via .lnk files contained in archives delivered by spear phishing
- They obtain C&C information from dead-drop resolvers using regular expressions and hard-coded sentences
- IP addresses are obtained in the form of integers, which are then divided by a hard-coded constant before conversion
- Minor code overlaps between the three malware families could indicate that they were developed by the same team or within a group that shares software development practices
- The three malware families all have screenshot capture capabilities. While this is not original in itself, it is usually not one of the development priorities of such groups and could indicate a common design specification
- While we don't have a lot of information on Janicab's victimology, Powersing and Evilnum go after business intelligence, albeit in different industries. Both activities are consistent with the hypothesis that they are led by a mercenary outfit
The similarities are by no means a smoking gun, the researchers said, but together they give the researchers "medium confidence" that Powersing, Janicab, and Evilnum are operated by the same group.
"In this blog post, we described a modern chain of infection that is still actively used and developed by a threat actor today," the researchers conclude. "It doesn't contain any innovative tricks or sophisticated methodology, and certain components of the chain can actually seem unnecessarily tangled. However, if the hypothesis that the same group is behind Janicab and Powersing is correct, it suggests that they have been using the same methods since 2012. In the infosec world, it doesn't get any more 'proven' than this."