DeathStalker’s VileRAT continues to target foreign and crypto exchanges
The threat actor known as DeathStalker continued to target and disrupt foreign exchange (forex) and cryptocurrency exchanges around the world throughout 2022 using the VileRAT malware, according to Kaspersky security researchers.

The findings are detailed in a report published on August 10, 2022, which describes a series of VileRAT campaigns attributed to DeathStalker, starting in September 2020, continuing through 2021, and most recently observed in June 2022.

“DeathStalker has indeed continuously operated and updated its VileRAT toolchain against the same type of targets since we first identified it in June 2020,” the advisory read.

Despite the existence of public indicators of compromise, Kaspersky said that the DeathStalker campaign was not only ongoing at the time of writing, but that the threat actor had likely intensified its recent efforts to compromise targets with VileRAT.

“We have indeed been able to identify more malicious file samples associated with VileRAT and new infrastructure since March 2022, which may be a symptom of an increase in compromise attempts.”

Kaspersky explained that in the summer of 2020, DeathStalker’s initial VileRAT infection consisted of files hosted on Google Drive and shared via spear-phishing emails sent to exchange companies.

For context, the original DOCX attachment itself contained no malicious code, but it linked to a malicious, macro-enabled DOTM “remote template” that is loaded when the document is opened.

Then, in late 2021, the infection technique changed slightly but still relied on malicious Word documents sent to targets via email. The VileRAT campaigns spotted in July 2022 were different, however.

“We also noticed that attackers used chatbots embedded in the public websites of targeted companies to send malicious DOCXs to their targets,” Kaspersky wrote.

After the initial infection, DeathStalker delivered an obfuscated JavaScript file to the compromised machine, which dropped VileLoader, the VileRAT installer, and scheduled it to run.

Kaspersky described VileRAT as a Python implant capable of, among other things, executing arbitrary remote commands, logging keystrokes, and updating itself automatically from a command-and-control (C2) server.

“Evading detection has always been a goal for DeathStalker, as long as we tracked the threat actor,” the security researchers wrote.

“But the VileRAT campaign took that desire to another level: it’s arguably the most complex, obfuscated and tentatively evasive campaign we’ve ever identified from this actor.”

At the same time, Kaspersky concluded that, because of VileRAT’s heavy payload, simple infection vectors and multiple suspicious communication patterns, an effective endpoint protection solution should be able to detect and block most of its malicious activity.
