Kaspersky Finds Hazardous Campaign On Telegram Targeting Fintech Industry

JAKARTA - Kaspersky's Global Research and Analysis Team (GReAT) has uncovered a global malicious campaign that uses the Telegram messaging platform to deliver Trojan spyware.

In its analysis, Kaspersky links the campaign to DeathStalker, a well-known hack-for-hire APT (Advanced Persistent Threat) actor that offers specialised financial hacking and intelligence services.

Using the DarkMe malware, a remote access Trojan (RAT), the cybercriminals aim to steal sensitive data, such as passwords, and take over victims' devices for espionage purposes.

The global cybersecurity company also found that the threat actor behind the campaign has been targeting individuals and businesses in the fintech and trading industries.

"The campaign is global, as Kaspersky has identified more than 20 victims across Europe, Asia, Latin America, and the Middle East," said Maher Yamout, Lead Security Researcher at Kaspersky's GReAT, in a written statement quoted on Sunday, November 3.

An analysis of the infection chain shows that the attackers most likely attach malicious archives (RAR or ZIP files) to posts in Telegram channels. If a potential victim launches the files inside, DarkMe malware is installed.

This method makes potential victims more likely to trust the sender and open malicious files than they would be with phishing websites, Maher added.

In addition, he continued, downloading files through messaging apps can trigger fewer security alerts than standard internet downloads, which benefits threat actors.

For context, DeathStalker, formerly known as Deceptikons, has been an active threat actor group since at least 2018, and possibly since 2012.

The group is believed to be a crew of cyber mercenaries, or hackers for hire. Its main goal is to gather business, financial and personal information, possibly to provide business or competitive intelligence to its clients.