Crypto and foreign exchanges targeted by the DeathStalker gang

August 17, 2022
Cryptocurrency Foreign Exchanges Forex DeathStalker Threat Gang

The DeathStalker threat group is still active in the cyber threat landscape, spreading its VileRAT malware against foreign exchange and cryptocurrency exchange firms worldwide. DeathStalker's first campaign was detected in September 2020, and the most recent one in June 2022; across that period, the attacks have mostly used the VileRAT malware.

In an advisory on the threat group, researchers noted that the VileRAT malware has been upgraded and used against similar targets since 2020. The recently identified attacks also concerned the researchers because they showed the gang intensifying its efforts to hit its targets with VileRAT.


More samples of files infected with VileRAT were identified upon assessing the tactics performed against the targeted crypto and foreign exchanges.


One of the campaigns observed was in 2020, when the DeathStalker group used phishing against foreign exchange firms to spread the VileRAT malware. The initial documents, hosted on Google Drive, were harmless in themselves, but they contained a link to a second, macro-enabled file that could start the infection.

In 2021, experts noticed a slight change in this tactic, although it still relied on malware-laced Word files sent through phishing emails to targets such as crypto and foreign exchanges.

This year was different, according to the analysts: they spotted campaigns that still used VileRAT but with a shift in tactics. In these new campaigns, the threat group leveraged the chatbots embedded in the public websites of the targeted firms, sending the malicious documents through them.

This initial infection would be followed by delivery of an obfuscated JavaScript file to the victims' compromised machines, which would schedule the launch of VileRAT's installer, called VileLoader.
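The chain described above has two links a defender can watch for on an endpoint: an Office document spawning a script host, and a script host creating a scheduled task. The following is an added detection sketch, not code from the article or from the researchers it cites. It assumes the JavaScript stage runs under the Windows Script Host (wscript.exe or cscript.exe) and that scheduling goes through schtasks.exe; both are assumptions, as the article names neither. The process-creation log lines and their pipe-delimited layout are constructed for this example and do not correspond to any product's real format.

```python
"""Flag process-creation events matching the Office -> script host -> scheduled task chain.

The log format and the sample events below are constructed for this example.
The choice of wscript/cscript and schtasks.exe as the relevant processes is an
assumption about how the chain would look on a Windows host, not a fact from the article.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCHEDULER = "schtasks.exe"
# Locations a user can write to without elevation; a scheduled task pointing here is a red flag.
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\users\\public\\")


@dataclass(frozen=True)
class ProcEvent:
    ts: str
    parent: str
    image: str
    cmdline: str


def parse_line(line: str) -> ProcEvent:
    """Parse one constructed record: '<timestamp>|<parent image>|<image>|<command line>'."""
    ts, parent, image, cmdline = line.rstrip("\n").split("|", 3)
    return ProcEvent(ts, parent.lower(), image.lower(), cmdline)


def classify(ev: ProcEvent) -> List[str]:
    """Return the names of every detection rule the event matches (possibly none)."""
    hits: List[str] = []
    cmd = ev.cmdline.lower()
    # Link 1: a macro-enabled document launching a script interpreter.
    if ev.parent in OFFICE_APPS and ev.image in SCRIPT_HOSTS:
        hits.append("office_spawns_script_host")
    # Link 2: the script stage persisting a later launch via the task scheduler.
    if ev.parent in SCRIPT_HOSTS and ev.image == SCHEDULER and "/create" in cmd:
        hits.append("script_host_creates_scheduled_task")
        if any(hint in cmd for hint in USER_WRITABLE_HINTS):
            hits.append("scheduled_task_targets_user_writable_path")
    return hits


def scan(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Run every rule over a log stream and return (timestamp, rule) alerts in order."""
    alerts: List[Tuple[str, str]] = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        alerts.extend((ev.ts, rule) for rule in classify(ev))
    return alerts


# Constructed sample log: one benign Office launch, the suspicious chain, and two benign events.
SAMPLE_LOG = r"""
2022-06-01T09:58:10Z|explorer.exe|winword.exe|"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" C:\Users\trader\Downloads\statement.docm
2022-06-01T09:58:41Z|winword.exe|wscript.exe|wscript.exe C:\Users\trader\AppData\Local\Temp\update.js
2022-06-01T09:58:43Z|wscript.exe|schtasks.exe|schtasks.exe /create /sc minute /mo 5 /tn Updater /tr "C:\Users\trader\AppData\Roaming\loader.exe"
2022-06-01T10:02:00Z|services.exe|svchost.exe|svchost.exe -k netsvcs
2022-06-01T10:05:00Z|cmd.exe|schtasks.exe|schtasks.exe /query
""".strip().splitlines()


if __name__ == "__main__":
    for ts, rule in scan(SAMPLE_LOG):
        print(ts, rule)
```

The benign `schtasks.exe /query` from a shell and the Office launch itself produce no alert; only the script host spawned by Word and the task it creates do. In a real deployment the three rule names would map onto process-creation telemetry fields (parent image, image, command line) rather than this constructed delimiter format.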

The VileRAT malware is a Python implant capable of remote code execution, keylogging, self-updating through the threat operators' C2 server, and other destructive capabilities. It is also the most intricate, elusive, and obfuscated of the malware strains used by DeathStalker.

Despite these capabilities, experts believe that many advanced anti-virus tools can still effectively detect the malware's presence on a machine and stop it from completing the infection.
