‘Hired Gun’ Hackers and the PowerPepper Backdoor
Kaspersky Lab has reported a new backdoor, developed by a hackers-for-hire (HfH) group, that is loaded into Windows RAM rather than written to disk. The backdoor can remotely execute malicious code and steal confidential information.
The malware is called PowerPepper and is attributed to the DeathStalker (DS) cybercriminal group (previously known as Deceptikons). Members of this group have been targeting law firms and financial institutions in Europe and the Middle East going back to 2012. These criminals initiate their attacks through targeted phishing campaigns, sending emails that carry modified LNK files.
The name PowerPepper comes from the malware's use of steganographic tricks to deliver the 'fern' or 'pepper' backdoor payload. The backdoor is pulled in via a fake Word document and then uses the DNS over TLS (DoT) protocol as a communication channel to receive encrypted malicious shell commands from the C&C server. The emails use an array of subject-line topics as lures, such as carbon footprint control, travel bookings and the current coronavirus (COVID-19) pandemic, and the Word documents carry socially engineered 'banners' urging users to enable macros, which results in the backdoor loading.
DeathStalker (a name referencing a popular video game) also uses various methods to avoid detection, in addition to using macros and LNK files to deploy malware. The most notable feature of PowerPepper is its ability to hide the malicious execution workflow in built-in forms and properties of Word objects, and to use Windows Compiled HTML Help (CHM) files as archives for malware.
Researchers explain, "There is nothing particularly complicated in the methods and techniques used, but the entire toolbox has proven to be effective, is quite well-composed and demonstrates a determined effort to compromise various targets around the world."[1] DeathStalker has used numerous malware strains and delivery chains over the years, from the Python- and VisualBasic-based Janicab to the PowerShell-based PowerSing and the JavaScript-based Evilnum. Researchers warn, "The actor consistently used what we call 'dead-drop resolvers', which is obfuscated content hosted on major public web services like YouTube, Twitter or Reddit. Once decoded by malware this content reveals a command-and-control (C2) server address." DS's malware has proven to be quite effective, perhaps because its primary targets are small and medium-sized organizations, which tend to have less robust security programs.[2]
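The two infrastructure traits described above, DoT as the command channel and CHM files in the delivery chain, both leave traces in per-process network telemetry. The following added example (not from Kaspersky's report or the article) shows a simple hunt over constructed log lines: it flags DoT connections (TCP 853, per RFC 7858) from processes that are not expected DoT clients, and any outbound connection from the Windows HTML Help viewer hh.exe. The process allow-list and log format are assumptions for illustration.

```python
import csv
from io import StringIO

# Constructed sample of endpoint network telemetry (one connection per line).
SAMPLE_LOG = """timestamp,host,process,dest_ip,dest_port,proto
2020-12-03T10:01:00Z,ws01,chrome.exe,1.1.1.1,853,tcp
2020-12-03T10:02:00Z,ws01,powershell.exe,203.0.113.7,853,tcp
2020-12-03T10:03:00Z,ws02,WINWORD.EXE,203.0.113.7,853,tcp
2020-12-03T10:04:00Z,ws02,hh.exe,203.0.113.9,443,tcp
2020-12-03T10:05:00Z,ws03,svchost.exe,8.8.8.8,53,udp
"""

DOT_PORT = 853  # DNS over TLS (RFC 7858)

# Assumed allow-list: processes that legitimately speak DoT on their own
# (browsers with secure DNS enabled, the OS resolver service). Tune per fleet.
EXPECTED_DOT_CLIENTS = {"chrome.exe", "firefox.exe", "msedge.exe", "svchost.exe"}

# Windows HTML Help viewer: the host process for CHM files.
CHM_VIEWER = "hh.exe"


def classify(row):
    """Return an alert reason for one telemetry row, or None if benign."""
    proc = row["process"].lower()
    port = int(row["dest_port"])
    if port == DOT_PORT and proc not in EXPECTED_DOT_CLIENTS:
        # Office or scripting hosts talking DoT directly is how PowerPepper
        # receives its commands; resolvers normally do this, not winword.exe.
        return "dot-from-unexpected-process"
    if proc == CHM_VIEWER:
        # A CHM viewer reaching out to the network is rare enough to review.
        return "chm-viewer-network"
    return None


def find_alerts(log_text):
    """Scan CSV telemetry and return (host, process, reason) tuples."""
    alerts = []
    for row in csv.DictReader(StringIO(log_text)):
        reason = classify(row)
        if reason:
            alerts.append((row["host"], row["process"], reason))
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(alert)
```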
[1] https://www.securitylab.ru/news/514560.php
[2] https://www.bankinfosecurity.com/hacker-for-hire-group-deathstalker-implements-new-malware-a-15527