While the threat actor has been active since at least 2012, DeathStalker first drew Kaspersky’s attention back in 2018 because of its distinctive attack characteristics which didn’t resemble those employed by cybercriminals or state-sponsored hackers.
The group is known for using a wide range of malware strains and complex delivery chains in its attacks but the tactics used to evade detection are what really make it stand out.
Kaspersky discovered DeathStalker’s new PowerPepper implant in May of this year while conducting research into other attacks that utilized the group’s PowerShell-based Powersing implant. Since its discovery, new versions of PowerPepper have been developed and deployed by the group which also adapted the malware’s delivery chains to reach new targets.
The new PowerPepper malware is an in-memory Windows PowerShell-based backdoor that has the capability to allow its operators to execute shell commands remotely from a command-and-control (C2) server.
As is the case with DealthStalker’s previous work, PowerPepper tries to evade detection or sandboxes execution on Windows 10 using various tricks such as detecting mouse movements, filtering a client’s MAC addresses and adapting its execution flow depending on which antivirus products are installed on a target system. The malware is spread via spear phishing email attachments or by links to documents that contain malicious Visual Basic for Application (VBA) macros that execute PowerPepper and gain persistence on infected systems.
PowerPepper also uses a number of delivery chain evasion tricks such as hiding payloads in Word embedded shapes properties, using Windows Compiled HTML (CHM) files as archives for malicious files, masquerading and obfuscating persistent files, hiding payloads within images using steganography, getting lost in Windows shell commands translation and executing via a signed binary proxy execution.
Kaspersky’s Pierre Delcher provided further insight on how PowerPepper communicates with its C2 server…