Skip to content
Search
  • There are no suggestions because the search field is empty.
Cancel
Get Started Now

    Security Awareness Training Blog

    Threat Group DeathStalker Uses PowerShell-based Implant Powersing to Hack into Financial Services Firms

    deathstalker use powershellApparently focused on more intelligence gathering than taking direct malicious action against the organizations they compromise, this attack is filled with ingenuity.

    The creativity used by cybercriminals never ceases to amaze me. And, in the case of the DeathStalker group, I’m thoroughly impressed. According to security researchers at Kaspersky in a guest blog post, the attack chain used by DeathStalker seems to be intent on gathering sensitive business information rather than deploy malware, ransomware, or any other malicious action normally seen for financial gain.

    What makes this attack so interesting is the resourcefulness found in the details. According to the article, the Powersing attack includes some of these capabilities:

    • A modified .LNK file is used as the malicious attachment that launched CMD.EXE, then PowerShell
    • An embedded decoy document is presented to the user while it continues its malicious actions to keep them from becoming suspicious
    • It uses drop dead resolvers – URLs that point to posts or content in legitimate sites that contain Base64 encoded strings, such as the following
    sl_decepticons_deathstalker_04
    • The encoded strings reveal the address of the command and control (C2) server
    • The malware sends the C2 server screenshots periodically
    • The malware waits on the C2 server to execute desired PowerShell scripts

    As previously mentioned, these attacks appear to be more hacking-for-hire than traditional cybercriminal attacks where the intent is immediately obvious, such as ransomware attacks.

    What still remains the same is the method by which these attacks transpire. Spear phishing is the initial attack vector, which puts the user within your organization squarely in the middle of the attack; if they don’t engage with the .LNK attachment, the attack is over. Users that undergo Security Awareness Training are able to more effectively identify social engineering tactics inside emails, lowering the likelihood of clicking malicious attachments or links and, thus, stopping attacks in their tracks.

     

    Return To KnowBe4 Security Blog

    Request A Demo: Security Awareness Training

    products-KB4SAT6-2-1New-school Security Awareness Training is critical to enabling you and your IT staff to connect with users and help them make the right security decisions all of the time. This isn't a one and done deal, continuous training and simulated phishing are both needed to mobilize users as your last line of defense. Request your one-on-one demo of KnowBe4's security awareness training and simulated phishing platform and see how easy it can be!

    Request a Demo!

    PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

    https://www.knowbe4.com/kmsat-security-awareness-training-demo

    Topics: Social Engineering, Spear Phishing, Security Awareness Training, Ransomware

    Stu Sjouwerman

    ABOUT STU SJOUWERMAN

    Stu Sjouwerman (pronounced “shower-man”) is the founder and CEO of KnowBe4, Inc., which hosts the world’s most popular integrated security awareness training and simulated phishing platform, with over 54,000 organization customers and more than 50 million users. A serial entrepreneur and data security expert with 30 years in the IT industry, Stu was the co-founder of Inc. 500 company Sunbelt Software, a multiple award-winning anti-malware software company that was acquired in 2010.

    Read more from Stu »

    Subscribe to Our Blog


    Security Awareness Training
    Blog RSS Feed
    Comprehensive Anti-Phishing Guide
    All Posts

    Posts by Tag

    See all

    Posts By Topic

    View All

    Get the latest about social engineering

    Subscribe to CyberheistNews