Deathstalker has deployed a new Janicab variant targeting legal entities in the Middle East and Europe, leveraging YouTube-based dead-drop resolvers (DDRs) and a multi-stage VBScript loader to deliver Janicab. The operation shows expanded targets (including travel agencies), a modular VBScript/Python toolset, and diverse C2 methods (HTTP-based with PHP backends and ICMP) to maintain stealth and persistence. #Deathstalker #Janicab
Key points
- The Janicab variant is used against legal entities in the Middle East (2020, possibly 2021) and expanded to travel agencies, with activity traced back to early 2015 targeting legal, financial, and travel sectors in the Middle East and Europe.
- The Windows infection chain relies on a multi-stage LNK dropper inside a ZIP archive, followed by encoded VBScript loaders and a CAB containing Python tools, culminating in a VBScript-based Janicab implant and Startup-folder persistence.
- DDR infrastructure continues to use YouTube, Google+, and WordPress to resolve C2 IPs, including unlisted 2015 YouTube links reused for infrastructure reliability.
- Janicab is modular and VBScript-based, embedding resources in CABs and evolving across versions to add/remove functions (e.g., keylogger, screen capture, Python/DLL tools).
- Targets remain predominantly legal and financial institutions in the Middle East and Europe, with Saudi Arabia noted as a new legal-entity target.
- Threat infrastructure includes multiple C2 IPs hosted in Bulgaria and PHP-backed web pages, with HTTP GET/POST used for command and control and ICMP-based C2 observed in PowerPepper-related overlaps.
- Detection opportunities include the implant's anti-VM and defense-evasion checks, process enumeration, and browser-cookie deletion, which show an emphasis on persistence, anti-analysis, and anti-forensics.
MITRE Techniques
- [T1566.001] Spearphishing Attachment – Initial access via a LNK dropper in a ZIP delivered by spear-phishing; “Based on our telemetry, the delivery mechanism remains spear-phishing.”
- [T1027] Obfuscated/Compressed Files and Information – Resources are embedded and obfuscated inside the dropper and the CAB archives.
- [T1059.005] VBScript – Final stage delivered as a VBScript-based implant (Janicab) and encoded VBScript loaders (1.VBE/2.VBE).
- [T1547.001] Boot or Logon Autostart Execution – Persistence by deploying a new LNK in the Startup directory.
- [T1105] Ingress Tool Transfer – Downloading additional tools from C2 to support intrusion lifecycle (Python, DLLs, etc.).
- [T1071.001] Web Protocols – C2 communication over HTTP GET/POST to PHP pages; backend PHP server used for C2 control.
- [T1095] Non-Application Layer Protocol – ICMP-based C2 channel (ICMP shell) observed as an alternative C2 path.
- [T1056.001] Keylogging – DLL-based keylogger (Stormwind) embedded in Janicab, capturing keystrokes and related data.
- [T1113] Screen Capture – Inclusion of screen capture utilities as part of modular toolset.
- [T1497] Virtualization/Sandbox Evasion – Anti-VM/defense evasion techniques noted in analysis.
- [T1057] Process Discovery – checkRunningProcess() detects processes to identify malware analysis or debugging environments.
Indicators of Compromise
- [IP] C2 infrastructure – 176.223.165.196, 87.120.254.100, 87.120.37.68 (observed in Janicab variants; Bulgarian ASN).
- [Hash] MD5 – 3f1e0540793d9b9dbd26d6fadceacb71; [Hash] SHA1 – aacd0752289f3b0c6be3fadba368a9a71e46a228; [Hash] SHA256 – 33f9780a2f0838e43457a8190616bec9e5489e1a112501e950fc40e0a3b2782e.
- [File name] LNK dropper and related components – Corporate Profile Hydraulica.lnk, K.dll, PythonProxy.py, Ftp.py, Runner.py, Junction.exe, Plink.exe.
- [URL] DDR/YouTube patterns – hxxps://youtu.be/AApRxqOjLs4, hxxps://youtu.be/Tn7L5RyRAlM, hxxps://youtu.be/aZRJQdwN4-g (YouTube DDRs).
- [URL] C2 endpoints – hxxp:///d/icmpxa.exe, hxxp:///d/unrar.exe, hxxp:///d/procdump.exe, hxxp:///d/Rar.exe, and IP-based API paths.
- [Domain/URL] DDR resolution links – YouTube DDRs used to resolve backend IP addresses; YouTube shortened domains observed as DDRs.
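As an added defender-side example (not code from the Securelist report), the following Python matches the indicators listed above against proxy log lines and flags the three observable stages: the YouTube DDR lookup, a listed tool pulled from a bare IP under /d/, and traffic to a known C2 IP; a client that trips more than one stage is surfaced separately. The log layout, the sample log and the 203.0.113.7 host are assumptions constructed for the example.

```python
import re
from typing import List, Tuple
from urllib.parse import parse_qs, urlparse
# Indicators quoted from the summary above: C2 IPs, YouTube DDR video IDs, /d/ tool names.
C2_IPS = {"176.223.165.196", "87.120.254.100", "87.120.37.68"}
DDR_VIDEO_IDS = {"AApRxqOjLs4", "Tn7L5RyRAlM", "aZRJQdwN4-g"}
C2_TOOLS = {"icmpxa.exe", "unrar.exe", "procdump.exe", "rar.exe"}  # compared lower-cased
# Assumed proxy log layout (not from the report): "<timestamp> <client> <METHOD> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def classify_url(raw_url: str) -> List[str]:
    """Indicator categories a requested URL matches (empty list if none)."""
    url = urlparse(raw_url)
    host = (url.hostname or "").lower()
    path = url.path or "/"
    hits = []
    if host in C2_IPS:
        hits.append("known-c2-ip")
    # A listed tool fetched from a bare IP under /d/: the T1105 download paths above.
    if IPV4_RE.match(host) and path.startswith("/d/") and path.rsplit("/", 1)[-1].lower() in C2_TOOLS:
        hits.append("c2-tool-download")
    # youtu.be/<id> or youtube.com/watch?v=<id> naming one of the listed DDR videos.
    video_id = path.strip("/") if host == "youtu.be" else parse_qs(url.query).get("v", [""])[0]
    if host in ("youtu.be", "www.youtube.com", "youtube.com") and video_id in DDR_VIDEO_IDS:
        hits.append("youtube-ddr")
    return hits

def scan(lines: List[str]) -> List[Tuple[str, str]]:  # (client, category) per matching line
    findings = []
    for line in lines:
        m = LOG_RE.match(line)  # malformed lines are skipped
        if m:
            findings.extend((m.group(2), cat) for cat in classify_url(m.group(4)))
    return findings

def chained_clients(findings: List[Tuple[str, str]]) -> List[str]:
    """Clients with more than one category: DDR lookup then C2/tool fetch is the multi-stage pattern."""
    per_client = {}
    for client, cat in findings:
        per_client.setdefault(client, set()).add(cat)
    return sorted(c for c, cats in per_client.items() if len(cats) > 1)

# Constructed sample log; 203.0.113.7 is a documentation-range placeholder, not a real indicator.
SAMPLE_LOG = [
    "2023-01-05T10:01:02Z 10.0.0.5 GET https://youtu.be/AApRxqOjLs4 200",
    "2023-01-05T10:01:09Z 10.0.0.5 GET http://203.0.113.7/d/icmpxa.exe 200",
    "2023-01-05T10:02:30Z 10.0.0.5 POST http://87.120.254.100/api/index.php 200",
    "2023-01-05T10:03:00Z 10.0.0.9 GET https://www.youtube.com/watch?v=Tn7L5RyRAlM 200",
]
```

A single youtu.be hit is weak on its own (the videos are public); the chained view is what turns the DDR lookup into an actionable alert.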
Read more: https://securelist.com/deathstalker-targets-legal-entities-with-new-janicab-variant/108131/