Attackers using Telegram are delivering Trojan spyware to individuals and businesses in the fintech and trading industries in multiple countries around the world, including Pakistan, reveals a report by Kaspersky's Global Research and Analysis Team (GReAT).
The malware is designed to steal sensitive data and take control of users’ devices.
The global malicious campaign is linked to DeathStalker, an infamous hack-for-hire actor offering specialized hacking and financial intelligence services.
In the recent attacks, victims are infected with DarkMe malware – a remote access Trojan, capable of stealing information and executing remote commands.
DeathStalker, previously known as Decepticons, is a group active since 2018, and probably even since 2012. It typically targets small and medium-sized enterprises, financial and fintech companies, and law firms, and on a few occasions governmental institutions.
Despite going after these types of targets, DeathStalker has never been seen stealing funds, which is why Kaspersky believes it to be a private intelligence outfit.
“Threat actors relied on Telegram channels to deliver the malware. In earlier campaigns, we also observed this operation using other messaging platforms, such as Skype, as a vector for initial infection. This method may make potential victims more inclined to trust the sender and open the malicious file,” said Maher Yamout, Lead Security Researcher at GReAT, while advising vigilance against suspicious emails and links.
The analysis reveals that the attackers were most likely attaching malicious archives to posts in Telegram channels. The archives themselves were not malicious, but they contained harmful files with extensions. If a potential victim launched these files, a series of actions led to the installation of the final-stage malware, DarkMe.
After installation, the malware removes the files used to deploy the DarkMe implant. To further hinder analysis and try to evade detection, perpetrators increased the implant’s file size and deleted other footprints, such as post-exploitation files, tools, and registry keys, after achieving their goal.
The group also tends to avoid attribution of its activities by mimicking other APT actors and planting false flags.
For personal security, Kaspersky recommends installing a trusted security solution and following its recommendations. Organizations are advised to give their InfoSec professionals in-depth visibility into the cyber threats targeting organizations in their sector.