Dark Reading
Products and Releases

Infamous Hacker-for-Hire Group DeathStalker Hits the Americas & Europe With New PowerPepper Malware

Woburn, MA – December 3, 2020 – Kaspersky researchers have spotted new malware activity in the wild from DeathStalker, the advanced persistent threat (APT) actor known for offering hacking-for-hire services targeting companies in the financial and legal sectors. The group was found using a new malware implant and delivery tactics involving a backdoor Kaspersky has dubbed PowerPepper.

The backdoor is used to remotely take control of victim devices. It leverages DNS over HTTPS as a communication channel, in order to hide communications with the control server behind legitimate-looking traffic. PowerPepper also uses several evasion techniques, including steganography, a method for disguising data.

DeathStalker is a highly unusual APT actor. Active since at least 2012, the group conducts espionage campaigns against small and medium-sized businesses, particularly law firms and financial services organizations. Unlike other APT groups, it doesn’t appear to be politically motivated or to seek financial gain from the companies it targets. Rather, it acts as a mercenary, offering its hacking services for a price.

Kaspersky researchers have recently uncovered new malicious campaigns from DeathStalker. Like other malware strains associated with the group, PowerPepper is typically spread via spearphishing emails, with the malicious files delivered in the email body or behind a malicious link. The group has exploited international events, carbon emission regulations, and even the pandemic to trick its victims into opening the malicious documents.

The main malicious payload is disguised using steganography, a process that allows attackers to hide data amid legitimate content. In the case of PowerPepper, the malicious code is embedded in what appear to be ordinary pictures of ferns or peppers (hence the name) and is then extracted by a loader script. Once extracted, PowerPepper begins to execute remote shell commands sent by DeathStalker operators, which are aimed at stealing sensitive business information. The malware can carry out any shell command on the targeted system, including those used for standard reconnaissance, such as gathering the computer’s user and file information, browsing network file shares, downloading additional binaries, or copying content to remote locations. The commands are obtained from the control server through DNS over HTTPS communications, an effective way to disguise malicious traffic behind what looks like legitimate name resolution.

The use of steganography is just one of several obfuscation and evasion techniques employed by the malware. The loader is disguised as a verification tool from identity services provider GlobalSign. It uses custom obfuscation, and parts of the malicious delivery scripts are hidden in Word-embedded objects. Communications between the implant and its servers are encrypted and, thanks to the use of trusted, signed scripts, antivirus software won’t necessarily recognize the implant as malicious at startup.

PowerPepper has been seen in attacks across Europe primarily, but also in the Americas and Asia. In previously described campaigns, DeathStalker mainly targeted law consultancy firms and organizations that provide financial or cryptocurrency services.

“PowerPepper once again proves that DeathStalker is a creative threat actor: one capable of consistently developing new implants and toolchains in a short period of time,” said Pierre Delcher, security expert at Kaspersky. “PowerPepper is already the fourth malware strain affiliated with the actor, and we have discovered a potential fifth strain. Even though they are not particularly sophisticated, DeathStalker’s malware has proven to be quite effective, perhaps because their primary targets are small and medium-sized organizations—organizations that tend to have less robust security programs. We expect DeathStalker to remain active, and we will continue to monitor its campaigns.”

PowerPepper was part of the most recent GReAT Ideas: Powered by Croissant. Baguette Edition. You can watch the recording, as well as other presentations on the latest threat developments by Kaspersky’s top-level experts here:   

Read more about PowerPepper and its evasion techniques at Securelist.

To protect your organization from attacks like PowerPepper, Kaspersky experts recommend:

  • Provide your SOC team with access to the latest threat intelligence (TI). The Kaspersky Threat Intelligence Portal is a single point of access for the company’s TI, providing cyberattack data and insights gathered by Kaspersky over more than 20 years.
  • To minimize the risk of infection through phishing emails, companies should give their employees basic cybersecurity hygiene training so that they are wary of emails from unknown senders. If they receive such an email, they shouldn’t open attachments or click any links in it before making sure it is legitimate.
  • To protect medium-sized businesses from such advanced attacks, use endpoint security solutions with EDR functionality. Kaspersky’s Integrated Endpoint Security solution detects an attack and provides a wide range of response actions optimized for IT and security teams of mid-sized companies.
