Researchers for Kaspersky published a new blog post yesterday detailing some background information and possible malware connections to the APT group known as “DeathStalker.” Recent infections by the group began with a malicious .LNK (shortcut) file being sent to victims through spear-phishing emails. The file would be given an icon to disguise itself as some form of document, but it really started a chain of processes before opening a decoy document to trick the victim into believing everything was normal.
The next stage of the infection made use of a PowerShell script that has been labeled “Powersing.” This script connects to a “dead drop resolver,” which are legitimate sites such as Reddit, Twitter or YouTube, where anyone can post content and would draw little suspicion. Posts to these sites are used to store information about the real Command and Control (C2) URL, but they are often obfuscated in some way so they aren’t obvious to the average user. Once it has the URL, a DLL file is downloaded and a shortcut to a script is added to the startup folder to establish persistence on the host.
Finally, the DLL downloaded earlier is used to take control of the infected host. The DLL will beacon to the C2 every few seconds, waiting for commands to execute. These commands will either capture periodic screenshots or execute more PowerShell provided by the C2.
It doesn’t take an APT group to take advantage of a phishing attack. Binary Defense highly recommends organizations provide some form of security awareness and phishing training for employees. Shortcut files (.LNK) are unlikely to be sent legitimately. Regardless of the icon, shortcuts can be identified by the arrow in the bottom left-hand side of the file. Email administrators may want to consider blocking this type of file attachment, as well as inspecting zip archive file attachments and blocking any that contain a shortcut file.