Chronicle
2024: Attack on Russian subscribers of financial Telegram channels
On November 1, 2024, it became known that Russian users of financial Telegram channels were being attacked with spyware. Kaspersky Lab specialists reported a new cyber attack using the DarkMe Trojan, which is actively used to gain remote access to devices and steal subscriber data in more than 20 countries around the world, including Russia.
Attackers use financial and trading channels in Telegram to spread the malware. They attach archives to messages; the archives contain malicious components with .lnk, .com and .cmd extensions. Opening such a file installs the Trojan, which lets the attackers remotely execute commands sent from their server and steal information stored on the device.
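As an added defensive illustration (not code from the report or from Kaspersky), the function below triages an archive the way a mail or messenger gateway might, flagging members whose final extension is one of the three named above, including double-extension lures such as a ".pdf.lnk". It assumes the archive is a ZIP file; the report does not state the archive format, and the sample archive is constructed here, not a real malicious sample.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions the report names as the executable components inside the lure archives.
RISKY_EXTENSIONS = {".lnk", ".com", ".cmd"}


def flag_risky_members(archive_bytes: bytes) -> list[dict]:
    """Return one record per archive member whose *last* suffix is risky.

    Checking the last suffix means a file disguised with a double extension,
    e.g. 'statement.pdf.lnk', is still caught and reported as disguised.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = PurePosixPath(info.filename)
            ext = name.suffix.lower()
            if ext in RISKY_EXTENSIONS:
                findings.append({
                    "member": info.filename,
                    "extension": ext,
                    "disguised": len(name.suffixes) > 1,  # more than one suffix
                    "size": info.file_size,
                })
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample (placeholder contents, no real payload) mimicking the
    reported lure: one benign text file plus two members with risky extensions."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "benign notes")
        zf.writestr("trading_signals.pdf.lnk", "placeholder")
        zf.writestr("setup/update.cmd", "placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in flag_risky_members(build_sample_archive()):
        print(finding)
```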
According to Tatyana Shishkova, a leading expert at Kaspersky GReAT, the attackers use complex methods to hide their traces. Once installed, the Trojan deletes the files that were used to deliver it and inflates its own file size by adding junk code and strings to make detection harder. In addition, after completing its tasks, the malicious code removes all the files, tools and registry keys it used, which complicates investigation of the incident.
Experts attribute this attack to the hacker group DeathStalker, whose activity has been known since 2018. The group operates independently and specializes in cyber espionage, including the gathering of financial and commercial information. According to experts, DeathStalker mainly attacks small and medium-sized businesses, fintech companies, and financial and legal organizations. Members of the group are highly skilled in developing their own tools and have deep knowledge of the cyber threat landscape.[1]