News: Hackers-for-hire developed a PowerPepper backdoor for Windows RAM

Tasken
Cybersecurity researchers at Kaspersky Lab have described a new backdoor that is loaded into Windows RAM and was developed by a hackers-for-hire (HfH) group. The backdoor can remotely execute malicious code and steal confidential information.

The malware, called PowerPepper, is linked to the cybercrime group DeathStalker (formerly known as Deceptikons). Members of this group have been attacking law firms and financial companies in Europe and the Middle East since 2012. The criminals start their campaigns with targeted phishing emails that carry modified LNK files.

The tool gets its name from its reliance on steganography: the backdoor payload is delivered hidden inside an image of a fern or a pepper. The malware is extracted from a fake Word document and uses DNS over TLS (DoT) as its communication channel, receiving encrypted malicious shell commands from the C&C server over it.
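Because DoT encrypts the queries themselves, a C2 channel like the one described above is invisible to plain DNS-layer inspection; what a defender can still see is the TCP/853 session to a resolver the organisation never sanctioned. The following script is an added illustration of that check, not code from Kaspersky or from the PowerPepper toolset. The flow-log format, the resolver allowlist and the sample records are all constructed for the example.

```python
"""Flag DNS-over-TLS (TCP/853) sessions to resolvers outside an allowlist.

Added example for this thread, not code from Kaspersky or the DeathStalker
toolset. The log format and the allowlist are hypothetical.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Hypothetical: the only DoT resolver the organisation has sanctioned.
APPROVED_DOT_RESOLVERS = {"10.0.0.53"}
DOT_PORT = 853


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str


def parse_flow_line(line: str) -> Flow:
    """Parse one 'ts src dst dport proto' record (constructed format)."""
    ts, src, dst, dport, proto = line.split()
    return Flow(ts, src, dst, int(dport), proto.upper())


def find_unapproved_dot(flows: Iterable[Flow]) -> List[Flow]:
    """Return TCP/853 flows whose destination is not an approved resolver."""
    return [
        f for f in flows
        if f.proto == "TCP" and f.dport == DOT_PORT
        and f.dst not in APPROVED_DOT_RESOLVERS
    ]


def summarise_by_host(flows: Iterable[Flow]) -> Dict[str, int]:
    """Count suspicious DoT flows per internal host; a beaconing host stands out."""
    counts: Dict[str, int] = {}
    for f in find_unapproved_dot(flows):
        counts[f.src] = counts.get(f.src, 0) + 1
    return counts


def analyse(log_text: str) -> Dict[str, int]:
    """Parse a whole flow log and return {source host: suspicious DoT count}."""
    flows = [parse_flow_line(l) for l in log_text.splitlines() if l.strip()]
    return summarise_by_host(flows)


# Constructed sample: 10.1.1.5 uses the approved resolver, 10.1.1.9 does
# ordinary HTTPS, and 10.1.1.7 repeatedly opens DoT to an unknown address.
SAMPLE_LOG = """\
2020-12-03T09:00:01 10.1.1.5 10.0.0.53 853 tcp
2020-12-03T09:00:04 10.1.1.7 203.0.113.9 853 tcp
2020-12-03T09:00:05 10.1.1.9 198.51.100.2 443 tcp
2020-12-03T09:01:04 10.1.1.7 203.0.113.9 853 tcp
2020-12-03T09:02:04 10.1.1.7 203.0.113.9 853 tcp
"""


if __name__ == "__main__":
    for host, n in analyse(SAMPLE_LOG).items():
        print(f"{host}: {n} DoT session(s) to unapproved resolvers")
```

The per-host count matters more than a single hit: one stray DoT connection may be a browser's own resolver setting, whereas a host that opens TCP/853 to the same unfamiliar address on a regular interval is the pattern worth investigating.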

The emails use a variety of lures, such as carbon-emission controls, travel booking and the current COVID-19 pandemic, and the Word documents carry social-engineering banners urging users to enable macros, which leads to the backdoor being downloaded.

In addition to using macros and LNK files to deploy the malware, DeathStalker uses several methods to avoid detection. The main ones are hiding the malicious execution workflow in the built-in forms and properties of Word objects, and using Windows Compiled HTML Help (CHM) files as containers for the malware.

"There is nothing particularly complex in the methods and techniques used, but the entire set of tools has proven to be effective, is quite well put together and demonstrates a determined effort to compromise various goals around the world," the experts said.
 