It sounds like a science fiction movie. The DeathStalker hack-for-hire group has updated an evasive toolkit called “VileRat” to attack cryptocurrency and foreign currency exchange companies in Bulgaria, Cyprus, Germany, the Grenadines, Kuwait, and Malta, the United Arab Emirates and Russia.
Kaspersky researchers have been tracking attack campaigns from DeathStalker, an infamous hack-for-hire actor, since 2018. It mainly targets law firms and organisations in the financial sector. The threat actor stands out since its attacks do not seem to be politically or financially motivated. Kaspersky researchers believe DeathStalker acts as a mercenary organisation, offering specialised hacking or financial intelligence services.
In 2020, Kaspersky researchers published an overview of DeathStalker’s profile and malicious activities, including their Janicab, Evilnum, PowerSing and PowerPepper campaigns. The company’s experts discovered a new and highly evasive infection, based on the “VileRAT” Python implant, in mid-2020. Experts have been closely monitoring actors’ activity since and discovered it aggressively targeted foreign currency (FOREX) and cryptocurrency trading companies all over the world in 2022.
VileRat is typically deployed after an intricate infection chain, which starts from spearphishing emails. This European summer, the attackers also leveraged chatbots that are embedded in targeted companies’ public websites to send malicious documents. The DOCX documents are frequently named using the “compliance” or “complaint” keywords (as well as the name of the targeted company), suggesting the attacker is answering an identification request or reporting an issue, to veil the attack.
The VileRAT campaign stands out due to its tools sophistication and vast malicious infrastructure (compared to the previously documented DeathStalker activities), the numerous obfuscation techniques that are used all along the infection, as well as its continuous and persistent activity since 2020. The VileRAT campaign demonstrates that DeathStalker is making a tremendous effort to develop and maintain access to its targets. The possible goal of the attacks range from due diligence, asset recovery, litigation or arbitration cases support, to working around sanctions, but it still does not appear to be direct financial gain.
VileRat does not show any interest in targeting particular countries, instead, Kaspersky researchers report indiscriminate advanced attacks using VileRat all around the globe, with compromised organisations in Bulgaria, Cyprus, Germany, the Grenadines, Kuwait, Malta, the United Arab Emirates and Russia. It should be noted that the identified organisations range from recent startups to established industry leaders.
‘Escaping detection has always been a goal for DeathStalker, for as long as we’ve tracked the threat actor. But the VileRAT campaign took this desire to another level: it is undoubtedly the most intricate, obfuscated and tentatively evasive campaign we have ever identified from this actor. We believe DeathStalker’s tactics and practices are sufficient (and proven to be) to act on soft targets who may not be experienced enough to withstand such a level of determination and may not have made security one of their organisation’s top priorities, or who frequently interact with third parties that have not done so,’ says Pierre Delcher, a senior security researcher at Kaspersky’s GReAT.
Read more about VileRat and its evasion techniques at Securelist.
To protect your organisations from attacks like VileRat, Kaspersky experts recommend:
- Providing your SOC team with access to the latest threat intelligence (TI). The Kaspersky Threat Intelligence Portal is a single point of access for the company’s TI, providing cyberattack data and insights gathered by Kaspersky over the past 20 years. To help businesses enable effective defences in these turbulent times, Kaspersky announced free access to independent, continuously updated and globally sourced information on ongoing cyberattacks and threats. Request access online.
- Upskilling your cybersecurity team to enable them to tackle the latest targeted threats with Kaspersky online training, developed by GReAT experts.
- Using an enterprise-grade EDR solution, such as Kaspersky EDR Expert. It is essential for detecting threats among a sea of scattered alerts – thanks to its automatic merging of alerts into incidents – as well as to analyse and respond to an incident in the most effective way.
- In addition to adopting essential endpoint protection, implementing a corporate-grade security solution that detects advanced threats on the network level at an early stage, such as the Kaspersky Anti Targeted Attack Platform.
- Introducing security awareness training and teaching practical skills to your team – using tools such as the Kaspersky Automated Security Awareness Platform, as many targeted attacks start with social engineering techniques, such as phishing.