
Businesses told to guard against PowerPepper Windows exploit

DeathStalker hacking group is using the in-memory backdoor to steal sensitive data


Security researchers have revealed details of a new in-memory Windows backdoor developed by hackers for hire that can execute remote code on targets in Europe, Asia, and the US to steal sensitive data.

This new malware, dubbed PowerPepper, has been credited to hackers-for-hire group DeathStalker. This APT group has been active since 2012 and previously targeted law firms and financial companies in Europe and the Middle East, according to Kaspersky Lab researcher Pierre Delcher.

In a blog post, Delcher said that the new backdoor is designed to execute remote shell commands. The malware will try to evade detection with various tricks, such as detecting mouse movements, filtering the client’s MAC addresses, and adapting its execution flow depending on detected antivirus products.

To launch an attack, DeathStalker usually relies on spear-phishing emails with attachments, or links to public file-sharing services, as well as script execution based on Windows shortcuts. The emails usually involve topics such as carbon emission regulations, travel booking, and the coronavirus pandemic.

The main payload of the malware is hidden in obfuscated content hosted on major public web services like YouTube, Twitter or Reddit; once decoded by the malware, this content reveals a command-and-control (C2) server address. The malware also appears to be hidden in a picture of a bunch of peppers, which is where it gets its name.

A loader script extracts the malicious code and, once executed, PowerPepper begins to execute remote shell commands sent by the hackers. These commands are used to steal sensitive business information and carry out reconnaissance.
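As an added illustration, not code from the article or from Kaspersky's research, the following Python triage script runs over a few constructed process-creation and network telemetry lines and flags the two delivery traits described above: a Windows script host launched from Explorer with hidden-window or encoded-script flags (the shortcut-based script execution), and a script host fetching content from the public services the article names as hosts for the obfuscated C2 pointer (a "dead drop"). The pipe-delimited log format, the interpreter list, the launch-flag heuristic and the sample lines are all assumptions made for the example.

```python
"""Triage constructed Windows telemetry for PowerPepper-style delivery traits.

Added example; the log format, host list and heuristics are assumptions,
not detections published by the article or by Kaspersky.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Public services the article names as hosts of the obfuscated C2 pointer.
DEAD_DROP_HOSTS = {"youtube.com", "twitter.com", "reddit.com"}

# Script hosts a Windows shortcut (.lnk) can start directly (assumed list).
SCRIPT_INTERPRETERS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Heuristic (assumption): a script host started from the desktop shell with
# these flags looks like a shortcut-launched loader, not an operator console.
SUSPICIOUS_FLAGS = (
    "-w hidden", "-windowstyle hidden",
    "-enc ", "-encodedcommand ",
    "-ep bypass", "-executionpolicy bypass",
)


@dataclass
class Event:
    kind: str          # "PROCESS" or "NETWORK"
    image: str = ""    # full path of the process
    parent: str = ""   # full path of the parent (PROCESS only)
    cmd: str = ""      # command line (PROCESS only)
    dest: str = ""     # destination host name (NETWORK only)


def parse_line(line: str) -> Event:
    """Parse one constructed 'KIND|key=value|...' telemetry line."""
    kind, *fields = line.strip().split("|")
    kv = dict(f.split("=", 1) for f in fields if "=" in f)
    return Event(kind=kind.upper(), image=kv.get("image", ""), parent=kv.get("parent", ""),
                 cmd=kv.get("cmd", ""), dest=kv.get("dest", ""))


def basename(path: str) -> str:
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_dead_drop_host(host: str) -> bool:
    """True for a listed service or any of its subdomains (www., old., ...)."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in DEAD_DROP_HOSTS)


def assess(ev: Event) -> Optional[str]:
    """Return a reason string if the event matches a trait, else None."""
    image = basename(ev.image)
    if image not in SCRIPT_INTERPRETERS:
        return None            # browsers and ordinary apps may visit these sites
    if ev.kind == "PROCESS":
        cmd = ev.cmd.lower()
        if basename(ev.parent) == "explorer.exe" and any(f in cmd for f in SUSPICIOUS_FLAGS):
            return f"{image} launched from Explorer with hidden/encoded flags (possible shortcut-based loader)"
    elif ev.kind == "NETWORK" and is_dead_drop_host(ev.dest):
        return f"{image} fetched from public service {ev.dest} (possible dead-drop C2 resolver)"
    return None


def analyze(log: str) -> List[Tuple[int, str]]:
    """Return (line number, reason) for every flagged line of the log."""
    findings = []
    for n, line in enumerate(log.strip().splitlines(), start=1):
        if not line.strip():
            continue
        reason = assess(parse_line(line))
        if reason:
            findings.append((n, reason))
    return findings


# Constructed sample telemetry: lines 1, 2 and 6 should be flagged.
SAMPLE_LOG = r"""
PROCESS|parent=C:\Windows\explorer.exe|image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|cmd=powershell.exe -w hidden -ep bypass -enc PLACEHOLDERBASE64==
NETWORK|image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|dest=www.youtube.com
PROCESS|parent=C:\Windows\explorer.exe|image=C:\Windows\System32\notepad.exe|cmd=notepad.exe report.txt
NETWORK|image=C:\Program Files\Google\Chrome\Application\chrome.exe|dest=www.youtube.com
PROCESS|parent=C:\Windows\explorer.exe|image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|cmd=powershell.exe
NETWORK|image=C:\Windows\System32\wscript.exe|dest=old.reddit.com
"""

if __name__ == "__main__":
    for line_no, reason in analyze(SAMPLE_LOG):
        print(f"line {line_no}: {reason}")
```

The two checks are deliberately narrow: an interactive PowerShell opened from Explorer (line 5) and a browser visiting YouTube (line 4) produce no findings, so the rule keys on the combination of a script host with a hidden or encoded launch, or with a fetch from a content-hosting service that a script has little legitimate reason to contact. In a real environment the interpreter list, the flag heuristic and the host list would be tuned to local baselines.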

So far, favoured targets of PowerPepper appear to be firms specialising in law and consultancy, based in Europe, Asia, and the US.

“The DeathStalker threat is definitely a cause for concern, with the victimology for its various malware strains showing that any corporation or individual in the world can be targeted by their malicious activities, provided someone has decided they are of interest and passed on the word to the threat actor,” said Delcher.

“Luckily for defenders, DeathStalker has, until now, relied on a rather limited set of techniques to design its delivery chains, and implementing counter-measures is an attainable goal for most organizations.”
