Security researchers at Kaspersky have discovered a new malware strain developed by the hacker-for-hire group DeathStalker that has been designed to avoid detection on Windows PCs.
While the threat actor has been active since at least 2012, DeathStalker first drew Kaspersky’s attention back in 2018 because of its distinctive attack characteristics which didn’t resemble those employed by cybercriminals or state-sponsored hackers.
The group is known for using a wide range of malware strains and complex delivery chains in its attacks but the tactics used to evade detection are what really make it stand out.
Kaspersky discovered DeathStalker’s new PowerPepper implant in May of this year while conducting research into other attacks that utilized the group’s PowerShell-based Powersing implant. Since its discovery, new versions of PowerPepper have been developed and deployed by the group which also adapted the malware’s delivery chains to reach new targets.
The new PowerPepper malware is an in-memory Windows PowerShell-based backdoor that has the capability to allow its operators to execute shell commands remotely from a command-and-control (C2) server.
As is the case with DealthStalker’s previous work, PowerPepper tries to evade detection or sandboxes execution on Windows 10 using various tricks such as detecting mouse movements, filtering a client’s MAC addresses and adapting its execution flow depending on which antivirus products are installed on a target system. The malware is spread via spear phishing email attachments or by links to documents that contain malicious Visual Basic for Application (VBA) macros that execute PowerPepper and gain persistence on infected systems.
PowerPepper also uses a number of delivery chain evasion tricks such as hiding payloads in Word embedded shapes properties, using Windows Compiled HTML (CHM) files as archives for malicious files, masquerading and obfuscating persistent files, hiding payloads within images using steganography, getting lost in Windows shell commands translation and executing via a signed binary proxy execution.
Kaspersky’s Pierre Delcher provided further insight on how PowerPepper communicates with its C2 server in a new report, saying:
“The implant’s C2 logic stands out, as it is based on communications via DNS over HTTPS (DoH), using CloudFlare responders. PowerPepper first tries to leverage Microsoft’s Excel as a Web client to send DoH requests to a C2 server, but will fall back to PowerShell’s standard web client, and ultimately to regular DNS communications, if messages cannot get through.”
In order to avoid falling victim to PowerPepper, users should avoid opening attachments or clicking on links in emails from unknown senders as well as enabling macros in documents from unverified sources.