Hack-for-Hire Group Targets Travel and Financial Entities with New Janicab Malware Variant

Dec 10, 2022Ravie LakshmananHack-for-Hire / Threat Intelligence

Hack-for-Hire Group

Travel agencies have emerged as the target of a hack-for-hire group dubbed Evilnum as part of a broader campaign aimed at legal and financial investment institutions in the Middle East and Europe.

The attacks targeting law firms throughout 2020 and 2021 involved a revamped variant of a malware called Janicab that leverages a number of public services like YouTube as dead drop resolvers, Kaspersky said in a technical report published this week.

Janicab infections comprise a diverse set of victims located in Egypt, Georgia, Saudi Arabia, the UAE, and the U.K. The development marks the first time legal organizations in Saudi Arabia have been targeted by this group.

Also tracked as DeathStalker, the threat actor is known to deploy backdoors like Janicab, Evilnum, Powersing, and PowerPepper to exfiltrate confidential corporate information.


“Their interest in gathering sensitive business information leads us to believe that DeathStalker is a group of mercenaries offering hacking-for-hire services, or acting as some sort of information broker in financial circles,” the Russian cybersecurity company noted in August 2020.

According to ESET, the hacking crew has a pattern of harvesting internal company presentations, software licenses, email credentials, and documents containing customer lists, investments and trading operations.

Earlier this year, Zscaler and Proofpoint uncovered fresh attacks orchestrated by Evilnum that have been directed against companies in the crypto and fintech verticals since late 2021.

Hack-for-Hire Group

Kaspersky’s analysis of the DeathStalker intrusions has revealed the use of an LNK-based dropper embedded inside a ZIP archive for initial access by means of a spear-phishing attack.

The lure attachment purports to be a corporate profile document related to power hydraulics that, when opened, leads to the deployment of the VBScript-based Janicab implant, which is capable of command execution and deploying more tools.

Newer versions of the modular malware have simultaneously removed audio recording features and added a keylogger module that shares overlaps with prior Powersing attacks. Other functions include…