Telegram Becomes Weapon: Hackers Target Fintech with DarkMe Spyware
In a chilling new campaign uncovered by Kaspersky’s Global Research and Analysis Team (GReAT), hackers are leveraging the popular messaging app Telegram to distribute DarkMe, a sophisticated remote access Trojan (RAT) designed to steal sensitive data and grant the attackers control of victims’ devices.
A Global Campaign, Specific Targets
The campaign, believed to be orchestrated by the notorious hack-for-hire APT actor DeathStalker, has impacted individuals and businesses across 20 countries, spanning Europe, Asia, Latin America, and the Middle East. Technical indicators point to DeathStalker’s concentration on the trading and fintech sectors, suggesting a targeted approach to compromising these crucial industries.
The Telegram Trojan Horse
Instead of relying on traditional phishing methods, the attackers are employing a more insidious tactic. They are embedding malicious archives, disguised as seemingly harmless RAR or ZIP files, within posts on Telegram channels frequented by individuals interested in trading and fintech. When unsuspecting victims download and open these files, they unwittingly trigger the installation of the DarkMe malware.
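The article does not describe what the DarkMe archives contain, so the following is an added defender-side example (not Kaspersky's code or a DarkMe signature): it triages a ZIP archive of the kind circulated in a chat channel and flags the cheap warning signs a practitioner checks first, namely executable entry names, double extensions such as `.pdf.exe`, a Windows PE header hiding under a non-executable name, and path-traversal entries. The sample archive is constructed inline for the demonstration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions that execute when double-clicked on Windows; a "report" archive
# shared in a trading channel has no business containing them.
EXECUTABLE_EXTS = {".exe", ".scr", ".dll", ".lnk", ".js", ".vbs",
                   ".bat", ".cmd", ".ps1", ".msi", ".hta"}
PE_MAGIC = b"MZ"  # first two bytes of every Windows PE file


def triage_zip(data: bytes) -> list[str]:
    """Return human-readable findings for one ZIP archive given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = PurePosixPath(info.filename)
            suffixes = [s.lower() for s in path.suffixes]
            is_exec_name = bool(suffixes) and suffixes[-1] in EXECUTABLE_EXTS
            if is_exec_name:
                findings.append(f"{info.filename}: executable extension {suffixes[-1]}")
            if is_exec_name and len(suffixes) >= 2:
                findings.append(f"{info.filename}: double extension, poses as {suffixes[-2]}")
            # Read only the first two bytes: a padded implant may be large.
            with zf.open(info) as fh:
                head = fh.read(2)
            if head == PE_MAGIC and not is_exec_name:
                findings.append(f"{info.filename}: PE header under non-executable name")
            if ".." in path.parts or path.is_absolute():
                findings.append(f"{info.filename}: path traversal entry")
    return findings


def build_sample_archive(with_lures: bool = True) -> bytes:
    """Construct a sample archive (made up for this example): one decoy PDF,
    plus two lure entries when with_lures is True."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Q3_trading_report.pdf", b"%PDF-1.4 decoy document")
        if with_lures:
            zf.writestr("Q3_trading_report.pdf.exe", PE_MAGIC + b"\x00" * 64)
            zf.writestr("chart.png", PE_MAGIC + b"\x00" * 64)  # PE behind an image name
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_zip(build_sample_archive()):
        print("WARN", finding)
```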
Stealthy Operation and Evasive Tactics
Adding to the complexity, DeathStalker has significantly enhanced its operational security. After installing DarkMe, the malware diligently deletes the files used for deployment, hindering forensic analysis. Furthermore, the group enlarged the implant’s file size and carefully eradicated other traces, such as post-exploitation files, tools, and registry keys, leaving minimal evidence of its presence.
The Data Thieves: Not After Stolen Funds
Despite their sophisticated techniques and targeting of lucrative sectors, DeathStalker maintains a distinct profile. Kaspersky believes this group is primarily focused on gathering business, financial, and personal information, likely for purposes of competitive intelligence or business advantage. Interestingly, despite their access, DeathStalker has not been observed engaging in direct fund theft.
“Instead of using traditional phishing methods, threat actors relied on Telegram channels to deliver the malware. In earlier campaigns, we also observed this operation using other messaging platforms, such as Skype, as a vector for initial infection. This method may make potential victims more inclined to trust the sender and open the malicious file than in the case with a phishing website. Additionally, downloading files through messaging apps may trigger fewer security warnings compared to standard internet downloads, which is favourable for the threat actors,” explains Maher Yamout, Lead Security Researcher from GReAT.
“While we typically advise vigilance against suspicious emails and links, this campaign highlights the need for caution when dealing even with instant messaging apps like Skype and Telegram.”
Adding to their cunning, DeathStalker has also been known to mimic other APT actors, incorporating false flags to obscure their true identity.
Protecting Yourself from Telegram Threats
This sophisticated campaign underscores the growing importance of vigilance in the digital realm. It serves as a stark reminder that no platform, even seemingly innocuous messaging apps, is immune to malicious exploitation.
**Stay informed and take proactive steps to protect yourself against Telegram threats:**
- Be wary of suspicious links and attachments, regardless of their origin or sender.
- Double-check the credibility of Telegram channels before engaging with their content.
- Keep your security software up to date and utilize robust anti-malware protection.
- Avoid downloading files unless you are certain of their source and legitimacy.