Kaspersky Lifts the Cloak of the “Deceptikons” Hacker-for-Hire Group

By Bill Toulas / July 30, 2020

Kaspersky has released its APT trends report for Q2 2020, and one of the most interesting findings in it is a new, massive hacker-for-hire group called “Deceptikons.” In terms of size, this is the second-largest group of mercenary hackers discovered this year, behind only the “Dark Basin” group that was hiding behind the Indian IT firm “BellTroX InfoTech Services.”

Deceptikons is an APT that relies more on a massive number of attacks than on sophisticated zero-day exploits to break into target systems.

Although its targeting is broad, its victims are mainly entities in the commercial sector, as well as various non-governmental organizations. Law firms based in Europe seem to be the niche of Deceptikons, as Kaspersky has noted numerous cases where the group deployed PowerShell scripts against them. By deploying these backdoors, the hackers managed to steal sensitive information from their targets, including negotiation details, clientele information, evidence that can be used in legal cases, and financial information.

As we reported earlier today, the use of “LNK” shortcut files to execute scripts was prominent this year, and it was central to Deceptikons' operations too. Kaspersky promised to prepare a detailed report on the activity of Deceptikons soon, so we will revisit this matter.

Other remarkable discoveries laid out in the Kaspersky report include a new malware framework called “MagicScroll,” a decryptor and loader for arbitrary payloads that loads them in kernel mode. The malware exploits the “CVE-2008-3431” vulnerability (among others) and operates in three successive stages.

Another notable finding was a trojanized version of the Aarogya Setu app, the official COVID-19 tracker in India. The attribution for this has been given to the “Transparent Tribe” actor, which is a persistent and troublesome Pakistani group of hackers.

Finally, Kaspersky mentions the “ARCHER” supercomputer hacking event and links it to similar incidents at the Swiss National Supercomputing Center. The fact that both of the above organizations were actively participating in COVID-19 vaccine research was a telltale sign for the media, and Kaspersky’s investigation now seems to confirm it.

They have traced the attacks and confirmed the deployment of the “WellMess” malware. This is a high-profile exploit tool that was found in attacks against large telcos, government, and contractors in the Middle East, Europe, and North Africa.