Kaspersky uncovers global Telegram malicious campaign targeting fintech users

Kaspersky Global Research and Analysis team (GReAT) has uncovered a malicious global campaign in which attackers used Telegram to deliver Trojan spyware, potentially targeting individuals and businesses in the fintech and trading industries in multiple countries across Europe, Asia, Latin America, and the Middle East. The malware is designed to steal sensitive data, such as passwords, and take control of users’ devices for espionage purposes.

The campaign is believed to be linked to DeathStalker, an infamous hack-for-hire APT (Advanced Persistent Threat) actor offering specialized hacking and financial intelligence services. In the recent wave of attacks observed by Kaspersky, threat actors attempted to infect victims with DarkMe malware – a remote access Trojan (RAT), designed to steal information and execute remote commands from a server controlled by the perpetrators.

Threat actors behind the campaign appear to have targeted victims in the trading and fintech sectors, as technical indicators suggest the malware was likely distributed via Telegram channels focused on these topics. The campaign was global, as Kaspersky has identified victims in more than 20 countries across Europe, Asia, Latin America, and the Middle East.

The infection chain analysis reveals the attackers were most likely attaching malicious archives to posts in Telegram channels.  The archives themselves, such as RAR or ZIP files, were not malicious, but they contained harmful files with extensions like .LNK, .com, and .cmd. If potential victims launched these files, it leads to the installation of the final-stage malware, DarkMe, in a series of actions.

“Instead of using traditional phishing methods, threat actors relied on Telegram channels to deliver the malware. In earlier campaigns, we also observed this operation using other messaging platforms, such as Skype, as a vector for initial infection. This method may make potential victims more inclined to trust the sender and open the malicious file than in the case with a phishing website. Additionally, downloading files through messaging apps may trigger fewer security warnings compared to standard internet downloads, which is favourable for the threat actors,” explains Maher Yamout, Lead Security Researcher from GReAT. “While we typically advise vigilance against suspicious emails and links, this campaign highlights the need for caution when dealing even with instant messaging apps like Skype and Telegram.”

In addition to using Telegram for malware delivery, the attackers improved their operational security and post-compromise cleanup. After installation, the malware removed the files used to deploy the DarkMe implant. To further hinder analysis and try to evade detection, perpetrators increased the implant’s file size and deleted other footprints, such as post-exploitation files, tools, and registry keys, after achieving their goal.

Deathstalker, previously known as Deceptikons, is a threat actor group active since at least 2018, and potentially since 2012. It is believed to be a cyber-mercenary or hacker-for hire group where the threat actor seems to have competent members who develop in-house toolsets, and understand the advanced persistent threat ecosystem. The group’s primary goal is collecting business, financial and private personal information, possibly for competitive or business intelligence purposes serving their clientele. They typically target small and medium businesses, financial, fintech, law firms, and on a few occasions, governmental entities. Despite going after these types of targets, DeathStalker has never been observed stealing funds, which is why Kaspersky believes it to be a private intelligence outfit.

The group also has an interesting tendency to attempt to avoid attribution of their activities by mimicking other APT actors and incorporating false flags.

For personal security, Kaspersky recommends the following measures:

·         Install a trusted security solution and follow its recommendations. Then secure solutions will solve the majority of problems automatically and alert you if necessary.

·         Staying informed about new cyberattack techniques can help you recognize and avoid them. Security blogs will help you to stay on track with the brand-new threats.

To safeguard against the advanced threats, Kaspersky security experts recommend organizations to:

·         Provide your InfoSec professionals with in-depth visibility into cyberthreats targeting your organization. The latest Kaspersky Threat Intelligence will supply them with rich and meaningful context across the entire incident management cycle and help to identify cyber risks in time.

·         Invest in additional cybersecurity courses for your staff to keep them up to date with the latest knowledge. With practically-oriented Kaspersky Expert training, InfoSec professionals can advance their hard skills and be able to defend their companies against sophisticated attacks. You can choose the most appropriate format and follow either self-guided, online courses or trainer-led live courses.

·         To protect the company against a wide range of threats, use solutions from Kaspersky Next product line that provide real-time protection, threat visibility, investigation and response capabilities of EDR and XDR, for organizations of any size and industry. Depending on your current needs and available resources, you can choose the most relevant product tier and easily migrate to another one if your cybersecurity requirements are changing.