DeathStalker APT Spices Things Up with PowerPepper Malware

powerpepper malware deathstalker

A raft of obfuscation techniques turn the heat up for the hacking-for-hire operation.

The DeathStalker advanced persistent threat (APT) group has a hot new weapon: A highly stealthy backdoor that researchers have dubbed PowerPepper, used to spy on targeted systems.

DeathStalker offers mercenary, espionage-for-hire services targeting the financial and legal sectors, according to researchers at Kaspersky. They noted that the group has been around since at least 2012 (first spotted in 2018), using the same set of relatively basic techniques, tactics and procedures (TTPs) and selling its services to the highest bidder. In November, though, the group was found using a new malware implant, with different hideout tactics.

“DeathStalker has leveraged several malware strains and delivery chains across the years, from the Python and VisualBasic-based Janicab, to the PowerShell-based Powersing, passing by the JavaScript-based Evilnum,” researchers said in a Thursday posting. “DeathStalker also consistently leveraged anti-detection and antivirus evasion techniques, as well as intricate delivery chains, that would drop lots of files on target’s file systems.”

This particular malware stands out, though, for upping the heat level on its evasion tactics.

Advanced Evasion Tactics

The freshly discovered backdoor spices things up on the obfuscation front by using DNS over HTTPS as a communication channel, in order to hide communications with command-and-control (C2) behind legitimate-looking traffic.

“PowerPepper regularly polls the C2 server for commands to execute,” according to researchers. “In order to do so, the implant sends TXT-type DNS requests (with DoH or plain DNS requests if the later fails) to the name servers (NS) that are associated with a malicious C2 domain name…the server replies with a DNS response, embedding an encrypted command.”

PowerPepper’s main features. Source: Kaspersky.

PowerPepper also adds steganography to the list of evasion techniques, which is the practice of hiding data inside images. In this case, the malicious code is embedded in what appears to be regular pictures of ferns or peppers (hence the name), and it is then extracted by a loader script. The loader is disguised as a verification tool from identity services provider GlobalSign.

And, it uses custom obfuscation, with parts of its malicious delivery scripts hidden in Word-embedded objects, researchers said: “Communications with the implant and servers are encrypted and, thanks to the use of trusted, signed scripts, antivirus software won’t necessarily recognize the implant as malicious at startup.”

Other tactics for evasion, like mouse movement detection, client MAC address filtering, Excel application handling and antivirus products inventory round out its bag of tricks.

Peppering Companies with Espionage

PowerPepper was cultivated to execute remote shell commands sent by DeathStalker operators, which are aimed at stealing sensitive business information.

Targeted geographies in 2020. Source: Kaspersky.

The commands cover the spycraft gamut, including those for gathering the computer’s user and file information, browsing network file shares, downloading additional binaries or copying content to remote locations.

PowerPepper is typically spread via spearphishing emails with the malicious files delivered via the email body or within a malicious link, as is typical for DeathStalker. Kaspersky has observed lures related to international events, carbon-emission regulations and the pandemic, with emails hitting Europe primarily, but also in the Americas and Asia. The primary targets for PowerPepper so far are small and medium-sized organizations – organizations that tend to have less robust security programs.

“PowerPepper once again proves that DeathStalker is a creative threat actor: one capable of consistently developing new implants and toolchains in a short period of time,” said Pierre Delcher, security expert at Kaspersky, in a statement. “PowerPepper is already the fourth malware strain affiliated with the actor, and we have discovered a potential fifth strain. Even though they are not particularly sophisticated, DeathStalker’s malware has proven to be quite effective.”

Put Ransomware on the Run: Save your spot for “What’s Next for Ransomware,” a FREE Threatpost webinar on Dec. 16 at 2 p.m. ET. Find out what’s coming in the ransomware world and how to fight back. 

Get the latest from John (Austin) Merritt, Cyber Threat Intelligence Analyst at Digital Shadows, and other security experts, on new kinds of attacks. Topics will include the most dangerous ransomware threat actors, their evolving TTPs and what your organization needs to do to get ahead of the next, inevitable ransomware attack. Register here for the Wed., Dec. 16 for this LIVE webinar.

Suggested articles