The new Windows exploit targets businesses in US, Asia and Europe.
Security researchers at Kapersky Labs have published detailed descriptions of a new in-memory Windows malware that can execute remote code on target companies in Europe, Asia, and the US. Hackers use the backdoor exploit to steal sensitive data from targeted companies and organizations.
Kaspersky Lab researcher Pierre Delcher identified and described the new threat in a blog post. They have named the malware PowerPepper and attributed the credited to a hackers-for-hire group called DeathStalker.
PowerPepper is DeathStalker’s latest creation
DeathStalker APT group has been active since 2012 and previously targeted law firms and financial companies in Europe and the Middle East, according to Delcher.
The malefactors consistently use what Kapersky Labs call “dead-drop resolvers”. DDRs are content that resides furtively on major public web services like YouTube, Twitter or Reddit. Once decoded by malware this content reveals a command-and-control (C2) server address.
PowerPepper is a Windows in-memory PowerShell backdoor that can execute remotely sent shell commands. The hackers then use these commands to steal sensitive business information and do general reconnoitering of the target system.
The implant will try to evade detection or sandboxes execution with various tricks such as detecting mouse movements, filtering the client’s MAC addresses, and adapting its execution flow depending on detected antivirus products.
Hacker group are “definitely a cause for concern”
The DeathStalker/PowerPepper threat is definitely a cause for concern, explains Delcher. The victimology for its various malware strains shows that the group can target any corporation or individual in the world.
“Luckily for defenders, DeathStalker has, until now, relied on a rather limited set of techniques to design its delivery chains, and implementing counter-measures is an attainable goal for most organizations.”