PULSE NAME
“Hack-for-hire” DeathStalker Actor Uses New PowerPepper Implant
WHITE DeathStalker AlienVault 2020-12-03 Modified: 2020-12-03
30 IOCs, medium volume
"While tracking DeathStalker’s Powersing-based activities in May 2020, we detected a previously unknown implant that leveraged DNS over HTTPS as a C2 channel, as well as parts of its delivery chain. We named this new malware “PowerPepper”. We first spotted a variant of PowerPepper in the wild in mid-July 2020, as dropped from a Word Document that had been submitted on a public multiscanner service. The PowerPepper implant and associated delivery chain have been continuously developed and operated since."
Indicators of Compromise (30)