Threat Group DeathStalker Uses PowerShell-based Implant Powersing to Hack into Financial Services Firms



deathstalker use powershellApparently focused on more intelligence gathering than taking direct malicious action against the organizations they compromise, this attack is filled with ingenuity.

The creativity used by cybercriminals never ceases to amaze me. And, in the case of the DeathStalker group, I’m thoroughly impressed. According to security researchers at Kaspersky in a guest blog post, the attack chain used by DeathStalker seems to be intent on gathering sensitive business information rather than deploy malware, ransomware, or any other malicious action normally seen for financial gain.

What makes this attack so interesting is the resourcefulness found in the details. According to the article, the Powersing attack includes some of these capabilities:

  • A modified .LNK file is used as the malicious attachment that launched CMD.EXE, then PowerShell
  • An embedded decoy document is presented to the user while it continues its malicious actions to keep them from becoming suspicious
  • It uses drop dead resolvers – URLs that point to posts or content in legitimate sites that contain Base64 encoded strings, such as the following
sl_decepticons_deathstalker_04
  • The encoded strings reveal the address of the command and control (C2) server
  • The malware sends the C2 server screenshots periodically
  • The malware waits on the C2 server to execute desired PowerShell scripts

As previously mentioned, these attacks appear to be more hacking-for-hire than traditional cybercriminal attacks where the intent is immediately obvious, such as ransomware attacks.

What still remains the same is the method by which these attacks transpire. Spear phishing is the initial attack vector, which puts the user within your organization squarely in the middle of the attack; if they don’t engage with the .LNK attachment, the attack is over. Users that undergo Security Awareness Training are able to more effectively identify social engineering tactics inside emails, lowering the likelihood of clicking malicious attachments or links and, thus, stopping attacks in their tracks.


Request A Demo: Security Awareness Training

products-KB4SAT6-2-1New-school Security Awareness Training is critical to enabling you and your IT staff to connect with users and help them make the right security decisions all of the time. This isn't a one and done deal, continuous training and simulated phishing are both needed to mobilize users as your last line of defense. Request your one-on-one demo of KnowBe4's security awareness training and simulated phishing platform and see how easy it can be!

Save My Spot!

PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

https://info.knowbe4.com/kmsat-request-a-demo

Subscribe To Our Blog


New call-to-action




Get the latest about social engineering

Subscribe to CyberheistNews