APT actor DeathStalker attacks users in Germany and Switzerland. Target of the actor: companies in the financial and legal sector. New backdoor “PowerPepper” uses various obfuscation techniques.
Advanced Persistent Threat (APT) actor DeathStalker is now believed to be offering hacking-for-hire services to steal confidential business information from companies in the financial and legal sectors. The Kaspersky experts have now identified new activities on the part of the actor and discovered a new malware implantation and deployment tactic: the PowerPepper backdoor uses DNS over HTTPS as a communication channel to hide the communication behind legitimate control server name queries. In addition, PowerPepper uses various obfuscation techniques such as steganography.
Especially SMEs in their sights
DeathStalker is a very unusual APT actor. The group, which has been active since at least 2012, has carried out espionage campaigns against small and medium-sized enterprises such as law firms or representatives of the financial sector. In contrast to other APT groups, DeathStalker does not seem to be politically motivated or to seek financial profit from the attacked companies. Rather, the backers act as mercenaries and offer their hacking services for a fee.
Kaspersky researchers have now uncovered a new malicious campaign by the group, the backdoor PowerPepper. Like other DeathStalker malware, PowerPepper is commonly spread via spear phishing emails, with malicious files being transmitted in the email text or within a malicious link. To this end, the group used international events, regulations on CO2 emissions and the corona pandemic to get its victims to open the harmful documents.
Steganography as a camouflage
The main malicious payload is cloaked using steganography, which allows the attackers to hide data amidst legitimate content. In the case of PowerPepper, the malicious code is embedded in seemingly normal images of ferns or peppers (see English “pepper” for naming) and then extracted by a loader script. After that, PowerPepper starts executing remote shell commands it receives from the DeathStalker actors which aim to steal sensitive business information. The malware can execute any shell command on the target system, including standard data reconnaissance ones, such as collecting computer user and file information, browsing network file shares, and downloading additional binaries or copying content to remote locations. Commands are retrieved from the control server using DNS over HTTPS communication - an effective method of hiding malicious communications behind legitimate server name queries.
More on this on SecureList from Kaspersky.com
About Kaspersky Kaspersky is an international cybersecurity company founded in 1997. Kaspersky's in-depth threat intelligence and security expertise serve as the basis for innovative security solutions and services to protect companies, critical infrastructures, governments and private users worldwide. The company's comprehensive security portfolio includes leading endpoint protection as well as a range of specialized security solutions and services to defend against complex and evolving cyber threats. Kaspersky technologies protect over 400 million users and 250.000 corporate customers. More information about Kaspersky can be found at www.kaspersky.com/