An Iranian-linked advanced persistent threat group has upgraded its malware toolset with a new PowerShell-based installation called PowerLess backdoor ,, according to Cybereason’s latest research.
The Boston-headquartered cybersecurity company attributed the malware to a hacking group known as Charming Kitten (aka Phosphorous, APT35, or TA453), while also calling out the backdoor’s evasive PowerShell execution.
“The PowerShell code runs in the context of a .NET application, thus not launching ‘powershell.exe’ which enables it to evade security products,” Daniel Frank, senior malware researcher at Cybereason, said. The toolset we analyzed contains extremely modular and multi-staged malware. It decrypts and then deploys additional payloads at different stages to increase stealth and effectiveness. “
The threat actor, which is active since at least 2017, has been behind a series of campaigns in recent years, including those wherein the adversary posed as journalists and scholars to deceive targets into installing malware and stealing classified information.
Earlier this month, Check Point Research disclosed details of an espionage operation that involved the hacking group exploiting the Log4Shell vulnerabilities to deploy a modular backdoor dubbed CharmPower for follow-on attacks.
The latest additions to the arsenal of its toolset, as seen by Cybereason constitute an entirely new toolkit that includes the PowerLess Backdoor. This module is capable downloading and execution additional modules like a browser information-stealer or a keylogger.
Also potentially linked to the same developer of the backdoor are a number of other malware artifacts, counting an audio recorder, an earlier variant of the information stealer, and what the researchers suspect to be an unfinished ransomware variant coded in .NET.
Furthermore, infrastructure overlaps have been identified between the Phosphorus group and a new ransomware strain called Memento, which first emerged in November 2021 and took the unusual step of locking files within password-protected archives, followed by encrypting the password and deleting the original files, after their attempts to encrypt the files directly were blocked by endpoint protection.
“The activity of Phosphorus with regard to ProxyShell took place in about the same time frame as Memento,” Frank said. According to Frank, Iranian threat actors also turned to ransomware in that time frame. This strengthens the theory that Memento was operated by Iranian threat actors. “