Kaspersky’s Global Research and Analysis Team (GReAT) has revealed a global malicious campaign where attackers are using Telegram to distribute Trojan spyware, potentially targeting individuals and businesses in the fintech and trading industries.

The malware is designed to steal sensitive data, such as passwords, and gain control of users’ devices for espionage.

This campaign appears to be linked to DeathStalker, a notorious hack-for-hire Advanced Persistent Threat (APT) actor known for its specialised hacking and financial intelligence services.

Recent attacks observed by Kaspersky indicate that threat actors attempted to infect victims with DarkMe malware – a remote access Trojan (RAT) designed to steal information and execute remote commands from a server controlled by the perpetrators.

The threat actors behind this campaign seem to have focused on victims within the trading and fintech sectors, as technical indicators suggest the malware was likely distributed via Telegram channels dedicated to these topics.

The campaign was widespread, with Kaspersky identifying victims across more than 20 countries in Europe, Asia, Latin America, and the Middle East.

An analysis of the infection chain shows that attackers were likely attaching malicious archives to posts in Telegram channels. The archives themselves (RAR or ZIP) were only containers and not inherently malicious; the harmful content was the files inside them, which used extensions such as .lnk (Windows shortcut), .com (executable) and .cmd (batch script).

Launching any of these files started a multi-stage chain that ended with the installation of the final-stage malware, DarkMe.
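As an added illustration of the delivery stage described above (this is example code written for this page, not Kaspersky's tooling and not DarkMe), the script below inspects a ZIP attachment before anyone opens it and flags members whose final extension is one of the dropper types the article names. It also catches the two common tricks a naive check misses: double extensions such as `report.pdf.lnk`, and a risky file hidden inside a nested archive. The extension list is extended beyond the three the article mentions (.lnk, .com, .cmd) with other script and executable types; that extension list, the sample archive, and the file contents are all constructed assumptions. RAR is not handled because the Python standard library has no RAR reader.

```python
import io
import zipfile
from pathlib import PurePosixPath

# File types the campaign reportedly used as first-stage droppers inside
# RAR/ZIP attachments (.lnk shortcut, .com executable, .cmd batch script).
# The remaining entries are an assumed extension of that list; adjust per policy.
RISKY_EXTENSIONS = {".lnk", ".com", ".cmd", ".bat", ".exe", ".scr", ".js", ".vbs", ".hta", ".ps1"}


def is_risky_name(name: str) -> bool:
    """True if the member's final extension is on the block list.

    The comparison is case-insensitive and looks only at the last suffix,
    so a double-extension lure such as 'Q3_report.pdf.lnk' is still caught.
    Backslashes are normalised because some packers write Windows paths.
    """
    suffix = PurePosixPath(name.replace("\\", "/")).suffix.lower()
    return suffix in RISKY_EXTENSIONS


def risky_members(archive_bytes: bytes, prefix: str = "", max_depth: int = 3) -> list[str]:
    """Return the paths of risky members in a ZIP, recursing into nested ZIPs.

    Nested archives put one more click between a scanner and the payload;
    recursion depth is capped so a crafted archive cannot make this loop forever.
    Nested hits are reported as 'outer.zip::inner/path'.
    """
    findings: list[str] = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            if is_risky_name(info.filename):
                findings.append(path)
            elif max_depth > 0 and info.filename.lower().endswith(".zip"):
                inner = zf.read(info)
                if zipfile.is_zipfile(io.BytesIO(inner)):
                    findings.extend(risky_members(inner, path + "::", max_depth - 1))
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample, not a real attachment from the campaign.

    Mimics a lure archive: a benign decoy document, a double-extension
    shortcut, a batch dropper, and a nested archive hiding a .com file.
    The member contents are placeholders, not real binaries or scripts.
    """
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("setup/loader.COM", b"MZ-placeholder")  # placeholder, not a real executable
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Trading_Signals_2024.pdf", b"%PDF-1.4 benign decoy")
        z.writestr("Trading_Signals_2024.pdf.lnk", b"L\x00\x00\x00")  # shortcut-like header bytes
        z.writestr("update.cmd", b"@echo off\r\n")
        z.writestr("extras.zip", inner.getvalue())
        z.writestr("readme.txt", b"open the report")
    return outer.getvalue()


if __name__ == "__main__":
    for hit in risky_members(build_sample_archive()):
        print("RISKY:", hit)
```

Run against the constructed sample, the decoy PDF and readme pass while the shortcut, the batch file and the nested `.COM` are reported. In practice this check belongs at the point where an attachment is saved or forwarded, and a hit should quarantine the whole archive rather than just the flagged member, since the decoy document is part of the lure.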

“Rather than using traditional phishing methods, threat actors relied on Telegram channels to deliver the malware. In earlier campaigns, we observed this operation using other messaging platforms, such as Skype, as an initial infection vector.

This approach may make potential victims more likely to trust the sender and open the malicious file compared to a phishing website. Additionally, downloading files through messaging apps may trigger fewer security warnings than standard internet downloads, which works in favour of the threat actors,” said Maher Yamout, Lead Security Researcher from GReAT.

“While we typically advise vigilance against suspicious emails and links, this campaign highlights the need for caution even with instant messaging apps like Skype and Telegram.”

In addition to using Telegram for malware delivery, the attackers improved their operational security and post-compromise cleanup. After installation, the malware removed the files used to deploy the DarkMe implant.

To further hinder analysis and evade detection, perpetrators increased the implant’s file size and deleted other traces, such as post-exploitation files, tools, and registry keys, after achieving their goal.

DeathStalker, previously known as Deceptikons, is a threat actor group active since at least 2018, and possibly since 2012. Believed to be a cyber-mercenary or hacker-for-hire group, DeathStalker seems to consist of skilled members who develop in-house toolsets and understand the APT ecosystem.

The group’s primary aim is gathering business, financial, and private personal information, possibly for competitive or business intelligence purposes, serving a clientele that includes small and medium-sized businesses, financial firms, fintech companies, law firms, and, occasionally, governmental entities.

Notably, despite its focus on high-value targets, DeathStalker has never been observed stealing funds, leading Kaspersky to conclude it operates as a private intelligence outfit.

The group also has a unique tendency to evade attribution by mimicking other APT actors and incorporating false flags.

For personal security, Kaspersky advises the following measures:

– Install a trusted security solution and follow its recommendations. Most security solutions will address the majority of problems automatically and alert you if necessary.
– Stay informed about new cyberattack techniques, as this knowledge can help you recognise and avoid them. Security blogs provide valuable insights on emerging threats.

To protect against advanced threats, Kaspersky security experts recommend that organisations:

  • Provide InfoSec professionals with comprehensive visibility into cyberthreats targeting your organisation. The latest Kaspersky Threat Intelligence can supply rich, meaningful context across the entire incident management cycle, helping identify cyber risks promptly.
  • Invest in additional cybersecurity training for staff. Practically oriented Kaspersky Expert training can enhance InfoSec professionals’ skills, equipping them to defend against sophisticated attacks. Organisations can choose between self-guided online courses or trainer-led live courses, as best suits their needs.
  • Use solutions from Kaspersky’s Next product line to protect against a range of threats, providing real-time protection, threat visibility, investigation, and response capabilities through EDR and XDR solutions suitable for any size and industry. These solutions are scalable to meet changing cybersecurity needs.
