Cybersecurity Experts Uncover New Windows Backdoor Tied to DeathStalker Group
Cybersecurity researchers announced on Thursday the discovery of an in-memory Windows backdoor, named “PowerPepper,” linked to a hacker-for-hire collective. This sophisticated malware is capable of executing malicious code remotely and extracting sensitive information from targets across Asia, Europe, and the United States.
Kaspersky researchers attributed PowerPepper to the DeathStalker group, also known as Deceptikons. This threat actor has been active since at least 2012, primarily targeting law firms and financial institutions in Europe and the Middle East. The moniker “PowerPepper” comes from the malware’s use of steganography: the backdoor payload is concealed inside seemingly innocuous images, such as pictures of ferns or peppers, and extracted at run time.
The DeathStalker group’s tactics were first identified earlier this July, revealing a modus operandi that typically begins with spear-phishing emails carrying malicious Windows shortcut (LNK) files. When a recipient opens the shortcut, it silently launches a PowerShell-based implant dubbed Powersing. Kaspersky’s analysis found no sign that the group is financially motivated in the usual sense; its persistent interest in sensitive business information instead suggests it operates as a mercenary or information broker for clients in the financial sector.
PowerPepper is the latest addition to the group’s growing arsenal, having been detected in the wild in mid-July 2020. The malware is delivered via a decoy Word document and establishes a command channel over DNS over HTTPS (DoH), through which it receives encrypted commands from an attacker-controlled server and executes them in memory. The spear-phishing emails that precede the attack cover diverse topics, including carbon emission regulations and travel bookings, and often exploit the ongoing pandemic to create a sense of urgency that lures unsuspecting users into enabling macros and thereby launching the backdoor.
Analysts found that PowerPepper polls the malicious command-and-control (C2) server through DNS requests: commands are embedded in the DNS responses, the malware executes them covertly, and the results travel back to the operator encoded in further DNS requests. Because DoH wraps these lookups in ordinary HTTPS traffic to a public resolver, the exchange blends in with legitimate web browsing. This layered approach reflects the group’s commitment to obfuscation, which also includes hiding malicious content inside Word document properties and using Windows Compiled HTML Help (CHM) files as containers for the malicious files.
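The DoH command channel described above can be hunted for in web-proxy logs, because the resolver lookups leave a distinctive shape: TXT queries for long, high-entropy leftmost labels, with a fresh label per beacon under one parent domain. The script below is an added example written for this page, not Kaspersky’s detection logic or any PowerPepper code. It assumes a constructed proxy log format (timestamp, client, method, URL), a small hard-coded list of public DoH endpoints, thresholds chosen for illustration, and that the commands ride in TXT records, which is a common choice for DNS tunnelling that the article itself does not specify. The sample log lines are constructed for the example.

```python
"""Hunt for DNS-over-HTTPS (DoH) lookups shaped like a DNS-tunnelled C2 channel.

Added example (not Kaspersky's or PowerPepper's code). Heuristics:
  * the request targets a known DoH resolver endpoint (/dns-query or /resolve),
  * it asks for TXT records (assumption: the channel uses TXT for command text),
  * the leftmost label is long and high-entropy (encoded data, not a hostname),
  * several distinct such labels share one parent domain (one label per beacon).
"""
import math
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Public DoH endpoints to watch (assumption: a real deployment loads its own list).
DOH_HOSTS = {"cloudflare-dns.com", "dns.google", "dns.quad9.net", "1.1.1.1"}
DOH_PATHS = {"/dns-query", "/resolve"}

# Constructed proxy log format: "<timestamp> <client> <method> <url>".
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)$")

# Constructed sample: one client beaconing three unique TXT names under example.net,
# plus benign DoH lookups and an unrelated web request.
SAMPLE_LOG = [
    "2020-07-15T10:00:00Z 10.0.0.5 GET https://cloudflare-dns.com/dns-query?name=q7w2e9r4t1y6u3i8o5p0a2s4d6f8g1h3.cdn.example.net&type=TXT",
    "2020-07-15T10:00:03Z 10.0.0.7 GET https://cloudflare-dns.com/dns-query?name=www.example.com&type=A",
    "2020-07-15T10:01:00Z 10.0.0.5 GET https://cloudflare-dns.com/dns-query?name=z1x2c3v4b5n6m7k8j9h0g1f2d3s4a5p6.cdn.example.net&type=TXT",
    "2020-07-15T10:01:10Z 10.0.0.7 GET https://dns.google/resolve?name=_dmarc.example.com&type=TXT",
    "2020-07-15T10:01:30Z 10.0.0.7 POST https://cloudflare-dns.com/dns-query",
    "2020-07-15T10:02:00Z 10.0.0.5 GET https://cloudflare-dns.com/dns-query?name=m3n5b7v9c1x3z5l7k9j1h3g5f7d9s1a3.cdn.example.net&type=TXT",
    "2020-07-15T10:02:05Z 10.0.0.9 GET https://www.example.org/index.html",
]


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_doh_request(url):
    """Return (qname, qtype) for a GET-style DoH query URL, or None otherwise."""
    parts = urlsplit(url)
    if parts.hostname not in DOH_HOSTS or parts.path not in DOH_PATHS:
        return None
    qs = parse_qs(parts.query)
    name = qs.get("name", [None])[0]
    if not name:
        return None  # wire-format POST carries the query in the body, invisible in the URL
    qtype = qs.get("type", ["A"])[0].upper()
    return name.rstrip(".").lower(), qtype


def split_name(qname):
    """Split 'label.sub.example.net' into (leftmost_label, parent_domain)."""
    labels = qname.split(".")
    if len(labels) < 3:
        return None, qname  # bare second-level name: nothing to tunnel data in
    return labels[0], ".".join(labels[-2:])


def analyze(lines, min_label_len=16, min_entropy=3.5, min_unique=3):
    """Group suspicious DoH TXT lookups by (client, parent domain).

    Returns a list of dicts: client, parent, unique_labels, first and last timestamp.
    Thresholds are illustrative assumptions, not tuned values.
    """
    stats = defaultdict(lambda: {"labels": set(), "ts": []})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        req = parse_doh_request(m["url"])
        if req is None:
            continue
        qname, qtype = req
        label, parent = split_name(qname)
        if qtype != "TXT" or label is None:
            continue
        if len(label) < min_label_len or shannon_entropy(label) < min_entropy:
            continue
        key = (m["client"], parent)
        stats[key]["labels"].add(label)
        stats[key]["ts"].append(m["ts"])
    findings = []
    for (client, parent), s in sorted(stats.items()):
        if len(s["labels"]) >= min_unique:
            findings.append({"client": client, "parent": parent,
                             "unique_labels": len(s["labels"]),
                             "first": s["ts"][0], "last": s["ts"][-1]})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['client']} -> {f['parent']}: {f['unique_labels']} unique TXT labels "
              f"between {f['first']} and {f['last']}")
```

The benign lines are filtered for different reasons, which is the point of layering the checks: the `A` lookup fails the record-type test, `_dmarc.example.com` has a short low-entropy label, and the wire-format POST exposes no query name in the URL at all, so a proxy-only view cannot classify it and a TLS-inspecting or endpoint-based control is needed for that case.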
Multiple mercenary hacking groups have emerged in recent years, including BellTroX, Bahamut, and CostaRicto. All have demonstrated proficiency in using bespoke malware to infiltrate the systems of financial institutions and government personnel. According to Kaspersky researcher Pierre Delcher, DeathStalker’s innovative approaches with PowerPepper reflect its determined efforts to breach targets worldwide. Though the individual techniques are not particularly advanced, their cohesive execution is what makes the group a credible threat.
Given the constant evolution of cyber threats, businesses are urged to bolster their defences. Keeping content management system (CMS) backends and their plugins up to date is essential, as is restricting PowerShell execution on end-user machines, for example through execution policies and application control. Additionally, employees should be cautioned against opening Windows shortcut (.lnk) files received by email and against engaging with messages from unfamiliar senders.
As malware incidents continue to proliferate, mapping PowerPepper’s tactics to the MITRE ATT&CK framework remains a useful exercise: initial access through spear-phishing attachments (T1566.001), execution via user-enabled macros and PowerShell (T1204.002, T1059.001), defence evasion through steganography and CHM files (T1027.003, T1218.001), and command and control over DNS (T1071.004). The obfuscation techniques demonstrated by DeathStalker serve as a reminder of the need for vigilance in today’s digital landscape.