New year, new malware capabilities, say analysts who have revealed new functionality in the Janicab malware, which the mercenary APT group DeathStalker is using to infiltrate targeted organizations across several industries.
According to researchers at Kaspersky, the new variant has been spotted in Europe and the Middle East and leverages legitimate external web services, such as YouTube, as part of its infection chain.
Janicab Malware Analysis
Janicab is modular malware written in interpreted languages, meaning the threat actor can add or remove functions or embedded files without recompiling anything.
According to Kaspersky data, although the delivery method remains spear-phishing, newer Janicab variants have undergone significant structural changes, including the presence of archives containing multiple Python files and other artifacts used later in the intrusion cycle.
Once the victim is tricked into opening the malicious file, the first stage drops a chain of further malware files.
“While active, the malware continuously uses a third-party plugin to take screenshots and record audio, then uploads these to the C&C server. It also constantly checks for additional commands to execute from the C&C server,” said a WithSecure threat analysis report.
“The malware is notable for being signed with an Apple Developer ID and for using the right-to-left override (RLO) feature of the bi-directional text encoding system to hide the real extensions of executable files.”
Because Janicab is an espionage tool, the consequences of an infection look different from those of ransomware or digital extortion: the victim can suffer targeted logistical and legal problems, rivals can gain a competitive advantage, the stolen material can surface in unexpected and biased audits, and intellectual property can be misused.
Janicab Malware and DeathStalker
DeathStalker is an advanced persistent threat (APT) group that has been conducting espionage attacks on small and medium-sized firms, mainly in the financial sector, since at least 2012.
In 2022, Kaspersky found that DeathStalker had been deploying new tooling, including the updated Janicab variants.
DeathStalker typically targets financial investment management firms and legal institutions. However, Kaspersky has also recorded attacks on travel agencies.
The European region and the Middle East are both common areas of operation for DeathStalker, with varying levels of intensity between countries.
One distinctive feature of DeathStalker is its use of dead drop resolvers (DDRs), that is, legitimate web services that host an encoded string which the implant later decodes to recover its C2 address. Kaspersky identified old YouTube links used as dead drops in 2021 intrusions.
Because unlisted videos are not indexed or surfaced by the platform, these dead drops are hard for defenders to find, which lets the threat actor keep operating unnoticed and reuse the same C2 infrastructure over time.
To protect against these types of intrusions, affected institutions should implement application whitelisting and OS hardening; these controls do not stop every intrusion attempt, but they block or raise the cost of the interpreted-language payloads and living-off-the-land techniques this campaign relies on.
It is also important to hunt for Internet Explorer processes running without a visible window, as Janicab drives Internet Explorer in hidden mode to communicate with its C2 infrastructure.
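One way to turn the two hunting hints above (hidden Internet Explorer instances, and C2 traffic that goes through legitimate web services) into a check on a Windows endpoint is the script below. It is an added example written for this article, not tooling from Kaspersky, WithSecure or the Janicab authors. It assumes a Windows host with the CIM and NetTCPIP cmdlets available, that an interactively launched Internet Explorer normally owns a visible top-level window, and that a browser instantiated through COM automation (the usual way a script drives IE invisibly) is started by the COM launcher with the generic -Embedding switch; the Find-HiddenIE function name is ours.

```powershell
# Added hunting example for this article; not Kaspersky's or WithSecure's code.
# Assumptions (not taken from the article): Windows host, CIM + NetTCPIP cmdlets,
# interactive IE has a main window, COM-activated IE carries "-Embedding".

function Find-HiddenIE {
    $findings = @()
    $procs = Get-CimInstance Win32_Process -Filter "Name = 'iexplore.exe'"
    foreach ($p in $procs) {
        $gp = Get-Process -Id $p.ProcessId -ErrorAction SilentlyContinue
        if (-not $gp) { continue }   # process exited between the two calls

        # COM activation (e.g. InternetExplorer.Application from a script)
        # starts iexplore.exe with the generic -Embedding switch; a launch
        # from the taskbar or Start menu does not.
        $comLaunched = [bool]($p.CommandLine -match '(?i)-Embedding')

        # A browser whose Visible property was never set to true has no
        # top-level window, so MainWindowHandle stays 0.
        $noWindow = ($gp.MainWindowHandle -eq 0)

        if (-not ($comLaunched -or $noWindow)) { continue }

        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
        $owner  = Invoke-CimMethod -InputObject $p -MethodName GetOwner

        # Established connections show whether the hidden browser is talking
        # to a dead drop (e.g. a video-sharing site) or directly to a C2 host.
        $conns = Get-NetTCPConnection -OwningProcess $p.ProcessId -State Established -ErrorAction SilentlyContinue |
                 ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort)" }

        $findings += [pscustomobject]@{
            PID         = $p.ProcessId
            User        = "$($owner.Domain)\$($owner.User)"
            Parent      = if ($parent) { $parent.Name } else { '<exited>' }
            ComLaunched = $comLaunched
            NoWindow    = $noWindow
            CommandLine = $p.CommandLine
            Remote      = ($conns -join ', ')
        }
    }
    return $findings
}

Find-HiddenIE | Format-Table -AutoSize
```

The NoWindow flag alone is noisy: a normal IE session has one frame process that owns the window plus tab processes (started with SCODEF:/CREDAT: arguments) that report no main window, so treat a hit as interesting mainly when it is also COM-launched, has no browser frame as a sibling, or holds connections to a web service that the logged-on user is not visibly using. Because COM activation goes through the DCOM launcher, the parent is typically svchost.exe rather than the script interpreter that created the object, so correlate with recent wscript.exe, cscript.exe or python.exe activity for the same user rather than relying on the parent alone.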