DeathStalker's New Janicab Variant – 11 December 2022

DeathStalker is targeting financial and legal entities in the Middle East with a new variant of its Janicab malware. Janicab was first introduced as malware that runs on both macOS and Windows.

DeathStalker has leveraged several malware strains and delivery chains over the years, from the Python and Visual Basic-based Janicab to the PowerShell-based Powersing and the JavaScript-based Evilnum.

The actor has consistently used “dead-drop resolvers” (DDRs): obfuscated content hosted on major public web services such as YouTube, Google+, WordPress, Twitter, and Reddit. Once decoded by the malware, this content reveals a command-and-control (C2) server address.

Initial foothold:

• The delivery mechanism uses spear-phishing.

• The initial infection method uses an LNK-based dropper inside a ZIP archive.

The execution flow:

• Once a victim opens the malicious LNK file, chained malware files are dropped.

• The LNK file has an embedded “Command Line Arguments” field that aims to extract and execute an encoded VBScript loader that drops and executes another embedded and encoded VBScript. Then the encoded VBScript will extract a CAB archive containing additional resources and Python libraries.

• The final stage will deploy a new LNK file in the Startup directory to initiate persistence and communicate with the DDR web services to gather the actual C2 IP address.
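The execution flow above maps onto three observable stages on the endpoint: a script host launched from Explorer by the LNK, a script run from a user-writable directory, and a new LNK written to the Startup folder. The toy detection logic below is an added example for illustration, not code from the advisory or from EG-FinCIRT; it assumes VBScript runs under wscript.exe/cscript.exe, and the event schema and file paths are constructed samples.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

@dataclass
class Event:
    """One endpoint telemetry record (constructed sample shape, not a real EDR schema)."""
    parent: str            # parent process image path
    image: str             # process image path
    cmdline: str           # full command line
    file_written: str = "" # path of a file the process created, if the sensor reports one

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")  # assumption: VBScript runs under these hosts
USER_WRITABLE = re.compile(r"\\(appdata|programdata|temp|public)\\", re.I)
STARTUP_LNK = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.lnk$", re.I)
VBSCRIPT_FILE = re.compile(r"\.vb[es]\b", re.I)  # .vbs or encoded .vbe

def base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def matched_rules(ev: Event) -> list[str]:
    """Return the names of the chain stages this single event resembles."""
    hits = []
    # Stage 1: the LNK's "Command Line Arguments" field starts a script host from Explorer.
    if base(ev.parent) == "explorer.exe" and base(ev.image) in SCRIPT_HOSTS:
        hits.append("lnk_launches_script_host")
    # Stage 2: a script host runs a .vbs/.vbe dropped into a user-writable directory.
    if (base(ev.image) in SCRIPT_HOSTS and VBSCRIPT_FILE.search(ev.cmdline)
            and USER_WRITABLE.search(ev.cmdline)):
        hits.append("script_from_user_writable_dir")
    # Stage 3: a script host writes a .lnk into the Startup folder (persistence).
    if base(ev.image) in SCRIPT_HOSTS and STARTUP_LNK.search(ev.file_written):
        hits.append("startup_lnk_persistence")
    return hits

def triage(events: list[Event]) -> list[str]:
    """Distinct stages seen across a host's events; two or more deserve an analyst's look."""
    seen: set[str] = set()
    for ev in events:
        seen.update(matched_rules(ev))
    return sorted(seen)

SAMPLE_EVENTS = [  # constructed, illustrative paths only
    Event(r"C:\Windows\explorer.exe", r"C:\Windows\System32\wscript.exe",
          r'wscript.exe //e:vbscript "C:\Users\alice\AppData\Local\Temp\loader.vbe"'),
    Event(r"C:\Windows\System32\wscript.exe", r"C:\Windows\System32\wscript.exe",
          r'wscript.exe "C:\Users\alice\AppData\Local\Temp\stage2.vbe"',
          file_written=r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"),
    Event(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", r"notepad.exe notes.txt"),
]
```

Each rule alone is noisy on a busy fleet; the value is in correlating the stages per host, which `triage` does.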

Janicab malware evolution:

• Additional functions were added throughout the malware development cycle to evade security controls.

• Janicab VBS implants had several files embedded in byte arrays, usually registry, VBE, PE EXE, or DLL files.

Infrastructure:

• DeathStalker uses DDRs on public web services to host an encoded string that is later deciphered by the malware implant.

• YouTube is being used as the dead-drop resolver (DDR) even though the malware settings also contain links to other web services, such as Google+; hosting the resolver on such services lets the threat actor reuse its C2 infrastructure.

• The content behind the YouTube links is a decimal number that the malware converts into the backend C2 IP address.

• The threat actor hosted an ICMP shell tool named icmpxa.exe, based on an old GitHub project, and executed it on victim machines.

• The malware uses VBS functions to connect to the C2 server over HTTP GET/POST requests to specific PHP pages.

Indicators of Compromise

Indicators of compromise will be shared with EG-FinCIRT’s constituents.

Mitigations

• Enable machine learning, active adversary mitigations, and behavioral detection in endpoint security.

• Develop and implement a patching policy and baseline configuration standards for the operating system.

• Conduct cybersecurity awareness training for end users.

• Search for existing signs of the indicated IoCs in your environment.

• Block all URL and IP-based IoCs at the organization’s security devices.

• Ensure anti-virus software and associated files are up to date.
