DeathStalker, a hacker-for-hire group, has developed a new Windows PowerShell malware dubbed PowerPepper, reports Kaspersky.
What has been discovered?
In May, the new PowerPepper implant was discovered while the group was using a PowerShell-based implant known as Powersing in their attacks. Since then, the malware has been updated several times.
- PowerPepper is an in-memory Windows PowerShell-based backdoor. It lets its operators run shell commands remotely through a command-and-control (C2) server.
- The group has been active since 2012 and targets small and medium-sized firms operating in the law and financial sectors.
How does it operate?
- The new backdoor has several anti-detection capabilities, such as filtering on the client's MAC address, mouse movement detection, an inventory of installed antivirus products, and Excel application handling.
- It is delivered through spear-phishing emails carrying malicious attachments or links to documents that contain malicious VBA macros, which run PowerPepper and establish persistence on compromised systems.
Its infection method, however, changed slightly between July and November.
Hackers-for-hire are gaining traction
More cybercriminal groups are actively offering their services in order to make money and grow quickly.
- Recently, CostaRicto, a hacker-for-hire group, was observed hitting victims across several continents in at least 13 different countries.
- Earlier, the Bahamut group had been using phishing, malicious apps, and zero-day attacks against its victims.
To thwart the nefarious efforts of cybercriminals, experts suggest that organizations of all sizes deploy endpoint security solutions with endpoint detection and response (EDR), and that users avoid clicking on links or opening emails without first verifying their legitimacy.