Kasperski researchers have published a detailed report that sheds light on activity of a new threat actor known as DeathStalker, which has been targeting small and midsize businesses all over the world since at least 2012.

The researchers say the group does not appear to be motivated by financial gain, as they don't deploy ransomware or steal payment data, or engage in any type of activity common for cybercriminals. Instead, DeathStalker is focused on sensitive business data, which could mean the threat actor offers hacker-for-hire services, or serves as a sort of "information broker," in financial circles.

Kasperski has been tracking the group since 2018. DeathStalker caught the firm’s attention with a PowerShell-based implant called Powersing, which allows the hackers to gain a foothold on the victim’s system in order to launch additional tools.

The initial stage of attack involves the attackers sending spear phishing email to an employee of a target organization. Once the network is compromised, the hackers send a malicious LNK file disguised as an innocuous document in PDF, DOC, or DOCX format. In reality, this LNK file is a shortcut that launches the system’s command line interpreter, cmd.exe, and uses it to execute a malicious script.

The researchers noted that the malicious script does not contain the attackers’ command and control server’s address, instead, it accesses a post published on a public platform containing seemingly meaningless information, which, in fact is encrypted data designed to trigger the next stage of the attack.

The next step involves the attackers seizing control of the computer and placing a malicious shortcut in the autorun folder. They then establish a connection with the real C&C server. During the attack the malware uses various techniques to bypass implemented security measures. In case it identifies an antivirus solution on the target computer, the malware can change tactics or even disable itself.

Apart the Powersing malware, the Kasperski researchers were able to link DeathStalker’s activity to two more malware families, Evilnum and Janicab. Analysis of code similarities and victimology between the three malware families enabled researchers to link them to each other with medium confidence.

“A description of the group’s methods and tools provides a good illustration of what threats even a relatively small company can face in the modern world. Of course, the group is hardly an APT actor, and it does not use any particularly complicated tricks. However, its tools are tailored to bypass many security solutions,” the researchers said.