Researchers at Kaspersky Lab have discovered a previously undocumented PowerShell backdoor for Windows. The malware, named PowerPepper, was developed by the hacker-for-hire group DeathStalker.
DeathStalker, previously tracked under the name Deceptikons, has been active since around 2012. The group typically uses a range of different malware families and complex delivery chains, and goes to considerable lengths to keep its malware undetected and to evade whatever security products it encounters.
Its targets include organizations in various parts of the world, and in some cases the motives behind its attacks can only be guessed at.
Kaspersky Lab first encountered a sample of PowerPepper in May 2020, and since then its authors have been continuously extending and improving it. It is a fairly sophisticated backdoor that lets operators execute shell commands remotely via DeathStalker's command-and-control (C2) server.
Newer versions of the malware also carry anti-analysis measures: they can check for mouse movement (a sandbox or automated analysis system typically shows none), filter on the victim machine's MAC address, and use other techniques to hinder examination by security researchers.
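To make the two named evasion checks concrete, here is an added, illustrative PowerShell example of how such checks are commonly implemented. It is not PowerPepper's code and is not taken from Kaspersky's report; the function names, the sampling interval and the list of virtualisation-vendor MAC prefixes are assumptions made for the example.

```powershell
# Added example: sandbox-evasion checks of the kind described above.
# Hypothetical code for illustration only; NOT PowerPepper's own implementation.

function Test-MouseMovement {
    # Returns $true if the cursor moved during the sampling window.
    # A human-operated desktop almost always moves the mouse; an automated
    # sandbox that never simulates input does not.
    param([int]$SampleSeconds = 5)   # interval is an assumption, not a known PowerPepper value
    Add-Type -AssemblyName System.Windows.Forms
    $start = [System.Windows.Forms.Cursor]::Position
    Start-Sleep -Seconds $SampleSeconds
    $end = [System.Windows.Forms.Cursor]::Position
    return (($start.X -ne $end.X) -or ($start.Y -ne $end.Y))
}

function Test-VirtualMacPrefix {
    # Returns $true if any active adapter's MAC address starts with an OUI
    # assigned to a virtualisation vendor. The prefix list below is an
    # assumed, illustrative set (VMware, VirtualBox, Hyper-V ranges), not one
    # attributed to the malware.
    $vmPrefixes = @('00:05:69', '00:0C:29', '00:1C:14', '00:50:56', '08:00:27', '00:15:5D')
    $macs = Get-NetAdapter | Where-Object Status -eq 'Up' |
            Select-Object -ExpandProperty MacAddress
    foreach ($mac in $macs) {
        # Get-NetAdapter reports MACs as 'AA-BB-CC-DD-EE-FF'; normalise to colons
        $prefix = ($mac -replace '-', ':').Substring(0, 8).ToUpper()
        if ($vmPrefixes -contains $prefix) { return $true }
    }
    return $false
}

# Decision logic a malware loader might apply: run only on a machine that
# looks like a real, human-used host.
if (-not (Test-MouseMovement) -or (Test-VirtualMacPrefix)) {
    Write-Output 'Analysis environment suspected: exiting without running payload.'
    exit
}
Write-Output 'Host looks like a real workstation: continuing.'
```

For defenders, the practical consequence is the inverse of the checks: detonation sandboxes should simulate mouse input over the whole run and present non-virtualisation MAC prefixes and hardware identifiers, otherwise a sample like this simply exits cleanly and its C2 traffic is never observed.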
Kaspersky Lab also noted that the PowerPepper delivery chain changed somewhat between July and November 2020. Only the names of the malicious files, the links and parts of the code changed, however; the delivery logic itself remained the same.