Kaspersky Lab: Attackers Distribute Trojan Through Financial Channels in Telegram

Experts from Kaspersky Lab’s Global Research and Analysis Team (GReAT) have discovered a malicious campaign targeting users and companies in the financial and trading sectors. The attackers are distributing a Trojan through themed Telegram channels that allows remote access to a device for espionage purposes and to steal data. Attacks have been recorded in more than 20 countries.

The company reports that the attackers are attaching archives with malicious files inside (with extensions such as .lnk, .com, and .cmd) to Telegram posts. If the user opens these files, malware will be downloaded to the device — the DarkMe Trojan, which allows remote execution of commands from the attackers’ server and stealing data.

The attackers tried to carefully hide traces of the infection. For example, after installation, the malware deletes the files that were used to deliver the DarkMe implant. They also increased the size of the implant file to complicate attribution and confuse detections. This is done by adding junk code and strings to the file. The attackers also hid other traces: after completing their tasks, they deleted the files, tools, and registry keys used in the post-exploitation phase to make it difficult to detect and investigate the incident.

The campaign appears to be associated with the DeathStalker group (formerly Deceptikons). It has been active since at least 2018, according to some sources – since 2012. The attackers work as “cyber mercenaries”, that is, they provide hacking services, and are engaged in financial intelligence: they collect various commercial, financial and personal information, for example, in favor of competitors. The group mainly attacks small and medium businesses, fintech companies, financial and legal organizations. Judging by the attacks, DeathStalker includes attackers who are capable of developing their own tools and have a good understanding of the cyber threat landscape.

“Instead of traditional phishing methods, the attackers used Telegram channels to distribute malware. Moreover, in earlier campaigns, they infected devices via other communication platforms, such as Skype. A messenger may inspire more trust in potential victims than a phishing site. In addition, downloading files from such applications may seem less dangerous than downloading from the Internet, explains Tatyana Shishkova, leading expert at Kaspersky GReAT. “We usually recommend being careful with various emails and links, but this campaign has shown that it is important to be vigilant when using other resources, including communication applications such as Skype and Telegram.”

Leave a Reply

Your email address will not be published. Required fields are marked *