DeathStalker APT Hackers Launch PowerPepper Malware That Leveraged DNS over HTTPS as a C2 Channel

Researchers have recently detected new malware activity, dubbed “PowerPepper”, from DeathStalker, an advanced persistent threat (APT) actor known for providing hacking-for-hire services.

The threat actors are targeting companies in the financial and legal sectors. DeathStalker is a threat actor that has been active since 2012.

Kaspersky has exposed most of the group’s past activity in a previous article. However, the group has now been discovered using new malware, with new implant and delivery tactics, including a backdoor that Kaspersky has dubbed PowerPepper.

PowerPepper implant

The experts state that PowerPepper is a Windows in-memory PowerShell backdoor that can execute any remotely sent shell command. As is DeathStalker’s tradition, the implant tries to evade detection and sandbox execution using several tricks.

The tricks are quite elaborate: they include checking for mouse movements, filtering the client’s MAC addresses, and altering the execution flow depending on which antivirus products are detected.

DNS command and control

PowerPepper regularly polls a C2 server for commands to execute. To do so, the implant sends TXT-type DNS requests to the name servers (NS) associated with a malicious C2 domain name.

If the target running the implant is validated, the server answers with a DNS response that embeds an encrypted command.

Both the requests and the replies carry patterns that can be recognized by network intrusion detection systems, but these patterns change between implant variants.
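The DNS C2 pattern described above (a host repeatedly issuing TXT queries for changing subdomains of one zone) is the kind of thing a defender can hunt for in resolver logs. The following is an added example, not code from the article or from Kaspersky; the log format, the client IPs, the thresholds and the domain `c2-placeholder.test` are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample resolver log, one query per line (hypothetical format):
# <unix_ts> <client_ip> <qtype> <qname> <answer>
SAMPLE_LOG = """\
1607000000 10.0.0.5 A intranet.corp.example 10.0.0.20
1607000003 10.0.0.5 TXT _dmarc.mail.example "v=DMARC1; p=reject"
1607000010 10.0.0.7 TXT k9x1.c2-placeholder.test "R0VUIGNtZA=="
1607000040 10.0.0.7 TXT q2m8.c2-placeholder.test "U2xlZXA="
1607000071 10.0.0.7 TXT z7p3.c2-placeholder.test "U2xlZXA="
1607000102 10.0.0.7 TXT w4n6.c2-placeholder.test "U2xlZXA="
1607000133 10.0.0.7 TXT h1t5.c2-placeholder.test "U2xlZXA="
1607000164 10.0.0.7 TXT b8r2.c2-placeholder.test "RXhlYw=="
1607000200 10.0.0.9 A updates.vendor.example 203.0.113.10
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (.*)$")

def parse_line(line):
    """Return (ts, client, qtype, qname) or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return int(m.group(1)), m.group(2), m.group(3).upper(), m.group(4).rstrip(".").lower()

def parent_domain(qname, labels=2):
    """Collapse per-query subdomains to the zone they share.
    Assumption: a 2-label registrable domain; no public suffix list is consulted."""
    parts = qname.split(".")
    return ".".join(parts[-labels:])

def find_txt_beacons(lines, min_queries=5, window=600):
    """Flag (client, zone) pairs with >= min_queries TXT queries inside any `window` seconds.
    Returns sorted (client, zone, total_txt_queries) tuples."""
    seen = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[2] != "TXT":
            continue
        ts, client, _, qname = rec
        seen[(client, parent_domain(qname))].append(ts)
    hits = []
    for (client, zone), stamps in seen.items():
        stamps.sort()
        # Sliding window: the i-th and (i+min_queries-1)-th timestamps bound a burst.
        for i in range(len(stamps) - min_queries + 1):
            if stamps[i + min_queries - 1] - stamps[i] <= window:
                hits.append((client, zone, len(stamps)))
                break
    return sorted(hits)

if __name__ == "__main__":
    for client, zone, n in find_txt_beacons(SAMPLE_LOG.splitlines()):
        print(f"possible DNS TXT beacon: {client} -> {zone} ({n} TXT queries)")
```

A single TXT lookup such as the DMARC query from 10.0.0.5 is not flagged; only the burst of TXT queries from 10.0.0.7 to the one zone is. Thresholds must be tuned per environment, since mail servers and some security products legitimately issue many TXT queries.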

Signaling & Target Validation

PowerPepper also signals successful implant startup and execution-flow errors to a Python backend over HTTPS. The experts state that this kind of signaling allows target validation and implant execution logging.

It also prevents researchers from communicating further with the malicious PowerPepper C2 name servers. These Python backends were hosted on PythonAnywhere, a public and legitimate content hosting web service that lets users build their own websites.

PowerPepper Delivery Chains

The first delivery chain was detected in July 2020 and is based on a malicious Word document. This infection chain changed slightly between July and November 2020: some variants have different dropped file names, with embedded code or remote links modified, but in all cases the logic stayed the same. In total there are two chains:

  • The macro-based delivery chain
  • The LNK-based delivery chain

PowerPepper Tricks

PowerPepper uses a total of 6 tricks, listed below:

  • Hide things in Word embedded shape properties.
  • Use Windows Compiled HTML Help (CHM) files as archives for malicious files.
  • Masquerade and obfuscate persistent files.
  • Hide the implant between two ferns.
  • Get lost in Windows shell command translation.
  • Kick-start it all with signed binary proxy execution.

Geography of PowerPepper’s targets

It is difficult to get a comprehensive view of all of PowerPepper’s targets, but experts have been tracking this implant since May 2020. They have managed to get a partial view of the targeted countries before August 2020 and in November 2020.

Mitigations

  • Content hosts can automatically scan hosted files for malicious content, where regulations permit.
  • Website owners and editors should update their CMS backends and associated plugins frequently and promptly.
  • Enterprise IT services should restrict script engine use on end-user computers with enforced execution policies.
  • Individuals should never open Windows shortcuts that were downloaded from a remote location or attached to an email.

Apart from this, DeathStalker’s activity is growing day by day, and it is becoming very challenging for security experts to recognize these attacks. However, experts are doing their best to counter this kind of threat.

Balaji N
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.