The threat actor known as DeathStalker has continued to target and disrupt foreign and cryptocurrency exchanges around the world throughout 2022 using the VileRAT malware, according to security researchers from Kaspersky.
The findings are detailed in an advisory published on August 10 2022, which mentions a number of VileRAT-focussed campaigns supposedly perpetrated by DeathStalker, starting in September 2020, through 2021 and more recently in June 2022.
“DeathStalker has indeed continuously leveraged and updated its VileRAT toolchain against the same type of targets since we first identified it in June 2020,” reads the advisory.
Despite the existence of public indicators of compromise, Kaspersky said the DeathStalker campaign is not only ongoing at the time of writing, but also that the threat actor likely increased its efforts to compromise targets using VileRAT recently.
“We have indeed been able to identify more samples of VileRAT-associated malicious files and new infrastructure since March 2022, which may be a symptom of an increase in compromise attempts.”
Kaspersky explained that in the summer of 2020, DeathStalker’s VileRAT initial infection consisted of files hosted on Google Drive and shared via spear-phishing emails sent to foreign exchange companies.
For context, the initial DOCX infection document itself was deemed innocuous, but contained a link to another malicious and macro-enabled DOTM “remote template”.
Then, in late 2021, the infection technique changed slightly but still relied on malicious Word documents sent to targets via email. The VileRAT campaigns spotted in July 2022 were different, however.
“We also noticed that the attackers leveraged chatbots that are embedded in targeted companies’ public websites to send malicious DOCX to their targets,” Kaspersky wrote.
Kaspersky defined VileRAT as a Python implant capable of arbitrary remote command execution, keylogging, and self-updating from a command-and-control (C2) server, among other things.
“Escaping detection has always been a goal for DeathStalker, for as long as we’ve tracked the threat actor,” the security researchers wrote.
“But the VileRAT campaign took this desire to another level: it is undoubtedly the most intricate, obfuscated and tentatively evasive campaign we have ever identified from this actor.”
At the same time, Kaspersky concluded that because of VileRAT’s heavy payload, simple infection vectors, and several suspicious communication patterns, an efficient endpoint protection solution should be able to detect and block most of its malicious activities.