Hackers constantly refine their attacks to achieve their goals. We already know that there are many varieties of malware that can steal our data and passwords, compromise our privacy or put the proper functioning of systems at risk. It should also be noted that we can use numerous security tools to protect ourselves. The problem is that attackers are frequently able to bypass those protection measures. In this article we report on PowerPepper, a new malware that evades antivirus protection to attack Windows.
PowerPepper, the malware that bypasses the antivirus
Windows is the most widely used operating system on desktop computers. This leads cybercriminals to focus on it when creating malicious software capable of infecting these devices. Sometimes that software even gets past the security barriers that are increasingly available to us.

This is what happens with PowerPepper, a new malware created by the DeathStalker group that is capable of bypassing Windows antivirus in order to attack the system. According to the security researchers whose findings we are reporting, the attackers have created a new malvertising campaign to deliver this malware.
What they do is host their content in a hidden way on services as popular as YouTube or Twitter in order to reach the victims. However, the most peculiar thing about this case is that it manages to evade security measures, which allows it to pass without being detected as a threat.
Security researchers indicate that PowerPepper leveraged DNS over HTTPS as a C2 channel. The attackers have also used spear phishing attacks. In this way they manage to reach the victim and use a Word document that contains the payload.

PowerShell backdoor
This malware is a PowerShell backdoor that runs in Windows memory and can be controlled remotely. It uses different techniques, among which we can name detecting mouse movement, filtering MAC addresses and evading antivirus.
The command and control server used for this campaign relies on communications through DNS over HTTPS (DoH). To issue a DoH request to a C2 server, PowerPepper first tries to use the Microsoft Excel program as a web client and then falls back to the standard PowerShell web client.
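The detail that the DoH requests come from Excel and then PowerShell, rather than from a browser, is what a defender can look for. The following is an added example, not code from the original article or from the researchers' report: it scans constructed proxy log lines (the format, hostnames and process list are assumptions) and flags DoH-style requests (RFC 8484 `application/dns-message` content type or the conventional `/dns-query` path) made by Office or scripting processes, while leaving browsers, which legitimately use DoH, alone.

```python
import re
from urllib.parse import urlparse

# Constructed sample log lines (not real telemetry). Assumed format: one
# request per line with process=, url= and content_type= fields.
SAMPLE_LOG = """\
t=1 process=chrome.exe url=https://www.example.test/ content_type=text/html
t=2 process=excel.exe url=https://resolver.example.test/dns-query?dns=AAABAAAB content_type=application/dns-message
t=3 process=powershell.exe url=https://resolver.example.test/dns-query content_type=application/dns-message
t=4 process=firefox.exe url=https://resolver.example.test/dns-query content_type=application/dns-message
t=5 process=excel.exe url=https://updates.example.test/office.cab content_type=application/octet-stream
"""

LINE_RE = re.compile(r"process=(\S+)\s+url=(\S+)\s+content_type=(\S+)")

# Processes that are expected DoH clients (browsers); assumed allowlist.
EXPECTED_DOH_CLIENTS = {"chrome.exe", "firefox.exe", "msedge.exe"}

# Processes that should never need to resolve names over HTTPS themselves.
WATCHED_PROCESSES = {"excel.exe", "winword.exe", "powershell.exe", "pwsh.exe"}


def is_doh_request(url: str, content_type: str) -> bool:
    """True if the request looks like RFC 8484 DNS over HTTPS."""
    path = urlparse(url).path
    return content_type.lower() == "application/dns-message" or path.endswith("/dns-query")


def suspicious_doh_clients(log_text: str):
    """Return (process, url) pairs for DoH requests from watched processes."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        process, url, content_type = m.groups()
        process = process.lower()
        if process in EXPECTED_DOH_CLIENTS:
            continue
        if process in WATCHED_PROCESSES and is_doh_request(url, content_type):
            hits.append((process, url))
    return hits


if __name__ == "__main__":
    for process, url in suspicious_doh_clients(SAMPLE_LOG):
        print(f"DoH from unexpected process {process}: {url}")
```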
To protect ourselves from this problem it is very important to keep systems and devices properly updated. Security researchers also recommend that website owners frequently update their CMS and all installed plug-ins to avoid PowerPepper.
In addition, common sense is essential. It is very important that we do not make mistakes that could lead to the entry of this type of malicious software. We have seen that they use Microsoft Word files to deliver the payload and infect computers. These threats can arrive through malicious emails, with attachments that we download without thinking and that can become a significant problem. Therefore, we must always avoid these kinds of errors.
In an earlier article we discussed why antivirus alone is not enough to protect us online. We must always take into account all the necessary security measures to avoid problems.