Islamabad: Kaspersky’s Global Research and Analysis Team (GReAT) has revealed a widespread cyber campaign in which cybercriminals used Telegram to distribute Trojan spyware. The campaign is believed to target both individuals and businesses in the financial technology (fintech) and trading sectors across multiple regions, including Europe, Asia (including Pakistan), Latin America, and the Middle East. The malware is specifically designed to steal sensitive data, such as login credentials, and gain control over victims’ devices for espionage purposes.
The operation is suspected to be associated with DeathStalker, a notorious hack-for-hire Advanced Persistent Threat (APT) group that offers specialized hacking and financial intelligence services. In the recent wave of attacks detected by Kaspersky, the attackers attempted to infect victims with DarkMe, a remote access Trojan (RAT) that is capable of stealing data and executing remote commands from a server controlled by the attackers.
DeathStalker, previously known as Deceptikons, has been active since at least 2018, with some reports suggesting their activity dates back to 2012. The group’s primary objective appears to be the collection of business, financial, and personal information, which they may use for competitive advantage or sell to clients for business intelligence purposes. Their typical targets include small to medium-sized businesses, financial institutions, fintech companies, law firms, and occasionally government entities. Notably, DeathStalker has never been observed stealing money, which leads Kaspersky to suspect that the group operates as a private intelligence agency rather than a criminal organization.
Unlike traditional phishing tactics, the attackers in this campaign used Telegram channels as a delivery method for the malware. Previous campaigns have seen the use of other messaging platforms like Skype to distribute malicious files, a method that might make victims more likely to trust the source and open the files. Moreover, files delivered through messaging apps may trigger fewer security alerts than those downloaded via web browsers, making this approach more effective for the attackers.
Maher Yamout, Lead Security Researcher at GReAT, explains, “While we often warn against suspicious emails and links, this campaign underscores the importance of exercising caution even when using instant messaging apps like Skype and Telegram.”
An analysis of the infection process reveals that the attackers likely posted malicious archives in Telegram channels. These archives, such as RAR or ZIP files, were not inherently harmful, but contained malicious files with extensions like .LNK, .com, and .cmd. Once victims opened these files, the final-stage malware, DarkMe, was installed on their devices.
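The infection chain above hinges on an archive that looks harmless but carries a shortcut or script beside a decoy document. The following added example (not Kaspersky's code, and not tied to any real DarkMe sample) shows a defender-side triage check that lists executable-type members inside a ZIP received from a chat client; the extension set and the sample archive contents are the example's own assumptions, and RAR archives would need an extra library.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions the article names as the malicious members (.LNK, .com, .cmd)
# plus a few close relatives of the same class. This set is an assumption of
# the example, not a list published by Kaspersky.
RISKY_EXTENSIONS = {".lnk", ".com", ".cmd", ".bat", ".scr", ".pif", ".js", ".vbs"}


def inspect_zip(data: bytes) -> dict:
    """Summarise executable-type members inside a ZIP archive given as bytes."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            suffixes = [s.lower() for s in PurePosixPath(info.filename).suffixes]
            ext = suffixes[-1] if suffixes else ""
            if ext not in RISKY_EXTENSIONS:
                continue
            # "report.pdf.lnk" is a classic lure: Windows acts on the last
            # suffix, the earlier one is only bait for the reader.
            flagged.append({
                "name": info.filename,
                "ext": ext,
                "size": info.file_size,
                "double_ext": len(suffixes) > 1,
            })
    return {"flagged": flagged, "risky": bool(flagged)}


def build_sample_archive(include_payloads: bool = True) -> bytes:
    """Constructed sample: a decoy document, optionally with a .LNK and a .cmd
    beside it as the article describes. Contents are placeholder bytes only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Q3_trading_report.pdf", b"%PDF-1.4 decoy document")
        if include_payloads:
            zf.writestr("Q3_trading_report.pdf.lnk", b"L\x00\x00\x00 placeholder")
            zf.writestr("setup.cmd", b"@echo placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for hit in inspect_zip(build_sample_archive())["flagged"]:
        print(f"{hit['name']}: {hit['ext']} double_ext={hit['double_ext']}")
```

Flagging alone is a triage signal, not a verdict: a legitimate archive can contain a .cmd, so the result is best used to route the file to sandboxing rather than to block outright.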
To increase their chances of evading detection, the attackers employed operational security measures after the malware was installed. They deleted the files used to deploy DarkMe and made the implant’s file size larger to confuse analysis. The perpetrators also erased other traces, such as post-exploitation tools, files, and registry entries, in an attempt to avoid detection.
The group also displays a tendency to mislead investigators by imitating other threat actors and inserting false flags to divert attention from their true identity.
Kaspersky’s Recommendations for Personal and Organizational Security:
- For Individuals: Install a reputable security solution and follow its guidance.
- For Organizations: Cybersecurity teams should maintain comprehensive visibility into the threats targeting their industry. Kaspersky’s Threat Intelligence service provides crucial context for incident management and helps identify cyber risks early. InfoSec professionals can improve their skills through Kaspersky’s specialized training, which offers practical, hands-on experience to defend against complex attacks. Training is available in various formats, including self-paced online courses and instructor-led sessions.
- For Businesses: To safeguard against a wide array of threats, Kaspersky recommends using the Kaspersky Next product line, which provides real-time protection, threat visibility, investigation tools, and response capabilities.
By following these steps, individuals and organizations can significantly enhance their defense against sophisticated cyber threats.