[BreachExchange] Hack-for-Hire Group 'DeathStalker' Uses New Backdoor in Recent Attacks

Destry Winant destry at riskbasedsecurity.com
Thu Dec 10 10:25:39 EST 2020


https://www.securityweek.com/hack-hire-group-deathstalker-uses-new-backdoor-recent-attacks

Over the past several months, the “mercenary” advanced persistent
threat (APT) group known as DeathStalker has been using a new
PowerShell backdoor in its attacks, Kaspersky reports.

Active since at least 2012 but exposed only in August 2020,
DeathStalker is believed to be a cyber-mercenary organization
targeting small to medium-sized businesses in a dozen countries, based
on customer requests or perceived value.

Kaspersky’s security researchers, who have been tracking the group
since 2018, identified a previously unknown implant the group has been
using in attacks since mid-July. Dubbed PowerPepper, the malware has
been continuously used in attacks and is being constantly improved.

Targeting Windows systems, the in-memory implant can execute shell
commands sent by the remote attacker and attempts to evade detection
and execution in sandbox environments. It uses DNS over HTTPS (DoH) to
communicate with its command and control (C&C) server, relying on
Cloudflare's DoH responders to do so.

The C&C communication is encrypted and the malware uses the same
implementation of AES encryption as the previously detailed Powersing
backdoor. However, the AES padding mode is different and a function
input format has been changed.

The malware was observed regularly sending TXT-type DNS requests to
the name servers (NS) associated with its C&C domain name in order to
receive commands. It then sends back command execution results.
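As an added example (not code from the article or from Kaspersky), the following Python snippet shows how a defender might spot the pattern described above in web-proxy logs: a scripting host repeatedly asking Cloudflare's DoH endpoint for TXT records. The log line format, the process names and the queried domain are constructed assumptions; the `dns-query?name=...&type=TXT` form is Cloudflare's documented JSON DoH interface.

```python
"""Added detection example (not from the article or Kaspersky): flag PowerShell
processes that repeatedly issue DNS TXT lookups through Cloudflare's
DNS-over-HTTPS endpoint, the C2 pattern the article attributes to PowerPepper."""
from collections import Counter
from urllib.parse import urlparse, parse_qs

# Constructed proxy log lines, "<timestamp> <process> <url>" (sample data only).
SAMPLE_LOG = """\
2020-12-10T10:00:01Z powershell.exe https://cloudflare-dns.com/dns-query?name=ns1.example-c2.invalid&type=TXT
2020-12-10T10:00:31Z powershell.exe https://cloudflare-dns.com/dns-query?name=ns1.example-c2.invalid&type=TXT
2020-12-10T10:01:01Z powershell.exe https://cloudflare-dns.com/dns-query?name=ns1.example-c2.invalid&type=TXT
2020-12-10T10:01:05Z chrome.exe https://cloudflare-dns.com/dns-query?name=www.example.com&type=A
2020-12-10T10:01:09Z outlook.exe https://mail.example.com/owa/
"""

DOH_HOSTS = {"cloudflare-dns.com", "1.1.1.1", "1.0.0.1"}   # Cloudflare DoH front ends
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}            # processes that rarely need DoH

def parse_line(line):
    """Split one log line into process, DoH host/path and the DNS name/type queried."""
    ts, proc, url = line.split(maxsplit=2)
    u = urlparse(url)
    q = parse_qs(u.query)
    return {"ts": ts, "proc": proc.lower(), "host": u.hostname, "path": u.path,
            "name": q.get("name", [None])[0], "type": q.get("type", ["A"])[0].upper()}

def is_doh_txt(rec):
    """True when the request is a TXT lookup against Cloudflare's /dns-query endpoint."""
    return rec["host"] in DOH_HOSTS and rec["path"] == "/dns-query" and rec["type"] == "TXT"

def find_suspicious(log_text, min_hits=2):
    """Return {(process, queried name): count} for script hosts that repeatedly resolve
    TXT records over DoH; the repetition mirrors the polling the article describes."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["proc"] in SCRIPT_HOSTS and is_doh_txt(rec):
            hits[(rec["proc"], rec["name"])] += 1
    return {k: v for k, v in hits.items() if v >= min_hits}

if __name__ == "__main__":
    for (proc, name), n in find_suspicious(SAMPLE_LOG).items():
        print(f"ALERT: {proc} made {n} TXT lookups for {name} via DoH")
```

In a real deployment the same check would run over proxy or EDR telemetry and would be one signal among several, since legitimate tooling can also use DoH.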

“On top of the DNS C2 communication logic, PowerPepper also signals
successful implant startup and execution flow errors to a Python
backend, through HTTPS. Such signaling enables target validation and
implant execution logging, while preventing researchers from
interacting further with the PowerPepper malicious C2 name servers,”
Kaspersky reports.

The security researchers also discovered that the Python backends were
being hosted on the public, legitimate hosting service PythonAnywhere
and worked with the service provider to take them down.

This prompted the operators to remove the feature from most
PowerPepper delivery documents and to add a compromised WordPress
domain that would serve as a reverse-proxy between implants and
backends.

PowerPepper is being delivered through malicious Word documents that
embed all of the items necessary for malware execution and setting up
persistence. In some instances, a Windows shortcut file is used for
delivery, with the chain leveraging malicious PowerShell scripts and
employing a Word document that acts strictly as a decoy.

PowerPepper has mainly been used against law and consultancy firms in
the United States, Europe, and Asia.

“The DeathStalker threat is definitely a cause for concern, with the
victimology for its various malware strains showing that any
corporation or individual in the world can be targeted by their
malicious activities, provided someone has decided they are of
interest and passed on the word to the threat actor,” Kaspersky
concludes.
