Apparently focused more on intelligence gathering than on taking direct malicious action against the organizations it compromises, this attack is filled with ingenuity.
The creativity used by cybercriminals never ceases to amaze me. And, in the case of the DeathStalker group, I’m thoroughly impressed. According to security researchers at Kaspersky, writing in a guest blog post, the attack chain used by DeathStalker seems intent on gathering sensitive business information rather than deploying malware, ransomware, or any of the other malicious actions normally seen in attacks for financial gain.
What makes this attack so interesting is the resourcefulness found in the details. According to the article, the Powersing attack includes the following capabilities:
- A modified .LNK file is used as the malicious attachment; it launches CMD.EXE, which then launches PowerShell
- An embedded decoy document is presented to the user while the malware continues its malicious actions in the background, so the user does not become suspicious
- It uses dead drop resolvers: URLs that point to posts or content on legitimate sites that contain Base64-encoded strings, such as the following
- The encoded strings reveal the address of the command-and-control (C2) server
- The malware periodically sends screenshots to the C2 server
- The malware waits for the C2 server to supply the PowerShell scripts it should execute
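As an added illustration (not code from the Kaspersky research or from this post), here is a small hunting heuristic a defender could run over content captured from the legitimate sites a dead drop resolver points to: it pulls out Base64-looking tokens and flags any that decode to a URL or an IP:port pair, the shape a hidden C2 address takes. The sample post text and the 192.0.2.10 TEST-NET address are constructed.

```python
import base64
import binascii
import re
from typing import List, Optional, Tuple

# Candidate Base64 tokens: long runs of the Base64 alphabet with optional padding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# What a decoded dead-drop value tends to look like: a URL or an IP:port pair.
ENDPOINT = re.compile(r"^(?:https?://\S+|(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?)$")


def decode_strict(token: str) -> Optional[str]:
    """Decode token as Base64; return text only if it is valid and printable ASCII."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def find_dead_drop_candidates(content: str) -> List[Tuple[str, str]]:
    """Return (token, decoded) pairs whose decoded text looks like a C2 endpoint."""
    hits = []
    for token in B64_TOKEN.findall(content):
        decoded = decode_strict(token)
        if decoded and ENDPOINT.match(decoded.strip()):
            hits.append((token, decoded.strip()))
    return hits


# Constructed sample "post" standing in for content fetched from a legitimate site.
BENIGN_TOKEN = base64.b64encode(b"Thanks for the tip, very helpful").decode()
SAMPLE_POST = "\n".join([
    "Great write-up, thanks for sharing.",
    BENIGN_TOKEN,                          # decodes to harmless text, must not be flagged
    "Signature: MTkyLjAuMi4xMDo4NDQz",     # decodes to 192.0.2.10:8443 (TEST-NET, constructed)
])

if __name__ == "__main__":
    for token, endpoint in find_dead_drop_candidates(SAMPLE_POST):
        print(f"possible dead drop resolver value: {token} -> {endpoint}")
```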
As previously mentioned, these attacks appear to be more hacking-for-hire than traditional cybercriminal attacks, where the intent is immediately obvious, as in ransomware attacks.
What remains the same is the method by which these attacks transpire. Spear phishing is the initial attack vector, which puts the user within your organization squarely in the middle of the attack; if they don’t engage with the .LNK attachment, the attack is over. Users who undergo Security Awareness Training are better able to identify social engineering tactics inside emails, lowering the likelihood of clicking malicious attachments or links and, thus, stopping attacks in their tracks.