
PowerPepper Malware

Posted: December 4, 2020

The DeathStalker APT group continues to offer hacking-for-hire services to whoever pays. Selling to the highest bidder gives the group the funding to develop sophisticated tooling such as the newly identified PowerPepper Malware. PowerPepper's functionality is unremarkable in itself; what sets it apart is the effort its authors put into evasion. The malware is built to avoid automated malware analysis sandboxes and virtual machines, and to slip past the detection engines of anti-virus products.

Another evasive technique the PowerPepper Malware boasts is its use of the DNS protocol to carry its command-and-control traffic. DNS limits how much data can be moved and how quickly, since commands and results must be packed into query names and responses, but it also lets the malware slip past many firewalls, which tend to allow DNS out of the network with little scrutiny. Defenders should therefore treat unusual DNS activity, such as bursts of TXT queries or long, high-entropy subdomain labels under a single domain, as a signal worth investigating.
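To show what that kind of DNS monitoring looks like in practice, here is an added example written for this page; it is not PowerPepper's code and not a vendor signature. It runs a few generic DNS-tunnelling heuristics (repeated TXT queries, long or high-entropy first labels, grouped per client and domain) over a constructed resolver log. The log format, the field names and the thresholds are assumptions chosen for the demo, and real tunnelling detection would tune them against baseline traffic.

```python
"""Heuristics for spotting DNS-based command-and-control traffic.

Added example written for this page; it is not PowerPepper's code and not a
vendor signature. The log format (timestamp client qtype qname), the field
names and the thresholds below are assumptions chosen for the demo.
"""
import math
from collections import Counter, defaultdict

# Constructed resolver log lines (not real traffic). Host 10.1.2.9 makes
# repeated TXT queries whose first label is a long, high-entropy blob.
SAMPLE_LOG = """\
2020-12-04T10:00:01 10.1.2.3 A www.example.com
2020-12-04T10:00:02 10.1.2.3 AAAA mail.example.com
2020-12-04T10:00:03 10.1.2.9 TXT 0f3a9c2e1b7d4e5f6a8b9c0d1e2f3a4b5c6d7e8f.c2-demo.invalid
2020-12-04T10:00:04 10.1.2.9 TXT 9b8c7d6e5f4a3b2c1d0e9f8a7b6c5d4e3f2a1b0c.c2-demo.invalid
2020-12-04T10:00:05 10.1.2.9 TXT a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0.c2-demo.invalid
2020-12-04T10:00:06 10.1.2.3 A cdn.example.net
2020-12-04T10:00:07 10.1.2.9 TXT ffeeddccbbaa99887766554433221100aabbccdd.c2-demo.invalid
"""


def shannon_entropy(text: str) -> float:
    """Bits per character; hex or base64 blobs score well above plain words."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def registrable_domain(qname: str) -> str:
    """Crude 'last two labels' approximation of the attacker-controlled zone."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_log(text: str) -> list:
    """Parse 'timestamp client qtype qname' lines; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qtype, qname = parts
        records.append({"ts": ts, "client": client,
                        "qtype": qtype.upper(), "qname": qname})
    return records


def summarize(records: list) -> dict:
    """Group by (client, domain) and compute per-group tunnelling indicators."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["client"], registrable_domain(r["qname"]))].append(r)
    summary = {}
    for key, recs in groups.items():
        first_labels = [r["qname"].split(".")[0] for r in recs]
        summary[key] = {
            "queries": len(recs),
            "txt_queries": sum(r["qtype"] == "TXT" for r in recs),
            "max_label_len": max(len(label) for label in first_labels),
            "mean_entropy": sum(shannon_entropy(label)
                                for label in first_labels) / len(recs),
        }
    return summary


def flag_suspicious(records: list, min_txt: int = 3,
                    min_label_len: int = 30, min_entropy: float = 3.5) -> list:
    """Return sorted (client, domain) pairs that match the heuristics."""
    hits = []
    for key, s in summarize(records).items():
        blobby = (s["max_label_len"] >= min_label_len
                  or s["mean_entropy"] >= min_entropy)
        if s["txt_queries"] >= min_txt and blobby:
            hits.append(key)
    return sorted(hits)


if __name__ == "__main__":
    for client, domain in flag_suspicious(parse_log(SAMPLE_LOG)):
        print(f"suspicious DNS channel: {client} -> {domain}")
```

The grouping by client and domain matters more than any single threshold: one long TXT query is noise, but a steady stream of them from one host to one zone is the shape of a DNS channel regardless of which encoding the operator chose.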

The PowerPepper Malware also uses steganography to hide the true purpose of its code until it is executed. Steganography conceals data inside an innocuous carrier, in this case pictures of peppers, which is where the malware's name comes from. A loader script extracts the malicious code fragments from the images, fuses the pieces back together, and runs the resulting payload. To a casual inspection an image carrying hidden code still looks like an ordinary picture, which is the point of the technique.
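To make the loader step concrete, here is an added example of least-significant-bit image steganography, written for this page and not taken from PowerPepper or its loader: a short payload is split across several carrier images, each fragment is hidden in the lowest bit of the pixel bytes, and a loader-style routine extracts the fragments and joins them. The carriers are constructed raw RGB pixel buffers rather than real image files, and the container format (16-bit length prefix, one bit per carrier byte, fragments joined in order) is an assumption for the demo; the page does not describe PowerPepper's actual encoding. The recovered payload is only returned, never executed.

```python
"""LSB steganography: hide a payload across several carrier images and
reassemble it the way a loader would.

Added example for this page; it is not PowerPepper's loader. The container
format (16-bit big-endian length prefix, one payload bit in the LSB of each
carrier byte, fragments joined in order) is an assumption for the demo, and
the carriers are constructed raw RGB pixel buffers, not real image files.
"""
import random

# Constructed, harmless stand-in for a script payload; it is never executed.
DEMO_PAYLOAD = b"Write-Host 'stego demo'"


def make_carrier(num_pixels: int, seed: int) -> bytearray:
    """Constructed 'image': pseudo-random RGB bytes, three per pixel."""
    rng = random.Random(seed)
    return bytearray(rng.randrange(256) for _ in range(num_pixels * 3))


def _iter_bits(data: bytes):
    """Yield the bits of data, most significant bit first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def _read_bits(carrier: bytes, start: int, count: int) -> bytes:
    """Collect `count` LSBs starting at byte offset `start` into bytes."""
    value = 0
    for idx in range(start, start + count):
        value = (value << 1) | (carrier[idx] & 1)
    return value.to_bytes(count // 8, "big")


def embed(carrier: bytes, fragment: bytes) -> bytearray:
    """Write a 16-bit length prefix plus the fragment into the carrier LSBs."""
    if len(fragment) > 0xFFFF:
        raise ValueError("fragment too large for a 16-bit length prefix")
    bits = list(_iter_bits(len(fragment).to_bytes(2, "big") + fragment))
    if len(bits) > len(carrier):
        raise ValueError("carrier too small for this fragment")
    out = bytearray(carrier)
    for idx, bit in enumerate(bits):
        out[idx] = (out[idx] & 0xFE) | bit  # touch only the lowest bit
    return out


def extract(carrier: bytes) -> bytes:
    """Recover one fragment; validates the length prefix against the carrier."""
    if len(carrier) < 16:
        raise ValueError("carrier too small to hold a length prefix")
    length = int.from_bytes(_read_bits(carrier, 0, 16), "big")
    if 16 + length * 8 > len(carrier):
        raise ValueError("declared length exceeds carrier size")
    return _read_bits(carrier, 16, length * 8)


def split_payload(payload: bytes, parts: int) -> list:
    """Split into `parts` near-equal fragments; earlier ones get the extra byte."""
    base, extra = divmod(len(payload), parts)
    fragments, pos = [], 0
    for i in range(parts):
        size = base + (1 if i < extra else 0)
        fragments.append(payload[pos:pos + size])
        pos += size
    return fragments


def hide_across(payload: bytes, seeds: list, pixels_per_image: int = 200) -> list:
    """Attacker side: one fragment per carrier image."""
    fragments = split_payload(payload, len(seeds))
    return [embed(make_carrier(pixels_per_image, s), f)
            for s, f in zip(seeds, fragments)]


def recover(carriers: list) -> bytes:
    """Loader side: extract each fragment and fuse them in order."""
    return b"".join(extract(c) for c in carriers)


if __name__ == "__main__":
    images = hide_across(DEMO_PAYLOAD, seeds=[1, 2, 3])
    print(recover(images))
```

Two practical points follow from the code. Changing only the lowest bit of each byte leaves the picture visually unchanged, so a file-level scanner that does not reconstruct the payload sees nothing but an image; and because the loader must run to assemble the pieces, behavioural monitoring of the script that opens and decodes the images is usually a better detection point than the images themselves.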

The PowerPepper Malware has been observed on networks in Asia, North and South America, and Europe. The criminals reach their victims through spear-phishing emails and do not appear to target a particular sector. Once installed, PowerPepper lets the operators execute remote commands, which appear to be used to collect sensitive data from the compromised systems.

While the DeathStalker APT actors have gone to considerable lengths to keep PowerPepper away from malware analysts, modern anti-virus products are capable of identifying and removing this threat. Given the malware's focus on evasion, though, organizations should not rely on a single scanner: keep endpoint protection current, log and review script execution on endpoints, and monitor outbound DNS for signs of command-and-control traffic.
