All-new Windows 10 malware is excellent at evading detection

Malware Magnifying Glass
(Image credit: Andriano.cz / Shutterstock)

Security researchers at Kaspersky have discovered a new malware strain developed by the hacker-for-hire group DeathStalker that has been designed to avoid detection on Windows PCs.

While the threat actor has been active since at least 2012, DeathStalker first drew Kaspersky's attention back in 2018 because of its distinctive attack characteristics which didn't resemble those employed by cybercriminals or state-sponsored hackers. 

The group is known for using a wide range of malware strains and complex delivery chains in its attacks but the tactics used to evade detection are what really make it stand out.

Kaspersky discovered DeathStalker's new PowerPepper implant in May of this year while conducting research into other attacks that utilized the group's PowerShell-based Powersing implant. Since its discovery, new versions of PowerPepper have been developed and deployed by the group which also adapted the malware's delivery chains to reach new targets.

PowerPepper malware

The new PowerPepper malware is an in-memory Windows PowerShell-based backdoor that has the capability to allow its operators to execute shell commands remotely from a command-and-control (C2) server.

As is the case with DealthStalker's previous work, PowerPepper tries to evade detection or sandboxes execution on Windows 10 using various tricks such as detecting mouse movements, filtering a client's MAC addresses and adapting its execution flow depending on which antivirus products are installed on a target system. The malware is spread via spear phishing email attachments or by links to documents that contain malicious Visual Basic for Application (VBA) macros that execute PowerPepper and gain persistence on infected systems. 

PowerPepper also uses a number of delivery chain evasion tricks such as hiding payloads in Word embedded shapes properties, using Windows Compiled HTML (CHM) files as archives for malicious files, masquerading and obfuscating persistent files, hiding payloads within images using steganography, getting lost in Windows shell commands translation and executing via a signed binary proxy execution.

Kaspersky's Pierre Delcher provided further insight on how PowerPepper communicates with its C2 server in a new report, saying:

“The implant’s C2 logic stands out, as it is based on communications via DNS over HTTPS (DoH), using CloudFlare responders. PowerPepper first tries to leverage Microsoft’s Excel as a Web client to send DoH requests to a C2 server, but will fall back to PowerShell’s standard web client, and ultimately to regular DNS communications, if messages cannot get through.”

In order to avoid falling victim to PowerPepper, users should avoid opening attachments or clicking on links in emails from unknown senders as well as enabling macros in documents from unverified sources.

Via BleepingComputer

Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home. 

Latest in Security
Data Breach
Thousands of healthcare records exposed online, including private patient information
China
Juniper patches security flaws which could have let hackers take over your router
Representational image depecting cybersecurity protection
GitLab has patched a host of worrying security issues
Ai tech, businessman show virtual graphic Global Internet connect Chatgpt Chat with AI, Artificial Intelligence.
AI agents can be hijacked to write and send phishing attacks
China
Volt Typhoon threat group had access to American utility networks for the best part of a year
Abstract image of cyber security in action.
MassJacker malware targets those looking for pirated software
Latest in News
Google Pixel 8a in aloe green showing
Google Pixel 9a benchmark link teases the performance of the upcoming mid-ranger
Quordle on a smartphone held in a hand
Quordle hints and answers for Monday, March 17 (game #1148)
NYT Strands homescreen on a mobile phone screen, on a light blue background
NYT Strands hints and answers for Monday, March 17 (game #379)
NYT Connections homescreen on a phone, on a purple background
NYT Connections hints and answers for Monday, March 17 (game #645)
Apple iPhone 16 Pro HANDS ON
Leaked iPhone 17 dummy units may have given us our best look yet at all four models
A super close up image of the Google Gemini app in the Play Store
It's official: Google Assistant will be retired for phones this year, with Gemini taking over