
DeathStalker targeting British legal, financial and travel entities with new Janicab variant, Kaspersky intelligence found

by uma


LONDON, 7th December 2022 – Kaspersky experts have identified new functionality in the Janicab malware, which the mercenary APT group DeathStalker uses to infiltrate specific organisations across a number of industries.

The new variant has been spotted across Europe and the Middle East, including the United Kingdom, and leverages legitimate external web services such as YouTube as part of its infection chain.

Unlike the more familiar consequences of cyberattacks, such as digital blackmail or ransomware, a Janicab infection can lead to targeted logistical and legal problems: an advantage handed to rivals, sudden audits conducted with prejudice, and misuse of intellectual property, to name a few.

Janicab can be considered a modular malware written in interpreted languages, which means the threat actor can add or remove functions or embedded files with very little effort. Based on Kaspersky telemetry, the delivery mechanism remains spear-phishing, but newer Janicab variants have changed significantly in structure: the delivered archives contain several Python files and other artifacts that are used later in the intrusion lifecycle. Once a victim is tricked into opening the malicious file, a chain of further malware files is dropped.

One of the distinctive features of DeathStalker is its use of dead drop resolvers (DDRs): legitimate web services that host an encoded string, which the malware implant later fetches and deciphers to locate its command-and-control (C2) server. According to Kaspersky's new report, recent intrusions reused old YouTube links that were already present in 2021 intrusions. Because unlisted links are unintuitive and hard to find, the threat actor is able to operate undetected and reuse its C2 infrastructure.
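The following is an added example of the dead-drop-resolver pattern described above; it is not code from Kaspersky's report or from Janicab itself. The page says only that the implant fetches a page on a legitimate service (an unlisted YouTube link) and deciphers an encoded string found there, so the `[[ddr:...]]` marker, the base64-of-`host:port` encoding, the fallback across several dead drops and every URL and page body below are assumptions constructed for this example.

```python
"""Dead-drop-resolver (DDR) lookup in the style described for DeathStalker/Janicab.

Added example, not Kaspersky's or Janicab's code. The marker format, the
encoding (base64 of "host:port") and all URLs/pages are assumptions.
"""
import base64
import binascii
import re

# Hypothetical marker an operator would plant in text they control on the
# hosting service (a video description or a comment).
DDR_MARKER = re.compile(r"\[\[ddr:([A-Za-z0-9+/=]+)\]\]")
# A decoded payload must look like host:port before it is trusted.
HOST_PORT = re.compile(r"^(?P<host>[A-Za-z0-9.-]{1,253}):(?P<port>\d{1,5})$")

# Constructed sample pages keyed by URL (placeholders, not real dead drops).
SAMPLE_PAGES = {
    "https://www.youtube.com/watch?v=UNLISTED_ONE": (
        "<html><body><h1>Holiday footage</h1>"
        '<div class="description">family trip 2021 [[ddr:QUJ]]</div>'  # bad base64 padding
        '<div class="comment">[[ddr:QUJD]]</div>'  # decodes to "ABC", not host:port
        "</body></html>"
    ),
    "https://www.youtube.com/watch?v=UNLISTED_TWO": (
        '<html><body><div class="comment">nice video</div>'
        '<div class="comment">[[ddr:MTkyLjAuMi4xMDo0NDM=]]</div>'  # base64("192.0.2.10:443")
        "</body></html>"
    ),
    "https://example.invalid/no-marker": "<html><body>nothing here</body></html>",
}

# Order in which the implant tries its dead drops. The first one is gone,
# which is the situation that makes operators keep old links alive.
DEAD_DROPS = [
    "https://example.invalid/removed",
    "https://www.youtube.com/watch?v=UNLISTED_ONE",
    "https://www.youtube.com/watch?v=UNLISTED_TWO",
]


def extract_tokens(page_text):
    """Return every marker payload found in a page body, in document order."""
    return DDR_MARKER.findall(page_text)


def decode_c2(token):
    """Base64-decode one token and validate it as host:port.

    Returns (host, port), or None for malformed base64 or a payload that is
    not a plausible endpoint, so decoys and corrupted markers are skipped.
    """
    try:
        raw = base64.b64decode(token, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    match = HOST_PORT.match(raw)
    if match is None:
        return None
    port = int(match.group("port"))
    if not 0 < port < 65536:
        return None
    return match.group("host"), port


def resolve_c2(urls, fetch):
    """Walk the dead drops in order; return (url, host, port) for the first
    page that yields a valid token, or None if none does.

    `fetch(url) -> str` is injected so the routine runs offline against
    SAMPLE_PAGES; an analyst can pass a real HTTP client or a sandbox stub.
    """
    for url in urls:
        try:
            page = fetch(url)
        except (OSError, LookupError):  # dead drop removed or unreachable
            continue
        for token in extract_tokens(page):
            endpoint = decode_c2(token)
            if endpoint is not None:
                return (url, *endpoint)
    return None


if __name__ == "__main__":
    print(resolve_c2(DEAD_DROPS, SAMPLE_PAGES.__getitem__))
```

The same extractor is what an analyst runs over a captured page to recover the C2 from a sample's dead drop. The defensive point is that the resolution step is an ordinary HTTPS request to a reputable domain, so destination-based blocking sees nothing unusual; the useful observable is which process on the host made the request, which is why the page's later advice to hunt for hidden Internet Explorer instances matters.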

The affected entities that fall within DeathStalker's traditional sphere are primarily legal firms and financial services institutions (FSI), notably investment management. However, Kaspersky has also recorded threat activity affecting travel agencies. Europe, together with the Middle East, remains DeathStalker's typical area of operation, with varying intensity between countries.

“As legal and financial institutions are a common target for this threat actor, we can safely assume that DeathStalker’s main goals rely on the looting of confidential information regarding legal disputes involving VIPs and large financial assets, competitive business intelligence and insights into mergers and acquisitions”, commented Dr. Amin Hasbini, Head of Research Center, META, Global Research and Analysis Team, Kaspersky. “Organisations operating in these industries should proactively prepare for such intrusions and/or update their threat model to ensure data remains safe”, he added.

Since the threat actor continues to use malware written in interpreted languages such as Python, VBS and VBE (encoded VBScript) across both historical and recent intrusions, affected institutions should rely on application whitelisting (allowlisting) and OS hardening as effective techniques to block such intrusion attempts. Defenders should also look for Internet Explorer processes running without a GUI, since Janicab uses Internet Explorer in hidden mode to communicate with its C2 infrastructure.
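The following is an added example of the hunting check recommended above (Internet Explorer running with no visible window); it is not Kaspersky's detection logic. It evaluates a process snapshot of the kind exported from a Windows host, with field names mirroring what PowerShell's `Get-Process` (`Id`, `ProcessName`, `MainWindowHandle`) and `Win32_Process` (`ParentProcessId`) expose; the `SNAPSHOT` below is constructed for this example. The script-host parent heuristic and the exclusion of IE tab processes are this example's additions: the former rests only on the page's statement that Janicab is written in Python, VBS and VBE, and neither is a claim about how Janicab launches IE.

```python
"""Hunt for the Janicab C2 tell: iexplore.exe running with no visible window.

Added example, not Kaspersky's detection logic. SNAPSHOT is constructed; the
parent-process heuristic and IE tab-process exclusion are this example's own.
"""
from dataclasses import dataclass

# Interpreters for the languages the page names (VBS/VBE run under wscript/cscript).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "python.exe", "pythonw.exe"}


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str
    main_window_handle: int  # 0 means the process owns no top-level window


@dataclass(frozen=True)
class Finding:
    pid: int
    parent_name: str
    severity: str


# Constructed snapshot: a user browsing in IE (frame + tab process), a script
# host that spawned a windowless IE, and a windowless IE launched via DCOM.
SNAPSHOT = [
    Proc(4, 0, "System", 0),
    Proc(500, 4, "services.exe", 0),
    Proc(700, 500, "svchost.exe", 0),
    Proc(1200, 900, "explorer.exe", 0x1A2B),
    Proc(2100, 1200, "iexplore.exe", 0x3C4D),  # frame process, owns the window
    Proc(2150, 2100, "iexplore.exe", 0),       # tab process, legitimately windowless
    Proc(3000, 1200, "wscript.exe", 0),
    Proc(3100, 3000, "iexplore.exe", 0),       # hidden IE under a script host
    Proc(3200, 700, "iexplore.exe", 0),        # hidden IE activated through COM
]


def hidden_ie(snapshot):
    """Flag iexplore.exe instances that own no main window.

    IE's frame process owns the window; its tab (content) processes are also
    iexplore.exe and have none, so an IE whose parent is IE is not reported.
    Every other windowless IE is a finding, ranked "high" when the parent is a
    script interpreter and "medium" otherwise (including a parent that has
    already exited, which is common for a dropper that launches and quits).
    """
    by_pid = {p.pid: p for p in snapshot}
    findings = []
    for p in snapshot:
        if p.name.lower() != "iexplore.exe" or p.main_window_handle != 0:
            continue
        parent = by_pid.get(p.ppid)
        parent_name = parent.name.lower() if parent else "<exited>"
        if parent_name == "iexplore.exe":
            continue  # content process of a visible browser
        severity = "high" if parent_name in SCRIPT_HOSTS else "medium"
        findings.append(Finding(p.pid, parent_name, severity))
    return sorted(findings, key=lambda f: f.pid)


if __name__ == "__main__":
    for f in hidden_ie(SNAPSHOT):
        print(f"pid={f.pid} parent={f.parent_name} severity={f.severity}")
```

One caveat when reading the parent name: a script that drives IE through COM automation (the `InternetExplorer.Application` object) does not spawn iexplore.exe itself; the DCOM launcher does, so the parent shows up as svchost.exe rather than the script host. The missing window is therefore the primary signal and the parent name only helps with triage, which is why the example still reports the svchost.exe case.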
