Hack-for-Hire Group ‘DeathStalker’ Uses New Backdoor in Recent Attacks

Over the past several months, the “mercenary” advanced persistent threat (APT) group known as DeathStalker has been using a new PowerShell backdoor in its attacks, Kaspersky reports.

Active since at least 2012 but exposed only in August 2020, DeathStalker is believed to be a cyber-mercenary organization targeting small to medium-sized businesses in a dozen countries, based on customer requests or perceived value.

Kaspersky’s security researchers, who have been tracking the group since 2018, identified a previously unknown implant the group has been using in attacks since mid-July. Dubbed PowerPepper, the malware has been continuously used in attacks and is being constantly improved.

Targeting Windows systems, the in-memory implant can execute shell commands sent by the remote attacker and attempts to evade detection and execution in sandbox environments. It uses DNS over HTTPS (DoH) to communicate with its command and control (C&C) server, relying on Cloudflare's DoH responders as the transport.

The C&C communication is encrypted and the malware uses the same implementation of AES encryption as the previously detailed Powersing backdoor. However, the AES padding mode is different and a function input format has been changed.

The malware was observed regularly sending TXT-type DNS requests to the name servers (NS) associated with its C&C domain name in order to receive commands, and then sending the command execution results back over the same DNS channel.
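The behaviour described above, a host polling the name servers of one domain with TXT queries at regular intervals, is also a detection opportunity. The following is an added example, not code from the article or from Kaspersky's report: it parses a small constructed DNS query log and flags any client whose TXT queries to a single registrable domain are both frequent and evenly spaced (a beaconing pattern). The log format, hostnames, domain names and thresholds are all assumptions made for the example; the "last two labels" domain heuristic is a simplification that a production detector would replace with a public-suffix list.

```python
"""Flag DNS TXT-query beaconing in a DNS query log (added example).

Constructed input format, one query per line:
    <ISO-8601 timestamp> <client host> <query type> <query name>
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log. ws-17 polls one domain with TXT queries every 30 s;
# ws-22 issues ordinary TXT lookups (e.g. a DMARC record) that must not fire.
SAMPLE_LOG = """\
2020-11-30T09:00:00 ws-17 A   www.example.com
2020-11-30T09:00:03 ws-17 TXT a1b2c3.cmd.c2-example.test
2020-11-30T09:00:33 ws-17 TXT d4e5f6.cmd.c2-example.test
2020-11-30T09:01:03 ws-17 TXT 0a1b2c.cmd.c2-example.test
2020-11-30T09:01:33 ws-17 TXT 3d4e5f.cmd.c2-example.test
2020-11-30T09:02:03 ws-17 TXT 6a7b8c.cmd.c2-example.test
2020-11-30T09:00:10 ws-22 TXT _dmarc.example.org
2020-11-30T09:00:11 ws-22 A   mail.example.org
2020-11-30T09:05:00 ws-22 TXT example.org
"""


def parse_log(text):
    """Parse log lines into records; blank or malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qtype, qname = parts
        records.append({
            "ts": datetime.fromisoformat(ts),
            "client": client,
            "qtype": qtype.upper(),
            "qname": qname.lower().rstrip("."),
        })
    return records


def registered_domain(qname):
    """Approximate the registrable domain as the last two labels.

    Assumption for the example: no public-suffix list is consulted, so a
    name under a multi-label suffix such as 'co.uk' would be grouped wrongly.
    """
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def find_txt_beacons(records, min_queries=5, max_cv=0.2):
    """Return (client, domain) groups whose TXT queries look like a beacon.

    A group is flagged when one client sends at least `min_queries` TXT
    queries to the same registrable domain and the gaps between them are
    regular: coefficient of variation (stdev / mean) <= `max_cv`.
    """
    groups = defaultdict(list)
    for r in records:
        if r["qtype"] == "TXT":
            groups[(r["client"], registered_domain(r["qname"]))].append(r)

    findings = []
    for (client, domain), hits in groups.items():
        if len(hits) < min_queries:
            continue
        times = sorted(h["ts"] for h in hits)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if not gaps:
            continue
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({
                "client": client,
                "domain": domain,
                "count": len(hits),
                "mean_interval_s": round(avg, 1),
                "cv": round(cv, 3),
                # Many distinct names under one domain is typical of
                # data carried in the query name itself.
                "unique_names": len({h["qname"] for h in hits}),
            })
    return findings


if __name__ == "__main__":
    for f in find_txt_beacons(parse_log(SAMPLE_LOG)):
        print(f"{f['client']} -> {f['domain']}: {f['count']} TXT queries, "
              f"every ~{f['mean_interval_s']}s (cv={f['cv']}), "
              f"{f['unique_names']} distinct query names")
```

On the sample log only ws-17 is reported; the two legitimate TXT lookups from ws-22 fall below the count threshold. Tune `min_queries` and `max_cv` against a baseline of your own resolver logs, and note that DoH traffic will not appear in a recursive resolver's log at all, so this logic belongs on endpoint DNS telemetry (Sysmon DNS events or equivalent) rather than on the resolver.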

“On top of the DNS C2 communication logic, PowerPepper also signals successful implant startup and execution flow errors to a Python backend, through HTTPS. Such signaling enables target validation and implant execution logging, while preventing researchers from interacting further with the PowerPepper malicious C2 name servers,” Kaspersky reports.

The security researchers also discovered that the Python backends were being hosted on the public, legitimate hosting service PythonAnywhere and worked with the service provider to take them down.

The takedown prompted the operators to remove the feature from most PowerPepper delivery documents and to add a compromised WordPress domain that serves as a reverse proxy between implants and backends.

PowerPepper is being delivered through malicious Word documents that embed all of the items necessary for malware execution and setting up persistence. In some instances, a Windows shortcut file is used for delivery, with the chain leveraging malicious PowerShell scripts and employing a Word document that acts strictly as a decoy.

PowerPepper has mainly been used against law and consultancy firms in the United States, Europe, and Asia.

“The DeathStalker threat is definitely a cause for concern, with the victimology for its various malware strains showing that any corporation or individual in the world can be targeted by their malicious activities, provided someone has decided they are of interest and passed on the word to the threat actor,” Kaspersky concludes.

Related: Hack-for-Hire Group Targets Financial Sector Since 2012

Related: Threat Actor Sold Access to Networks of 135 Organizations

Related: Evilnum Group Targets Fintech Companies in Europe

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
