Kaspersky: attack on legal, financial and travel agencies with new malware


Kaspersky experts have identified a new version of the Janicab malware, which the advanced persistent threat (APT) group DeathStalker uses to infiltrate specific organizations across multiple sectors.

The new version has been detected in Europe and the Middle East, and it uses legitimate web services such as YouTube as part of its infection chain.

For example, a Janicab infection can expose an organization to logistical and legal challenges, give targeted competitors an advantage, and trigger unannounced audits that may reveal bias and abuse of intellectual property. This kind of harm differs from the damage caused by traditional attacks such as ransomware.

Janicab is a modular malware written in an interpreted language, which means the attackers can easily add functionality or add and remove files.

Kaspersky's telemetry shows that the latest Janicab version has changed significantly in its structure: the archived version contains many files written in Python, which were later used in other intrusions. The initial access vector is still phishing. Once the victim is tricked into opening the malicious file, a series of malicious files is downloaded to the system one by one.

One of DeathStalker's defining features is its use of dead drop resolvers (DDR): public web services that host encrypted command-and-control details, which the malicious implants then decrypt.

According to the new report, Kaspersky also identified the use of older YouTube links found during the 2021 intrusions. Because unlisted links are hard to find, the group could operate covertly and repeatedly reuse the same links to its command and control infrastructure.

Companies within DeathStalker's traditional targeting primarily include legal, financial, and investment firms, but Kaspersky has also recorded activity against travel agencies. Europe and the Middle East are the group's preferred regions, although activity levels vary between countries within them.

Dr. Amin Hasbini, Head of the Middle East, Turkey and Africa Research Center in Kaspersky's Global Research and Analysis Team, said it is safe to assume that the DeathStalker gang's main purpose is to steal confidential information about VIPs and dignitaries, disputes over financial assets, and business information on mergers and acquisitions that affects competitiveness, as legal and financial institutions are "the common target of this gang".

"Organizations operating in these regions must prepare for such breaches and update their threat models to ensure data security," Hasbini added.

As the group continues to use malware based on interpreted languages such as Python, VBE, and VBS in its recent intrusions, organizations at risk should rely on application whitelisting and system hardening as effective methods to prevent these attempts. Security teams should also watch for Internet Explorer processes running without a user interface, as Janicab runs the browser in hidden mode to communicate with the command and control infrastructure.
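One way to operationalise that last check, as an added PowerShell example that is not part of Kaspersky's report: it lists iexplore.exe processes that own no top-level window and shows their parent process and command line. The window-handle test, the exclusion of IE's own tab processes and the list of script-host names are assumptions of this example.

```powershell
# Added example (not from the Kaspersky report): find Internet Explorer
# processes with no visible window, the behaviour the article says to watch for.
# Assumption: a headless IE is one whose MainWindowHandle is 0 (no top-level window).
# Assumption: interpreters the article names, used here to rank findings.
$scriptHosts = @('wscript.exe', 'cscript.exe', 'python.exe', 'pythonw.exe')

function Find-HeadlessIE {
    $procs = Get-CimInstance Win32_Process -Filter "Name = 'iexplore.exe'"
    foreach ($p in $procs) {
        $proc = Get-Process -Id $p.ProcessId -ErrorAction SilentlyContinue
        if ($null -eq $proc) { continue }                      # exited meanwhile

        # An interactive IE session owns at least one top-level window.
        if ($proc.MainWindowHandle.ToInt64() -ne 0) { continue }

        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
        $parentName = if ($null -ne $parent) { $parent.Name.ToLower() } else { '<gone>' }

        # IE's tab (content) processes are windowless children of the frame
        # process; a parent that is itself iexplore.exe is normal, not a finding.
        if ($parentName -eq 'iexplore.exe') { continue }

        [PSCustomObject]@{
            Pid         = $p.ProcessId
            ParentPid   = $p.ParentProcessId
            ParentName  = $parentName
            StartTime   = $proc.StartTime
            CommandLine = $p.CommandLine
            # A script interpreter spawning a windowless browser is the pattern
            # worth escalating first; everything else still deserves a look.
            Suspicious  = ($scriptHosts -contains $parentName)
        }
    }
}

Find-HeadlessIE | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Run it from an elevated prompt so that processes of other users are visible; the output is a starting point for triage, not a verdict, since some automation legitimately drives IE without a window.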



