DeathStalker’s VileRAT continues to target foreign and crypto exchanges
The threat actor known as DeathStalker has continued to target and disrupt foreign exchange (forex) and cryptocurrency exchanges around the world through 2022 using VileRAT malware, according to Kaspersky security researchers.
The findings are described in an advisory published on August 10, 2022, which mentions a number of VileRAT-focused campaigns allegedly carried out by DeathStalker, from September 2020 to 2021 and more recently in June 2022.
“Indeed, DeathStalker has continuously exploited and updated its VileRAT toolchain against the same type of targets since we first identified it in June 2020,” the advisory said.
Despite public indicators of compromise, Kaspersky said that the DeathStalker campaign is not only ongoing at the time of writing, but also that the threat actor likely increased its efforts to compromise targets using VileRAT recently.
“Indeed, we have been able to identify several samples of VileRAT-associated malicious files and new infrastructure since March 2022, which may be symptomatic of an increase in compromise attempts.”
Kaspersky explained that in the summer of 2020, DeathStalker’s VileRAT infection consisted of files hosted on Google Drive and shared via spear-phishing emails sent to foreign exchange companies.
For context, the initial DOCX infection document was itself harmless, but it referenced a malicious, macro-enabled DOTM as an “external template”, which Word fetches from the remote location when the document is opened.
Then, in late 2021, the infection technique changed slightly, but still relied on malicious Word documents sent to targets via email. However, the VileRAT campaigns discovered in July 2022 were different.
“We also noticed that the attackers exploited chatbots embedded in targeted companies’ public websites to send malicious DOCX to their targets,” Kaspersky wrote.
After the initial infection, DeathStalker would deliver a hidden JavaScript file to infected machines that would drop and schedule the execution of VileLoader, the VileRAT installer.
Kaspersky defined VileRAT as a Python implant capable of, among other things, arbitrary remote command execution, keylogging and self-updating from a command-and-control server (C2).
“Evading detection has always been a goal of DeathStalker, as long as we have been tracking the threat actor,” the security researchers wrote.
“But the VileRAT campaign took this desire to another level: it is undoubtedly the most intricate, obscure and so far elusive campaign we have ever identified from this actor.”
At the same time, Kaspersky concluded that due to VileRAT’s heavy payload, simple infection vectors and several suspicious communication patterns, an effective endpoint protection solution should be able to detect and block most of its malicious activities.