Hacker-for-Hire Group DeathStalker Implements New MalwarePowerPepper Backdoor Targets Smaller Firms
The hacker-for-hire group DeathStalker, known for conducting espionage campaigns against small and medium-sized businesses, has started using a new malware strain called PowerPepper, according to a report from the security firm Kaspersky.
PowerPepper, a backdoor, is used to remotely take control of victims’ devices, says Pierre Delcher, a security expert at Kaspersky. The backdoor leverages DNS over HTTPS as a communication channel to hide communications with the control server behind legitimate-looking traffic.
Delcher says PowerPepper uses several evasion techniques, including steganography.
"There is nothing particularly sophisticated about the techniques and tricks that are leveraged, yet the whole toolset has proved to be effective, is pretty well put together, and shows determined efforts to compromise various targets around the world," he says in a report on Securelist.
DeathStalker leases its hacking services, rather than attempting to make money directly from its targets, Kaspersky reports. The group has been active since 2012, and Kaspersky has been tracking its activities since 2018. Over the past two years, researchers have found that the group has expanded its efforts to target organizations throughout the world.
"PowerPepper once again proves that DeathStalker is a creative threat actor, one capable of consistently developing new implants and toolchains in a short period of time," Kaspersky says.
Like other malware strains associated with the group, PowerPepper is spread through spear-phishing emails, with the malicious files delivered inside the email body or within a malicious link, Kaspersky says.
The malicious code is embedded in what appear to be pictures of ferns or peppers - hence the name - and is then extracted by a loader script, Delcher says on Securelist.
"The group has exploited international events, carbon emission regulations, and even the pandemic to trick their victims into opening the malicious documents," Kaspersky says.
The loader is disguised as a verification tool from identity services provider GlobalSign, according to Kaspersky. The malware uses custom obfuscation, and parts of the malicious delivery scripts are hidden in Microsoft Word-embedded objects.
"The malware can carry out any shell command on the targeted system, including those for standard data reconnaissance, such as gathering the computer's user and file information, browsing network file shares, and downloading additional binaries or copy content to remote locations," Kaspersky reports.
"The implant will try to evade detection or sandboxes execution with various tricks, such as detecting mouse movements, filtering the client's MAC addresses, and adapting its execution flow depending on detected antivirus products," Delcher says.
Kaspersky researchers also found that these commands are obtained from the control server through DNS over HTTPS communications, an effective way to disguise malicious communications behind legitimate server name queries.
"Communications with the implant and servers are encrypted and, thanks to the use of trusted, signed scripts, antivirus software won't necessarily recognize the implant as malicious at startup," Kaspersky notes.
"The actor consistently used what we call ‘dead-drop resolvers’, which is obfuscated content hosted on major public web services like YouTube, Twitter or Reddit,” Delcher says. “Once decoded by malware this content reveals a command-and-control (C2) server address" (See: APT Group Targets Fintech Companies).
“DeathStalker's malware has proven to be quite effective, perhaps because their primary targets are small and medium-sized organizations - organizations that tend to have less robust security programs,” Kaspersky says.