All-new Windows 10 malware is excellent at evading detection

Malware Magnifying Glass
(Image credit: Andriano.cz / Shutterstock)

Security researchers at Kaspersky have discovered a new malware strain developed by the hacker-for-hire group DeathStalker that has been designed to avoid detection on Windows PCs.

While the threat actor has been active since at least 2012, DeathStalker first drew Kaspersky's attention back in 2018 because of its distinctive attack characteristics which didn't resemble those employed by cybercriminals or state-sponsored hackers. 

The group is known for using a wide range of malware strains and complex delivery chains in its attacks but the tactics used to evade detection are what really make it stand out.

Kaspersky discovered DeathStalker's new PowerPepper implant in May of this year while conducting research into other attacks that utilized the group's PowerShell-based Powersing implant. Since its discovery, new versions of PowerPepper have been developed and deployed by the group which also adapted the malware's delivery chains to reach new targets.

PowerPepper malware

The new PowerPepper malware is an in-memory Windows PowerShell-based backdoor that has the capability to allow its operators to execute shell commands remotely from a command-and-control (C2) server.

As is the case with DealthStalker's previous work, PowerPepper tries to evade detection or sandboxes execution on Windows 10 using various tricks such as detecting mouse movements, filtering a client's MAC addresses and adapting its execution flow depending on which antivirus products are installed on a target system. The malware is spread via spear phishing email attachments or by links to documents that contain malicious Visual Basic for Application (VBA) macros that execute PowerPepper and gain persistence on infected systems. 

PowerPepper also uses a number of delivery chain evasion tricks such as hiding payloads in Word embedded shapes properties, using Windows Compiled HTML (CHM) files as archives for malicious files, masquerading and obfuscating persistent files, hiding payloads within images using steganography, getting lost in Windows shell commands translation and executing via a signed binary proxy execution.

Kaspersky's Pierre Delcher provided further insight on how PowerPepper communicates with its C2 server in a new report, saying:

“The implant’s C2 logic stands out, as it is based on communications via DNS over HTTPS (DoH), using CloudFlare responders. PowerPepper first tries to leverage Microsoft’s Excel as a Web client to send DoH requests to a C2 server, but will fall back to PowerShell’s standard web client, and ultimately to regular DNS communications, if messages cannot get through.”

In order to avoid falling victim to PowerPepper, users should avoid opening attachments or clicking on links in emails from unknown senders as well as enabling macros in documents from unverified sources.

Via BleepingComputer

Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home. 

Latest in Security
Data leak
Hacked Tata Technologies data leaked by ransomware gang
A close-up photo of an iPhone, with the App Store icon prominent in the center of the image.
Thousands of iOS apps found to expose user data and leak Stripe keys
China
Chinese hackers targeting Juniper Networks routers, so patch now
Google Chrome dark mode
Google updates Chrome extension rules to ban affiliate link injection without user action or benefit
Abstract image of robots working in an office environment including creating blueprint of robot arm, making a phone call, and typing on a keyboard
This worrying botnet targets unsecure TP-Link routers - thousands of devices already hacked
Avast cybersecurity
UK cybersecurity sector could be worth £13bn, research shows
Latest in News
UK Prime Minister Sir Kier Starmer
UK PM says AI should soon replace civil servants
Eight Samsung TVs mounted to the wall showing different basketball games
Samsung is offering you 8 new TVs in one bundle for March Madness, in case you want to watch all games at once like a Bond villain’s lair
The Steam Logo on a mobile phone in front of a wall of games.
Today’s Steam Spring Sale features my absolute favorite game of all time - here's when the sale starts and all the key info
Apple iPhone 16 Pro Max REVIEW
The latest iPhone 17 Pro Max leak may have given us another look at its upcoming redesign
Half-Life running on a smartwatch
This Redditor installed a game engine on their smartwatch, and now it runs Doom, Quake, and Half-Life
Samsung Galaxy Z Fold 6
The Samsung Galaxy Z Fold 7 could be in line for a Galaxy S25 Ultra-level camera upgrade