The cyber-mercenary group known as DeathStalker has been using a new PowerShell backdoor in recent attacks.
DeathStalker is a hack-for-hire group discovered by Kaspersky; it has been targeting organizations worldwide, mainly law firms and financial entities, since 2012. Victim organizations are small and medium-sized businesses located in Argentina, China, Cyprus, India, Israel, Lebanon, Switzerland, Russia, Taiwan, Turkey, the United Kingdom and the United Arab Emirates.
Kaspersky experts identified a previously unknown backdoor, dubbed PowerPepper, that the group has been using in attacks since mid-July.
“PowerPepper is a Windows in-memory PowerShell backdoor that can execute remotely sent shell commands.” reads the analysis published by Kaspersky. “In strict accordance with DeathStalker’s traditions, the implant will try to evade detection or sandboxes execution with various tricks such as detecting mouse movements, filtering the client’s MAC addresses, and adapting its execution flow depending on detected antivirus products.”
The fileless Windows implant is being constantly improved by the mercenaries; it allows operators to execute shell commands. The backdoor uses multiple tricks to evade detection and leverages DNS over HTTPS (DoH) to communicate with its C2 server, using Cloudflare responders.
PowerPepper has mainly been used against law and consultancy firms in the United States, Europe, and Asia.
The C&C communication is encrypted; experts noticed that the implant uses the same implementation of AES encryption as the Powersing backdoor, the only differences being the AES padding mode and a function input format.
PowerPepper regularly polls a C2 server for new commands to execute. The mechanism is implemented by regularly sending TXT-type DNS requests to the name servers (NS) associated with its C&C domain name, which in turn return the commands. Once a command has been executed, the malicious code sends back the command execution results.
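The polling pattern described above (repeated TXT queries to one domain at a steady interval) is what a defender can hunt for in DNS telemetry. The following is an added example, not code from the Kaspersky report: it parses a constructed, simplified query log (timestamp in seconds, client, query type, query name) and flags clients whose TXT queries to a single registered domain recur with low jitter.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log (not from the report): "<seconds> <client> <qtype> <qname>"
SAMPLE_LOG = """\
0 10.0.0.5 TXT a1f3.example-c2.test
60 10.0.0.5 TXT b7c2.example-c2.test
120 10.0.0.5 TXT 9e0d.example-c2.test
180 10.0.0.5 TXT 44aa.example-c2.test
240 10.0.0.5 TXT c0de.example-c2.test
15 10.0.0.7 A www.example.org
70 10.0.0.7 TXT _dmarc.example.org
300 10.0.0.7 A mail.example.org
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def registered_domain(qname: str) -> str:
    """Crude last-two-labels heuristic; production code should use a public-suffix list."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def parse_log(text: str):
    """Yield (timestamp, client, qtype, qname) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m.group(1)), m.group(2), m.group(3).upper(), m.group(4)

def find_txt_beacons(text: str, min_queries: int = 4, max_jitter: float = 0.2):
    """Return (client, domain, count, mean_interval) for each client whose TXT queries
    to one registered domain are regular: stdev/mean of inter-query gaps <= max_jitter."""
    series = defaultdict(list)
    for ts, client, qtype, qname in parse_log(text):
        if qtype == "TXT":
            series[(client, registered_domain(qname))].append(ts)
    hits = []
    for (client, domain), times in series.items():
        if len(times) < min_queries:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append((client, domain, len(times), avg))
    return hits
```

Because the implant uses DoH to Cloudflare, the queries bypass the local resolver, so this logic has to run over endpoint DNS client logs or a TLS-inspecting proxy rather than resolver logs.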
“On top of the DNS C2 communication logic, PowerPepper also signals successful implant startup and execution flow errors to a Python backend, through HTTPS. Such signaling enables target validation and implant execution logging, while preventing researchers from interacting further with the PowerPepper malicious C2 name servers,” Kaspersky reports.
Kaspersky discovered that the Python backends were being hosted on the public, legitimate hosting service PythonAnywhere; the security firm worked with the service provider to take them down.
The PowerPepper attack chain is being delivered through weaponized Word documents distributed through spear-phishing messages.
The malicious item is either embedded as a spear-phishing email body or downloaded from a malicious link in the spear-phishing email. Experts pointed out that the infection chain varied slightly between July and November 2020.
In some attacks, threat actors used a Windows shortcut file to deliver the implant.
Additional technical details about the new backdoor used by DeathStalker are provided in the report published by Kaspersky, including Indicators of Compromise.
“The DeathStalker threat is definitely a cause for concern, with the victimology for its various malware strains showing that any corporation or individual in the world can be targeted by their malicious activities, provided someone has decided they are of interest and passed on the word to the threat actor,” Kaspersky concludes.