PowerPepper Malware Description
PowerPepper is a new backdoor malware threat observed as part of the operations of an advanced persistent threat (APT) group named DeathStalker. This particular APT is believed to acting as a mercenary and offering its services to the highest bidder. The group was first detected in 2018 but is believed to have been established far earlier. The hackers from DeathStalker specialize mostly in carrying out espionage and data-theft campaigns targeting entities from Europe. However, DeathStalker victims from North and South America, as well as Asia, also have been identified. The group's malware toolkit consists of comparatively not that sophisticated threats but exhibits high levels of efficacy.
PowerPepper fits that description quite nicely. The threat is capable of potent backdoor activities as it can execute remote shell commands received from its Command-and-Control (C&C, C2) infrastructure. The threat can execute a wide range of espionage functions on the compromised machine, including the harvest of various user and file information, browsing network file shares, fetching additional corrupted binaries, and exfiltrating data C2 infrastructure. The initial compromise vector is believed to be the distribution of spear-phishing emails. The initial malware files can either be attached to the body of the email or hidden behind corrupted links.
The most impressive aspect of PowerPepper is the multitude of evasion techniques it has at its disposal. First, it skips HTTPS and instead uses DNS as a communication channel with its C2 servers. The malware sends TXT-type DNS requests and, in return, received a DNS response with an embedded encrypted command. PowerPepper also takes advantage of a steganography technique - parts of the corrupted code of the threat are hidden inside seemingly innocuous image files. The ones used by the threat depict either ferns or peppers (the reason for the name given to this particular backdoor). The loader script tasked with extracting the information from the image files is, in turn, masquerading as a verification tool from GlobalSign, an identity service provider.
In addition, PowerPepper employs custom obfuscation, encrypted communication, and leverages signed scripts that could fool anti-malware software. DeathStalker also has equipped their new backdoor tool to filter client MAC addresses, Excel application handling, and a function responsible for detecting mouse movement.