PowerPepper Backdoor

Summary

PowerPepper is an advanced backdoor implant used by the DeathStalker APT group as a first-stage implant in attacks against banking, financial technology, and government organisations globally.


Affected platforms

The following platforms are known to be affected:

Threat details

Introduction

First observed in early May 2020, PowerPepper is a fileless PowerShell backdoor created by the DeathStalker advanced persistent threat group for use in their own campaigns.


Delivery

PowerPepper is delivered by two distinct methods, both of which are believed to begin with a spear-phishing email. The first method uses a malicious Microsoft Word document, sent either as an attachment or downloaded via an LNK file in the email. When the document is opened, several VBA macros within it execute and in turn decrypt an embedded PNG file containing a steganographically hidden PowerPepper payload. A second macro then executes this payload directly in memory.

Newer PowerPepper infections discard the VBA macros, instead using PowerShell scripts embedded directly in the LNK file. These scripts then pull a number of JPG and PNG files, again containing steganographically hidden PowerPepper payloads, from the Word document.


Activities

Once delivered, PowerPepper gathers system and user information and sends it to a command and control (C2) server over DNS over HTTPS (DoH), using Cloudflare's 1.1.1.1 resolver. Notably, PowerPepper first attempts to use Microsoft Excel as its web client, falling back to PowerShell's own client if that fails.

Once successfully connected to a C2 server, PowerPepper drops a keylogger as well as a MAC address filtering module. It can also execute secondary PowerShell scripts in order to download and install new payloads.
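The delivery and C2 behaviours described in the two sections above translate into three host-level detections: PowerShell launched from Explorer with hidden or encoded flags (consistent with an LNK-embedded script), PowerShell spawned by an Office application (macro execution), and DoH traffic to 1.1.1.1 from a process that is not a browser (Excel or PowerShell acting as the web client). The following is an added example, not part of the advisory or NHS Digital's tooling. It runs those rules over constructed telemetry in a Sysmon-like pipe-separated format; the event format, the rule names, the `203.0.113.10` address and the additional Cloudflare DoH endpoints (`1.0.0.1`, `cloudflare-dns.com`) are assumptions of this example.

```python
"""Detection rules for the PowerPepper delivery and C2 behaviours described
in the advisory, run over constructed telemetry. Added example code, not
NHS Digital's tooling."""
import re

# Constructed sample events, loosely modelled on Sysmon process-creation and
# network-connection records. Format: time|kind|key=value|key=value|...
# 203.0.113.10 is a documentation-range placeholder, not a real indicator.
SAMPLE_EVENTS = r"""
2020-12-01T09:58:10Z|process|image=C:\Windows\explorer.exe|parent=C:\Windows\System32\userinit.exe|cmd=explorer.exe
2020-12-01T10:00:01Z|process|image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|parent=C:\Windows\explorer.exe|cmd=powershell.exe -NoP -W Hidden -EncodedCommand BASE64PLACEHOLDER
2020-12-01T10:00:05Z|process|image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|parent=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|cmd=powershell.exe -nop -w hidden -c SCRIPTPLACEHOLDER
2020-12-01T10:00:09Z|network|image=C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE|dst=1.1.1.1|port=443
2020-12-01T10:00:12Z|network|image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|dst=203.0.113.10|port=443|sni=cloudflare-dns.com
2020-12-01T10:01:00Z|network|image=C:\Program Files\Mozilla Firefox\firefox.exe|dst=1.1.1.1|port=443
2020-12-01T10:02:00Z|process|image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|parent=C:\Windows\System32\cmd.exe|cmd=powershell.exe Get-Process
"""

# 1.1.1.1 is from the advisory; the other two are Cloudflare's companion DoH
# endpoints (assumption of this example). Browsers legitimately use DoH, so
# they are allow-listed for the network rule.
DOH_RESOLVERS = {"1.1.1.1", "1.0.0.1", "cloudflare-dns.com"}
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Hidden-window, no-profile or encoded-command switches, any abbreviation.
SUSPICIOUS_PS_FLAGS = re.compile(r"-(enc\w*|w(indowstyle)?\s+hidden|nop\w*)", re.I)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_event(line: str) -> dict:
    """Split one pipe-separated record into a field dictionary."""
    parts = line.split("|")
    event = {"time": parts[0], "kind": parts[1]}
    for field in parts[2:]:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def evaluate(event: dict) -> list:
    """Return the names of every rule this single event triggers."""
    hits = []
    image = basename(event.get("image", ""))
    if event["kind"] == "process" and image == "powershell.exe":
        parent = basename(event.get("parent", ""))
        cmd = event.get("cmd", "")
        if parent in OFFICE_APPS:
            hits.append("office_spawned_powershell")
        if parent == "explorer.exe" and SUSPICIOUS_PS_FLAGS.search(cmd):
            # Explorer is the parent when a user double-clicks an LNK file.
            hits.append("hidden_powershell_from_explorer")
    elif event["kind"] == "network":
        dst, sni = event.get("dst", ""), event.get("sni", "")
        is_doh = (dst in DOH_RESOLVERS or sni in DOH_RESOLVERS) and event.get("port") == "443"
        if is_doh and image not in BROWSERS:
            hits.append("doh_from_non_browser")
    return hits


def run_rules(text: str) -> list:
    """Apply the rules to every record; returns (time, rule, image) tuples."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        for rule in evaluate(event):
            alerts.append((event["time"], rule, basename(event.get("image", ""))))
    return alerts


if __name__ == "__main__":
    for time, rule, image in run_rules(SAMPLE_EVENTS):
        print(f"{time} {rule:32} {image}")
```

The Firefox record is deliberately included: port 443 to 1.1.1.1 from a browser is ordinary DoH and produces no alert, while the same connection from Excel or PowerShell does. Tuning the allow-list to the browsers actually deployed in your estate is the main work of putting a rule like this into production.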


Remediation advice

To prevent and detect an infection, NHS Digital advises that:

  • Secure configurations are applied to all devices.
  • Security updates are applied at the earliest opportunity.
  • Tamper protection settings in security products are enabled where available.
  • Obsolete platforms are segregated from the rest of the network.
  • IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
  • Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
  • Administrative accounts are only used for necessary purposes.
  • Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
  • Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.

Please note that NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.


Indicators of compromise

Network indicators

Domains

  • allmedicalpro[.]com
  • footersig.pythonanywhere[.]com
  • globalsignature.pythonanywhere[.]com
  • gofinancesolutions[.]com
  • mailservice.pythonanywhere[.]com
  • mailservices.pythonanywhere[.]com
  • mailsignature.pythonanywhere[.]com
  • mailsigning.pythonanywhere[.]com
  • mediqhealthcare[.]com

URLs

  • https://1drv[.]ws/w/s!AvXRHBXCKmvYeFdjVtZN0Quljs4?e=dnA6GG
  • https://1drv[.]ws/w/s!AvXRHBXCKmvYd1921tVEMKWaCUs?e=MyoVNF
  • https://1drv[.]ws/w/s!AvXRHBXCKmvYdcbz1YwTJRkOxP4?e=u5wtbX
  • https://1drv[.]ws/w/s!AvXRHBXCKmvYdifkocKujNavvjY?e=hhuBV8
  • https://1drv[.]ws/w/s!AvXRHBXCKmvYe1ulhtazjNVvCqY?e=WptVTC
  • https://1drv[.]ws/w/s!AvXRHBXCKmvYeePNerfsAWK0qVY?e=e4SsYM
  • https://1drv[.]ws/w/s!AvXRHBXCKmvYejBpdekg1WUCM9M?e=UkhU10
  • https://outlookusers.page[.]link/
  • https://www.gsn-nettoyage[.]com/wp-snapshots/1.docx
  • https://www.gsn-nettoyage[.]com/wp-snapshots/btoken.php
  • https://www.gsn-nettoyage[.]com/wp-snapshots/etoken.php
  • https://www.gsn-nettoyage[.]com/wp-snapshots/Quote 16 db room.docx

Email addresses

  • a.christy_inbox@outlook[.]com

Host indicators

Filepaths

  • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk
  • %APPDATA%\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\StartPrinter.url
  • %PROGRAMDATA%\MyPrinter\NewFile.vbs
  • %PROGRAMDATA%\MyPrinter\Web.lnk
  • %PROGRAMDATA%\Printers\NewFile.vbs
  • %PROGRAMDATA%\Printers\Web.lnk
  • %PROGRAMDATA%\Support\licenseverification.vbs
  • %PROGRAMDATA%\Support\licenseverify.vbs

MD5 hashes

  • 07308fbc3d10fd476f1898ecf6762437
  • 1dc2b849a858bc479b1ef428491e0353
  • 1f77fbe4702f787a713d394b62d27b42
  • 34f086ae78c5319fb64bf1cae8204d1b
  • 3a6099214f474c1501c110ce66033f3c
  • 5019e29619469c74f2b826535c5a8bd8
  • 5d04d246f3e5da6a9347ec72494d5610
  • 6e99f6da77b0620e89f6e88d91198c32
  • 6ff8a3d18a6ea930e87ac364379ecec2
  • 74d7df2505471eadeb1ccfc48a238aec
  • 81147edffaf63ae4068008c8235b34af
  • 871d64d8330d956593545dfff069194e
  • 9ce299bbdd7fdbf9f30f8935c89d2877
  • 9d4066c57c6e1602ce33f15dc7f3841b
  • a4dd981606ea0497bf9995f3bc672951
  • b4790e70b1297215e0875cfc2a56648e
  • ba7ae1c73a78d8dc4b3779bd6a151791
  • dfc2486de9e0339a1b38bb4b9144ea83
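The indicators above are published defanged (`[.]` for `.`) and with environment-variable prefixes in the file paths, so they cannot be compared to telemetry as written. The following is an added example, not part of the advisory or NHS Digital's tooling, showing how to refang the domains, de-duplicate the hash list, and match the paths by suffix so that `%PROGRAMDATA%\MyPrinter\NewFile.vbs` matches whatever the variable expands to on a given host. A subset of the advisory's indicators is embedded; the DNS queries and file inventory it is run against are constructed for the example.

```python
"""Match the advisory's defanged indicators against host and DNS telemetry.
Added example; not NHS Digital's tooling. Indicator values are copied from
the advisory; the observations further down are constructed."""
import re

DOMAINS = [
    "allmedicalpro[.]com",
    "footersig.pythonanywhere[.]com",
    "mailservice.pythonanywhere[.]com",
    "mediqhealthcare[.]com",
]
MD5_HASHES = [
    "07308fbc3d10fd476f1898ecf6762437",
    "871d64d8330d956593545dfff069194e",
    "871d64d8330d956593545dfff069194e",  # listed twice; de-duplicated below
]
FILEPATHS = [
    r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk",
    r"%PROGRAMDATA%\MyPrinter\NewFile.vbs",
    r"%PROGRAMDATA%\Support\licenseverify.vbs",
]


def refang(indicator: str) -> str:
    """Turn the published defanged form back into the literal value."""
    return indicator.replace("[.]", ".")


def path_suffix(indicator: str) -> str:
    """Drop the leading %VAR% so the indicator matches any expansion of it."""
    return re.sub(r"^%[A-Za-z]+%", "", indicator).lower()


DOMAIN_SET = {refang(d).lower() for d in DOMAINS}
HASH_SET = {h.lower() for h in MD5_HASHES}          # set() removes the repeat
PATH_SUFFIXES = {path_suffix(p) for p in FILEPATHS}


def domain_matches(query: str) -> bool:
    """Exact match or a subdomain of a listed domain; never a parent domain."""
    q = query.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in DOMAIN_SET)


def path_matches(path: str) -> bool:
    """Case-insensitive suffix match against the expanded-prefix-free indicator."""
    return any(path.lower().endswith(s) for s in PATH_SUFFIXES)


def match_indicators(dns_queries, file_inventory):
    """Return (kind, value) hits for DNS queries and (path, md5) file records."""
    hits = []
    for query in dns_queries:
        if domain_matches(query):
            hits.append(("domain", query))
    for path, md5 in file_inventory:
        if path_matches(path):
            hits.append(("path", path))
        if md5.lower() in HASH_SET:
            hits.append(("md5", md5))
    return hits


# Constructed observations: a resolver log and a file inventory from one host.
SAMPLE_DNS = [
    "www.example.com",
    "mailservice.pythonanywhere.com",
    "pythonanywhere.com",            # parent of a listed domain: must not match
    "cdn.allmedicalpro.com",         # subdomain of a listed domain: matches
    "mediqhealthcare.com.",          # trailing dot as some resolvers log it
]
SAMPLE_FILES = [
    (r"C:\ProgramData\MyPrinter\NewFile.vbs", "871d64d8330d956593545dfff069194e"),
    (r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk",
     "d41d8cd98f00b204e9800998ecf8427e"),  # constructed hash, not an indicator
    (r"C:\Windows\notepad.exe", "00000000000000000000000000000000"),
]

if __name__ == "__main__":
    for kind, value in match_indicators(SAMPLE_DNS, SAMPLE_FILES):
        print(f"{kind:6} {value}")
```

Suffix matching on the path is what makes the `%APPDATA%` indicator usable: the startup-folder LNK lands under each user's own profile, so the prefix differs per user while the tail of the path is fixed. A hit on the path alone (as with `System.lnk` here) is worth investigating even when the hash does not match, since the advisory's hash list cannot cover every build.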

Last edited: 10 December 2020 4:24 pm