Security researchers at Kaspersky have discovered a new strain of malware, developed by the DeathStalker hacker group, that is designed to avoid detection on Windows PCs.
While the threat actor has been active since at least 2012, DeathStalker first came to Kaspersky's attention in 2018 because of its distinctive attack characteristics, which did not resemble those of either financially motivated cybercriminals or state-sponsored hackers.
The group is known for using a wide range of malware strains and complex delivery chains in its attacks, but it is the tactics it uses to evade detection that really make it stand out.
Kaspersky discovered DeathStalker's new PowerPepper implant in May of this year while investigating other attacks that used the group's PowerShell-based Powersing implant. Since then the group has developed and deployed new versions of PowerPepper and has adapted the malware's delivery chains to pursue new targets.
PowerPepper itself is a Windows PowerShell-based in-memory backdoor that allows its operators to remotely execute shell commands received from a command-and-control (C2) server.
As with DeathStalker's previous work, PowerPepper attempts to evade detection and sandbox execution on Windows 10 using various tricks, such as checking for mouse movement, filtering on the client's MAC address, and adapting its execution flow depending on which antivirus products are installed on the target system. The malware spreads via spear-phishing emails carrying attachments, or links to documents, that contain malicious Visual Basic for Applications (VBA) macros which run PowerPepper and establish persistence on infected systems.
PowerPepper also uses a number of delivery-chain evasion tricks, such as hiding payloads in the properties of shapes embedded in Word documents, using Windows Compiled HTML Help (CHM) files as archives for malicious files, masquerading and obfuscating its persistence files, hiding payloads within images using steganography, getting lost in the translation of Windows shell commands, and executing through signed-binary proxy execution.
Kaspersky's Pierre Delcher provided more detail on how PowerPepper communicates with its C2 server in a new report, saying:
“The C2 logic of the implant stands out, which is based on communications via DNS over HTTPS (DoH), using CloudFlare responders. PowerPepper first tries to leverage Microsoft's Excel as a web client to send DoH requests to a C2 server, but it will fall back to the standard PowerShell web client and ultimately to regular DNS communications if messages cannot get through.”
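The fallback chain Delcher describes (Excel as a DoH client, then the PowerShell web client, then plain DNS) is something a defender can hunt for from endpoint telemetry, because neither Excel nor PowerShell has any ordinary reason to open its own connection to a public DoH resolver or to talk UDP/53 directly instead of going through the Windows DNS client. The Python below is an added example written for this page, not code from Kaspersky's report or from PowerPepper itself. It assumes Sysmon Event ID 3 (NetworkConnect) field names (Image, DestinationIp, DestinationHostname, DestinationPort, Protocol), uses Cloudflare's public resolver endpoints, and treats the list of "unexpected" DoH clients as a tuning assumption for a workstation where browsers are the only legitimate DoH users. The sample events are constructed for the example.

```python
"""Hunt Sysmon-style network events for DNS-over-HTTPS (DoH) and direct DNS
traffic from processes that should not be speaking DNS on their own.

Added example for this article; the event records are constructed, not real.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Cloudflare's public resolver endpoints (well-known public values).
DOH_HOSTNAMES = {"cloudflare-dns.com", "mozilla.cloudflare-dns.com", "one.one.one.one"}
DOH_IPS = {ipaddress.ip_address(a) for a in ("1.1.1.1", "1.0.0.1")}

# Assumption: on the workstations being hunted, only browsers legitimately use
# DoH, and name resolution for everything else goes through the Windows DNS
# client (hosted in svchost.exe). Office apps and script hosts doing either on
# their own is the pattern reported for PowerPepper.
SUSPECT_CLIENTS = {
    "excel.exe", "winword.exe", "powershell.exe", "pwsh.exe",
    "wscript.exe", "cscript.exe", "mshta.exe",
}


@dataclass(frozen=True)
class Finding:
    severity: str
    process: str
    destination: str
    reason: str


def _basename(image: str) -> str:
    """Strip the directory from a Windows image path and lower-case it."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _ip(text: str) -> Optional[ipaddress._BaseAddress]:
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def is_doh_endpoint(dest_ip: str, dest_hostname: str, dest_port: int) -> bool:
    """True if the destination is a known public DoH resolver on TCP/443."""
    if dest_port != 443:
        return False
    if (dest_hostname or "").lower().rstrip(".") in DOH_HOSTNAMES:
        return True
    ip = _ip(dest_ip)
    return ip is not None and ip in DOH_IPS


def classify(event: dict) -> Optional[Finding]:
    """Return a Finding for one Sysmon-3-like record, or None if benign."""
    proc = _basename(event.get("Image", ""))
    dest_ip = event.get("DestinationIp", "")
    host = event.get("DestinationHostname", "")
    port = int(event.get("DestinationPort", 0))
    dest = f"{host or dest_ip}:{port}"

    if proc not in SUSPECT_CLIENTS:
        return None
    # First two stages of the reported chain: DoH from Excel or PowerShell.
    if is_doh_endpoint(dest_ip, host, port):
        return Finding("high", proc, dest,
                       "DoH to a public resolver from an office app or script host")
    # Last-resort stage: a script host opening its own UDP/53 socket to an
    # external resolver instead of using the Windows DNS client.
    ip = _ip(dest_ip)
    if port == 53 and ip is not None and ip.is_global:
        return Finding("medium", proc, dest,
                       "direct DNS socket to an external resolver, bypassing the DNS client")
    return None


def hunt(events: Iterable[dict]) -> List[Finding]:
    return [f for f in map(classify, events) if f is not None]


# Constructed sample telemetry (not from a real host).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "DestinationIp": "104.16.248.249", "DestinationHostname": "cloudflare-dns.com",
     "DestinationPort": "443", "Protocol": "tcp"},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationIp": "1.1.1.1", "DestinationHostname": "",
     "DestinationPort": "443", "Protocol": "tcp"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "DestinationIp": "1.0.0.1", "DestinationHostname": "",
     "DestinationPort": "443", "Protocol": "tcp"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "DestinationIp": "8.8.8.8", "DestinationHostname": "",
     "DestinationPort": "53", "Protocol": "udp"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "10.0.0.2", "DestinationHostname": "",
     "DestinationPort": "53", "Protocol": "udp"},
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "DestinationIp": "40.97.1.1", "DestinationHostname": "outlook.office365.com",
     "DestinationPort": "443", "Protocol": "tcp"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.severity.upper()}] {f.process} -> {f.destination}: {f.reason}")
```

Run as-is, the script flags the Excel and PowerShell connections to Cloudflare's DoH endpoints as high-severity and the PowerShell UDP/53 socket to an external resolver as medium, while leaving the browser's DoH traffic, the system resolver, and Excel's ordinary Office 365 connection alone. In production the same `classify` logic would be fed from a Sysmon or EDR export rather than the inline list, and the allow-list of legitimate DoH clients would need to match the organisation's browser and VPN fleet.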
To avoid falling victim to PowerPepper, users should avoid opening attachments or clicking links in emails from unknown senders, and should not enable macros in documents from unverified sources.