There is a new Trojan designed to help attackers recruit insiders within their targeted organizations.
This insider threat Trojan, called “Delilah,” uses social engineering and extortion, including ransomware techniques, to recruit insiders, said Avivah Litan, vice president and analyst at Gartner Research, who gathered the information from Israel-based threat intelligence firm Diskin Advanced Technologies (DAT).
The Trojan, often delivered through adult and gaming websites, collects personal information that could allow attackers to manipulate or blackmail the targeted individual.
In addition to personal information on the victim’s workplace and family, Delilah is capable of capturing video from the targeted user’s webcam.
Victims are instructed to use VPNs and the Tor anonymity network, and to delete their browsing history, most likely in an effort to avoid leaving any evidence that could turn up during an audit.
The Trojan remains closely held: it is not yet available on the common black market and is shared only among closed hacker groups, DAT researchers said.
Litan said the Trojan is currently in use within closed groups. The malware appears to be under development, as it has several bugs, including error messages when the webcam plugin is used and long system freezes.
Researchers said use of Delilah still involves a high level of manual work to identify and prioritize potential victims. However, the Trojan’s developers offer managed social engineering and fraud services for customers who need help with these tasks.
“Surely, to combat Delilah and similar bots, it is especially important to collect and analyze endpoint data and information on VPN usage and TOR connections,” Litan said in a blog post.
“Insider threats are continuing to increase with active recruitment of insiders from organized criminals operating on the dark web,” she said. “With Trojans like Delilah, organizations should expect insider recruitment to escalate further and more rapidly. This will only add to the volume of insider threats caused by disgruntled employees selling their services on the Dark Web in order to harm their employers.”
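The monitoring Litan recommends can be sketched as a correlation over endpoint and network telemetry. The following is an added example, not code from Gartner, DAT or the article; the log format, host names, addresses, port list and 24-hour window are all constructed assumptions. It flags a workstation for review when at least two of the behaviors described above (Tor use, unsanctioned VPN use, cleared browsing history) occur close together.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions (not from the article): log format, hosts and addresses are constructed.
TOR_RELAYS = {"203.0.113.7"}           # stand-in for a relay list the defender maintains
CORP_VPN_GATEWAYS = {"198.51.100.10"}  # sanctioned VPN endpoints, never flagged
VPN_PORTS = {1194, 1723, 500, 4500}    # OpenVPN, PPTP, IKE, IPsec NAT-T
WINDOW = timedelta(hours=24)

SAMPLE_LOG = """\
2016-07-18T09:12:03Z host=WS-041 type=net dst=203.0.113.7 dport=9001
2016-07-18T09:40:10Z host=WS-041 type=endpoint event=browser_history_cleared
2016-07-18T10:02:00Z host=WS-017 type=net dst=198.51.100.10 dport=1194
2016-07-18T11:30:00Z host=WS-022 type=net dst=192.0.2.55 dport=1194
2016-07-21T08:00:00Z host=WS-022 type=endpoint event=browser_history_cleared
"""

def parse(line):
    """Split a constructed 'timestamp key=value ...' record into (datetime, fields)."""
    ts, *pairs = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), dict(p.split("=", 1) for p in pairs)

def classify(fields):
    """Map one record to a signal name, or None if it is not of interest."""
    if fields.get("type") == "endpoint":
        return "history_cleared" if fields.get("event") == "browser_history_cleared" else None
    if fields.get("type") == "net":
        dst = fields.get("dst")
        if dst in TOR_RELAYS:
            return "tor"
        if dst not in CORP_VPN_GATEWAYS and int(fields.get("dport", 0)) in VPN_PORTS:
            return "vpn"
    return None

def hosts_to_review(log_text, window=WINDOW):
    """Return {host: sorted signals} for hosts with >= 2 distinct signals inside the window."""
    per_host = defaultdict(list)
    for line in filter(None, map(str.strip, log_text.splitlines())):
        ts, fields = parse(line)
        signal = classify(fields)
        if signal:
            per_host[fields["host"]].append((ts, signal))
    flagged = {}
    for host, events in per_host.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            kinds = {s for t, s in events[i:] if t - start <= window}
            if len(kinds) >= 2:
                flagged[host] = sorted(kinds)
                break
    return flagged
```

A single signal on its own (a sanctioned VPN session, or history cleared days after an unrelated connection) is not flagged; only the combination inside the window is surfaced for an analyst.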