Cybersecurity researchers on Thursday disclosed details of a previously undiscovered in-memory Windows backdoor developed by a hacker-for-hire operation that can execute remotely malicious code and steal sensitive information from its targets in Asia, Europe, and the US.
Dubbed “PowerPepper” by Kaspersky researchers, the malware has been attributed to the DeathStalker group (formerly called Deceptikons), a threat actor that has been found to hit law firms and companies in the financial sector located in Europe and the Middle East at least since 2012.
The hacking tool is so-called because of its reliance on steganographic trickery to deliver the backdoor payload in the form of an image of ferns or peppers.
The espionage group first came to light earlier this July, with most of their attacks starting with a spear-phishing email containing a malicious modified LNK (shortcut) file that, when clicked, downloads and runs a PowerShell-based implant named Powersing.
While their objectives don’t appear to be financially motivated, their continued interest in collecting crucial business information led Kaspersky to the conclusion that “DeathStalker is a group of mercenaries offering hacking-for-hire services, or acting as some sort of information broker in financial circles.”
images from Hacker News