Kaspersky experts have identified new functionalities within the Janicab malware, which is being used by a mercenary APT group DeathStalker to infiltrate specific organisations within a number of industries.
The new variant has been spotted across European and Middle Eastern territories and is leveraging legitimate external web services such as YouTube as part of the infection chain.
Unlike the more familiar damage caused by cyberattacks, such as digital blackmail or ransomware, Janicab infections can lead to targeted logistical and legal challenges, an advantage handed to rivals, sudden audits with prejudice and misuse of intellectual property, to name a few.
Janicab can be considered a modular, interpreted-language malware, which means that the threat actor is able to add or remove functions or embedded files with very little effort. Based on Kaspersky telemetry, even though the delivery mechanism remains spear-phishing, newer Janicab variants have changed significantly in structure, with archives containing several Python files and other artifacts used later in the intrusion lifecycle. Once a victim is tricked into opening the malicious file, a series of chained malware files is subsequently dropped.
One of the distinctive features of DeathStalker is its use of dead drop resolvers (DDRs) hosted on legitimate web services: an encoded string is placed on the service and later deciphered by the malware implant to obtain its C2 address. According to a new report, Kaspersky identified the reuse of old YouTube links that were already present in 2021 intrusions. Because unlisted web links are unintuitive and hard to find, the threat actor is able to operate undetected and reuse C2 infrastructure.
The affected entities that fall within the traditional sphere of DeathStalker are primarily legal and financial investment management (FSI) institutions. However, Kaspersky has also recorded threat activity affecting travel agencies. Europe and the Middle East were also seen as typical areas of operation for DeathStalker, with varying intensity between countries.
“As legal and financial institutions are a common target for this threat actor, we can safely assume that DeathStalker’s main goals rely on the looting of confidential information regarding legal disputes involving VIPs and large financial assets, competitive business intelligence and insights into mergers and acquisitions,” commented Dr. Amin Hasbini, Head of Research Center, META, Global Research and Analysis Team, Kaspersky. “Organisations operating in these industries should proactively prepare for such intrusions and/or update their threat model to ensure data remains safe,” he added.
Since the threat actor continues to use interpreted-language malware such as Python, VBE and VBS across both historical and recent intrusions, affected institutions should rely on application whitelisting and OS hardening as effective techniques to block intrusion attempts. Defenders should also look for Internet Explorer processes running without a GUI, since Janicab uses Internet Explorer in hidden mode to communicate with the C2 infrastructure.
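As an added illustration of that last hunt (example code written for this article, not Kaspersky's or the Securelist report's), the PowerShell function below lists Internet Explorer processes that own no visible top-level window and reports the parent process for context. It assumes a Windows host that still has Internet Explorer installed and an account allowed to query other users' processes.

```powershell
# Added example: enumerate iexplore.exe instances with no visible main window,
# the "hidden mode" behaviour the article attributes to Janicab's C2 channel.
function Find-HiddenInternetExplorer {
    # Win32_Process supplies parent PID and command line; Get-Process supplies
    # MainWindowHandle, which is 0 when the process has no visible top-level window.
    $procs = Get-CimInstance Win32_Process -Filter "Name = 'iexplore.exe'"
    foreach ($p in $procs) {
        $gp = Get-Process -Id $p.ProcessId -ErrorAction SilentlyContinue
        if ($null -eq $gp) { continue }          # process exited between queries
        if ($gp.MainWindowHandle -ne 0) { continue }  # has a visible window: not hidden

        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
        $parentName = if ($parent) { $parent.Name } else { '<exited>' }

        # IE's own tab/content processes are children of the frame process and
        # legitimately have no main window, so skip those to reduce noise.
        if ($parentName -eq 'iexplore.exe') { continue }

        # Parent is reported for triage only: COM-activated IE (the usual way a
        # script drives it invisibly) often shows svchost.exe as parent rather
        # than the script interpreter, so the hidden window is the primary signal.
        [PSCustomObject]@{
            ProcessId   = $p.ProcessId
            ParentId    = $p.ParentProcessId
            ParentName  = $parentName
            User        = (Invoke-CimMethod -InputObject $p -MethodName GetOwner).User
            CommandLine = $p.CommandLine
        }
    }
}

Find-HiddenInternetExplorer | Format-Table -AutoSize
```

Any hit deserves a look at the process's network connections and at what launched it; run the check periodically or from an EDR response action rather than once, since the hidden instance may only exist while a beacon is in progress.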
More information about the event logs technique can be found at Securelist.com.