Admin      12/06/2020 10:30      114

The DeathStalker cyberspy group and its tool set

The DeathStalker group targets relatively small companies and their trade secrets.

Our experts have identified a cybercriminal group that specializes in stealing trade secrets. Judging by its targets so far, the group is interested mainly in attacking fintech companies, law firms, and financial advisors, although in at least one case, it also attacked a diplomatic entity. Such a choice of targets may indicate that this group, code-named DeathStalker, is either looking for particular information to sell or offering an “attack on demand” service. In other words, the group is mercenary. The DeathStalker group has been active since 2018 or earlier, and possibly since 2012. Its use of the Powersing implant is what first caught our experts’ attention. More recent operations employ similar methods as well.


The attack.

First, the criminals penetrate the victim’s network using spear phishing, and then they send a malicious LNK file disguised as a document to an employee of the organization. The file is a shortcut that launches the system’s command line interpreter, cmd.exe, and uses it to execute a malicious script. The victim is shown a meaningless document in PDF, DOC, or DOCX format, which creates the illusion that they opened a normal file. Interestingly, the malicious code does not contain the C&C server’s address. Instead, the program accesses a post that is published on a public platform, where it reads a string of characters that at first glance seem meaningless. In fact, it is encrypted information designed to activate the next stage of the attack. This type of tactic is known as the dead drop resolver. During the next stage, the attackers seize control of the computer, place a malicious shortcut in the autorun folder (so that it continues to run on the system), and establishes a connection with the real C&C server (though only after it decodes its address from what appears to be another meaningless string published on a legitimate website).

Ways of deceiving security mechanisms.

At all stages, this malware uses various methods to bypass security technologies, and its choice of method depends on the target. Moreover, if it identifies an antivirus solution on the target computer, the malware can change tactics or even disable itself. Our experts believe that the cybercriminals study the target and fine-tune their scripts for each attack. But DeathStalker’s most curious technique is the use of public services as a dead-drop-resolver mechanism. In essence, these services allow encrypted information to be stored at a fixed address in the form of publicly accessible posts, comments, user profiles, and content descriptions.

How to protect your company from DeathStalker.

How to protect your company from DeathStalker A description of the group’s methods and tools provides a good illustration of what threats even a relatively small company can face in the modern world. Of course, the group is hardly an APT actor, and it does not use any particularly complicated tricks. However, its tools are tailored to bypass many security solutions.

The DeathStalker cyberspy group and its tool set.


The DeathStalker group targets relatively small companies and their trade secrets.