|
What did DeathStalker hide between two ferns?
|
Posts: 14,228
Threads: 9,428
Thanks Received: 8,996 in 7,147 posts
Thanks Given: 9,747
Joined: 12 September 18
05 December 20, 08:08
Quote:
And other mercenary tricks
Contents
DeathStalker is a threat actor that’s been active since at least 2012, and we exposed most of their past activities in a previous article, as well as during a GREAT Ideas conference in August 2020. The actor drew our attention in 2018 because of distinctive attack characteristics that didn’t fit in with the usual cybercrime or state-sponsored activities, leading us to believe DeathStalker is a hack-for-hire group..
DeathStalker has leveraged several malware strains and delivery chains over the years, from the Python- and VisualBasic-based Janicab to the PowerShell-based Powersing and the JavaScript-based Evilnum. The actor consistently used what we call “dead-drop resolvers” (DDRs), which is obfuscated content hosted on major public web services like YouTube, Twitter or Reddit; once decoded by malware this content reveals a command-and-control (C2) server address.
DeathStalker also consistently leveraged anti-detection and antivirus evasion techniques, as well as intricate delivery chains that drop lots of files to the target’s filesystems. To kick-start an infection, DeathStalker usually relies on spear-phishing emails with attachments, or links to public file sharing services, as well as script execution based on Windows shortcuts. We have identified how DeathStalker’s malware compromises in clusters or targets various types of entities in all parts of the world, with a possible focus on law and consultancy offices, as well as FINTECH companies, but without a clearly identifiable or consistent interest.
The targeting does not seem to be politically or strategically defined and doesn’t appear to be the usual financially motived crime. Because of this, we conclude that DeathStalker is a cyber-mercenary organization.
While tracking DeathStalker’s Powersing-based activities in May 2020, we detected a previously unknown implant that leveraged DNS over HTTPS as a C2 channel, as well as parts of its delivery chain. We named this new malware PowerPepper. We first spotted a variant of PowerPepper in the wild in mid-July 2020, dropped from a Word document that had been submitted on a public multiscanner service. Since then, the PowerPepper implant and the associated delivery chain has been continuously operating and developing.
Meet PowerPepper: the spicy implant that your bland scripts setup needed
PowerPepper implant
PowerPepper is a Windows in-memory PowerShell backdoor that can execute remotely sent shell commands. In strict accordance with DeathStalker’s traditions, the implant will try to evade detection or sandboxes execution with various tricks such as detecting mouse movements, filtering the client’s MAC addresses, and adapting its execution flow depending on detected antivirus products.
The implant’s C2 logic stands out, as it is based on communications via DNS over HTTPS (DoH), using CloudFlare responders. PowerPepper first tries to leverage Microsoft’s Excel as a Web client to send DoH requests to a C2 server, but will fall back to PowerShell’s standard web client, and ultimately to regular DNS communications, if messages cannot get through.
C2 communications content between the implant and servers is encrypted. We noticed that PowerPepper and the previously described Powersing use an almost identical PowerShell implementation of AES encryption, with only the AES padding mode and a function input format being changed.
PowerPepper DNS command and control
PowerPepper regularly polls a C2 server for commands to execute. In order to do so, the implant sends TXT-type DNS requests (with DoH or plain DNS requests if the former fails) to the name servers (NS) that are associated with a malicious C2 domain name. If the target which runs the implant is validated (we cover that later), the server replies with a DNS response, embedding an encrypted command. Both requests and responses contain patterns that can be easily detected with network intrusion detection systems, but the patterns have been changed across implant variants.
The command execution results are sent back to the server through a batch of variable-length A-type DNS requests, where queried hostnames contain an identifier, data length, and encrypted data.
Quote:# Command result feedback initialization DNS request hostname: .be.0.0.1.0.0.0.0.# Command result feedback data slices DNS requests hostnames: .ef.1.0.1.3.BDA2ADBE3C79C9EF6630.DDD4B8D4504FEC348C9C.2F53BFB60C1890585CF7. .ef.2.0.1.3.72DE8DDB802C4829B2DE.40CB7163E83DE0B4A002.6B6C2E555A931721A525. .ef.3.0.1.2.1699380DBABAB113D32B.7869501E5FEDD524304B.0. # Command result feedback termination DNS request hostname: .ca.4.0.1.00.0.0.0.
During the course of our investigations, we noticed that the PowerPepper C2 name servers were actually open DNS resolvers that always resolved arbitrary hostnames with the same IP addresses: 128.49.4.4 (a US Navy-owned server), 91.214.6.100 and 91.214.6.101 (HSBC UK-owned servers). Using this fact and historical reverse DNS resolutions data, we have been able to preemptively identify the PowerPepper C2 domains.
PowerPepper signaling and target validation
On top of the DNS C2 communication logic, PowerPepper also signals successful implant startup and execution flow errors to a Python backend, through HTTPS. Such signaling enables target validation and implant execution logging, while preventing researchers from interacting further with the PowerPepper malicious C2 name servers. It has also been used directly from some of the malicious documents that were involved in PowerPepper delivery, through the “Links to Files” feature in Office documents.
The signaling Python backends were hosted on a public and legitimate content hosting web service named PythonAnywhere that allows users to build websites. The discovered Python backend endpoints were shut down by PythonAnywhere in coordination with us. As a result, DeathStalker tried to adapt the signaling feature by removing it from most PowerPepper delivery documents (but keeping it in the implant itself), and by adding a legitimate but compromised WordPress website as a reverse-proxy between implants and backends.
...
Continue Reading
|
Users browsing this thread: 1 Guest(s)
|
|
Welcome
|
You have to register before you can post on our site.
|
|
Online Staff
|
| There are no staff members currently online. |
|
 
|
What did DeathStalker hide between two ferns?
![[Image: DeathStalker_hide_01.png]](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/12/01155742/DeathStalker_hide_01.png)
![[-]](https://www.geeks.fyi/images/collapse.png "[-]")
