Sophisticated cyber attacks are increasingly in the spotlight, and DeathStalker is a known APT hacking group which first came to limelight through a PowerShell-based implant called Powersing back to 2018.

According to Kaspersky researchers, there is a previously undiscovered in-memory Windows backdoor, dubbed "PowerPepper" developed by the Advanced Persistent Threat (APT) Group that can execute malicious code remotely and steal sensitive information from targets in Europe, Asia, and the United States.

The "PowerPepper" in-memory backdoor hacking tool is so-called because of reliance on steganographic trickery to push out backdoor payload in the form of image of ferns or peppers.

DeathStalker, however don’t steal these sensitive information to resell it, neither do they engage in any type of activity associated with the cybercrime groups operating underworld.

How the PowerPepper malware expands the Hackers' toolsets



PowerPepper malware was first spotted in the wild in July 2020, which as a new strain of malware is dropped from Word documents and leverages DoH (DNS over HTTPS) as a communications channel to transmit malicious shell commands from an attacker-controlled server.



The Word documents have social engineering banners luring users to enable macros in a bid to downloading the backdoor, while the spear-phishing emails come with different themes as varied as travel booking, and even the ongoing corona-virus pandemic.

In turn, DNS requests are sent to name servers associated with a malicious C2 domain, which then sends back the command to be run in form of an embedded response, and on execution, the results are relayed to the server via a batch of DNS requests.

How to Mitigate against the "PowerPepper" in-memory malware



The PowerPepper toolset has proved to be effective, and it's pretty well put together, with determined efforts to compromise any targets from around the world.

Therefore, it is recommended that personal users and businesses should update their CMS backends and associated plugins, also restrict PowerShell use on end-user computers with enforced policies, and refrain from opening attached files or clicking links in emails from unknown senders to safeguard against PowerPepper delivery and execution.

APT hacking group, DeathStalker unleash "PowerPepper" in-memory malware

Sophisticated cyber attacks are increasingly in the spotlight, and DeathStalker is a known APT hacking group which first came to limelight through a PowerShell-based implant called Powersing back to 2018.

According to Kaspersky researchers, there is a previously undiscovered in-memory Windows backdoor, dubbed "PowerPepper" developed by the Advanced Persistent Threat (APT) Group that can execute malicious code remotely and steal sensitive information from targets in Europe, Asia, and the United States.

The "PowerPepper" in-memory backdoor hacking tool is so-called because of reliance on steganographic trickery to push out backdoor payload in the form of image of ferns or peppers.

DeathStalker, however don’t steal these sensitive information to resell it, neither do they engage in any type of activity associated with the cybercrime groups operating underworld.

How the PowerPepper malware expands the Hackers' toolsets



PowerPepper malware was first spotted in the wild in July 2020, which as a new strain of malware is dropped from Word documents and leverages DoH (DNS over HTTPS) as a communications channel to transmit malicious shell commands from an attacker-controlled server.



The Word documents have social engineering banners luring users to enable macros in a bid to downloading the backdoor, while the spear-phishing emails come with different themes as varied as travel booking, and even the ongoing corona-virus pandemic.

In turn, DNS requests are sent to name servers associated with a malicious C2 domain, which then sends back the command to be run in form of an embedded response, and on execution, the results are relayed to the server via a batch of DNS requests.

How to Mitigate against the "PowerPepper" in-memory malware



The PowerPepper toolset has proved to be effective, and it's pretty well put together, with determined efforts to compromise any targets from around the world.

Therefore, it is recommended that personal users and businesses should update their CMS backends and associated plugins, also restrict PowerShell use on end-user computers with enforced policies, and refrain from opening attached files or clicking links in emails from unknown senders to safeguard against PowerPepper delivery and execution.

No comments