AGL 40.10 Decreased By ▼ -0.90 (-2.2%)
AIRLINK 127.80 Decreased By ▼ -0.34 (-0.27%)
BOP 6.60 Decreased By ▼ -0.10 (-1.49%)
CNERGY 4.60 Increased By ▲ 0.08 (1.77%)
DCL 8.58 Decreased By ▼ -0.03 (-0.35%)
DFML 41.40 Increased By ▲ 0.31 (0.75%)
DGKC 86.50 Decreased By ▼ -0.63 (-0.72%)
FCCL 32.13 Decreased By ▼ -1.26 (-3.77%)
FFBL 65.40 Decreased By ▼ -0.01 (-0.02%)
FFL 10.27 Decreased By ▼ -0.20 (-1.91%)
HUBC 110.60 Decreased By ▼ -0.03 (-0.03%)
HUMNL 14.70 Decreased By ▼ -0.60 (-3.92%)
KEL 5.15 Increased By ▲ 0.17 (3.41%)
KOSM 7.15 Decreased By ▼ -0.28 (-3.77%)
MLCF 41.69 Decreased By ▼ -1.30 (-3.02%)
NBP 60.20 Decreased By ▼ -0.22 (-0.36%)
OGDC 194.48 Decreased By ▼ -3.16 (-1.6%)
PAEL 27.95 Decreased By ▼ -1.06 (-3.65%)
PIBTL 7.98 Decreased By ▼ -0.28 (-3.39%)
PPL 150.52 Decreased By ▼ -3.64 (-2.36%)
PRL 27.08 Increased By ▲ 2.08 (8.32%)
PTC 16.08 Decreased By ▼ -0.01 (-0.06%)
SEARL 78.20 Decreased By ▼ -0.25 (-0.32%)
TELE 7.42 Increased By ▲ 0.05 (0.68%)
TOMCL 35.70 Decreased By ▼ -0.39 (-1.08%)
TPLP 7.90 Decreased By ▼ -0.17 (-2.11%)
TREET 15.87 Decreased By ▼ -0.09 (-0.56%)
TRG 52.70 Decreased By ▼ -0.66 (-1.24%)
UNITY 26.65 Decreased By ▼ -0.06 (-0.22%)
WTL 1.28 Increased By ▲ 0.01 (0.79%)
BR100 9,920 Decreased By -52.1 (-0.52%)
BR30 30,751 Decreased By -346.3 (-1.11%)
KSE100 93,225 Decreased By -423.8 (-0.45%)
KSE30 28,885 Decreased By -132.9 (-0.46%)

ISLAMABAD: Kaspersky Global Research and Analysis team (GReAT) has uncovered a malicious global campaign in which attackers used Telegram to deliver Trojan spyware, potentially targeting individuals and businesses in the fintech and trading industries in different countries including Pakistan.

According to the report of the GReAT released on Friday, the malware is designed to steal sensitive data, such as passwords, and take control of users’ devices for espionage purposes. This phenomenon has also been witnessed in multiple countries across Europe, Asia including Pakistan, Latin America, and the Middle East.

The campaign is believed to be linked to DeathStalker, an infamous hack-for-hire APT (Advanced Persistent Threat) actor offering specialized hacking and financial intelligence services. In the recent wave of attacks observed by Kaspersky, threat actors attempted to infect victims with DarkMe malware – a Remote Access Trojan (RAT), designed to steal information and execute remote commands from a server controlled by the perpetrators.

They typically target small and medium businesses, financial, fintech, law firms, and on a few occasions, governmental entities. Despite going after these types of targets, DeathStalker has never been observed stealing funds, which is why Kaspersky believes it to be a private intelligence outfit.

The infection chain analysis reveals the attackers were most likely attaching malicious archives to posts in Telegram channels. The archives themselves, such as RAR or ZIP files, were not malicious, but they contained harmful files with extensions like .LNK, .com, and .cmd. If potential victims launched these files, it leads to the installation of the final-stage malware, DarkMe, in a series of actions.

In addition to using Telegram for malware delivery, the attackers improved their operational security and post-compromise cleanup. After installation, the malware removed the files used to deploy the DarkMe implant. To further hinder analysis and try to evade detection, perpetrators increased the implant’s file size and deleted other footprints, such as post-exploitation files, tools, and registry keys, after achieving their goal.

Copyright Business Recorder, 2024

Comments

200 characters