Skip to main content

DeathStalker targeting British legal, financial and travel entities with new Janicab variant, Kaspersky intelligence found

7 December 2022

Kaspersky experts have identified new functionalities within the Janicab malware, which is being used by a mercenary APT group DeathStalker to infiltrate specific organisations within a number of industries.

The new variant has been spotted across European and Middle Eastern territories including the United Kingdom, and is leveraging legitimate external web services such as YouTube as part of the infection chain. 

Unlike more traditional damage resulting from cyberattacks such as digital blackmail or ransomware, the Janicab infections can lead to targeted logistical and legal challenges, rivals advantage, sudden audits with prejudice and misuse of intellectual property to name a few.

Janicab can be considered a modular, interpreted-language malware, which means that the threat actor is able to add/remove functions or embedded files with very little effort. Based on Kaspersky telemetry – even though the delivery mechanism remains spear-phishing – newer Janicab variants have changed significantly in structure, with the presence of archives containing several Python files and other artifacts used later in the intrusion lifecycle. Once a victim is tricked into opening the malicious file, a series of chained malware files are subsequently dropped. 

One of the distinctive features of DeathStalker is its use of DDRs/web services to host an encoded string that is later deciphered by the malware implant. According to a new report, Kaspersky identified the use of old YouTube links that were present in 2021 intrusions. With unlisted web links being unintuitive and harder to find, the threat actor is able to operate undetected and reuse C2 infrastructure.

The affected entities that fall within the traditional sphere of DeathStalker are primarily legal and financial investment management (FSI) institutions. However, Kaspersky has also recorded threat activity affecting travel agencies. The European region, together with the Middle East, were also seen as a typical workspace for DeathStalker with varying intensity between the countries. 

“As legal and financial institutions are a common target for this threat actor, we can safely assume that DeathStalker’s main goals rely on the looting of confidential information regarding legal disputes involving VIPs and large financial assets, competitive business intelligence and insights into mergers and acquisitions”, commented Dr. Amin Hasbini, Head of Research Center, META, Global Research and Analysis Team, Kaspersky. “Organisations operating in these industries should proactively prepare for such intrusions and/or updating their threat model to ensure data remains safe”, he added. 

Since the threat actor continues to use interpreted-language-based malware such as Python, VBE and VBS across both historical and recent intrusions, affected institutions should rely on application whitelisting and OS hardening as effective techniques to block any intrusion attempts. Defenders should also look for Internet Explorer processes running without GUI since Janicab is using Internet Explorer in hidden mode to communicate with the C2 infrastructure.

DeathStalker targeting British legal, financial and travel entities with new Janicab variant, Kaspersky intelligence found

Kaspersky experts have identified new functionalities within the Janicab malware, which is being used by a mercenary APT group DeathStalker to infiltrate specific organisations within a number of industries.
Kaspersky logo

About Kaspersky

Kaspersky is a global cybersecurity and digital privacy company founded in 1997. With over a billion devices protected to date from emerging cyberthreats and targeted attacks, Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection, specialized security products and services, as well as Cyber Immune solutions to fight sophisticated and evolving digital threats. We help over 200,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.

Related Articles Press Releases