Hack-for-Hire Group Targets Travel and Financial Entities with New Janicab Malware Variant

Dec 10, 2022Ravie LakshmananHack-for-Hire / Threat Intelligence

Travel agencies have emerged as the target of a hack-for-hire
group dubbed Evilnum as part of a broader campaign
aimed at legal and financial investment institutions in the Middle
East and Europe.

The attacks targeting law firms throughout 2020 and 2021
involved a revamped variant of a malware called Janicab that
leverages a number of public services like YouTube as dead drop resolvers ^[1], Kaspersky said ^[2]
in a technical report published this week.

Janicab infections comprise a diverse set of victims located in
Egypt, Georgia, Saudi Arabia, the UAE, and the U.K. The development
marks the first time legal organizations in Saudi Arabia have been
targeted by this group.

Also tracked as DeathStalker, the threat actor is known to
deploy backdoors ^[3]
like Janicab, Evilnum, Powersing, and PowerPepper to exfiltrate
confidential corporate information.

“Their interest in gathering sensitive business information
leads us to believe that DeathStalker is a group of mercenaries
offering hacking-for-hire services, or acting as some sort of
information broker in financial circles,” the Russian cybersecurity
company noted ^[4]
in August 2020.

According to ESET ^[5], the hacking crew has a
pattern of harvesting internal company presentations, software
licenses, email credentials, and documents containing customer
lists, investments and trading operations.

Earlier this year, Zscaler and Proofpoint uncovered ^[6]
fresh attacks orchestrated by Evilnum that have been directed
against companies in the crypto and fintech verticals since late
2021.

Kaspersky’s analysis of the DeathStalker intrusions has revealed
the use of an LNK-based dropper embedded inside a ZIP archive for
initial access by means of a spear-phishing attack.

The lure attachment purports to be a corporate profile document
related to power hydraulics that, when opened, leads to the
deployment of the VBScript-based Janicab implant, which is capable
of command execution and deploying more tools.

Newer versions of the modular malware have simultaneously
removed audio recording features and added a keylogger module that
shares overlaps with prior Powersing attacks. Other functions
include checking for installed antivirus products and getting a
list of processes indicating malware analysis.

The 2021 attacks are also notable for employing unlisted old
YouTube links that are used to host an encoded string that’s
deciphered by Janicab to extract the command-and-control (C2) IP
address for retrieving follow-on commands and exfiltrating
data.

“Since the threat actor uses unlisted old YouTube links, the
likelihood of finding the relevant links on YouTube is almost
zero,” the researchers said. “This also effectively allows the
threat actor to reuse C2 infrastructure.”

The findings underscore that the threat actor has continued to
update its malware toolset to maintain stealthiness over extended
periods of time.

Besides application allowlisting and operating system hardening,
organizations are recommended to monitor Internet Explorer
processes, since the browser is used in hidden mode to communicate
with the C2 server.

As legal and financial sectors are a common target for the
threat actor, the researchers further theorized that DeathStalker’s
customers and operators could be weaponizing the intrusions to keep
tabs on lawsuits, blackmail high-profile individuals, track
financial assets, and harvest business intelligence about potential
mergers and acquisitions.

Found this article interesting? Follow us on Twitter ^[7]
and LinkedIn ^[8]
to read more exclusive content we post.

References

^{^}
dead
drop resolvers (thehackernews.com)
^{^}
said
(securelist.com)
^{^}
backdoors
(thehackernews.com)
^{^}
noted
(securelist.com)
^{^}
ESET
(thehackernews.com)
^{^}
uncovered
(thehackernews.com)
^{^}
Twitter
 (twitter.com)
^{^}
LinkedIn
(www.linkedin.com)