Iranian Charming Kitten Adds PowerShell Back Door

The Cybereason Nocturnus Team discuss PowerLess Trojan: Iranian APT Phosphorus Adds New PowerShell Backdoor for Espionage. They observed an uptick in the activity of the Iranian group dubbed Phosphorus (AKA Charming Kitten, APT35), known for previously attacking medical research organizations in the US and Israel in 2020, and for targeting academic researchers in the US, France, and the Middle East.

KEY FINDINGS

• Novel PowerShell Backdoor: A novel and previously undocumented PowerShell backdoor related to the Phosphorus group … dubbed PowerLess Backdoor. It supports downloading additional payloads, such as a keylogger and an info stealer.
• Evasive PowerShell Execution: The PowerShell code runs in the context of a .NET application, thus not launching “powershell.exe” which enables it to evade security products.
• Modular Malware: … extremely modular, multi-staged malware that decrypts and deploys additional payloads in several stages for the sake of both stealth and efficacy.
• Wide Range of Open Source Tools: … activity observed involved a variety of publicly available tools, such as cryptography libraries, weaponizing them for payloads and communication encryption.
• Shared IOCs with Memento Ransomware: One of the IP addresses serves a domain which is being used as command and control (C2) for the recently discovered Memento Ransomware.
• Phosphorus Threat Group: The Phosphorus Threat Group was previously spotted attacking research facilities in multiple regions such as the US, Europe and the Middle East. The group is known to be behind multiple cyber espionage and offensive cyber attacks, operating in the interest of the Iranian regime, leveraging cyberwarfare in accordance with Iran’s geopolitical interests.
• Use of Publicly Available Exploits: The Phosphorus Group was first seen exploiting the ProxyShell vulnerability, and later on the Log4j vulnerability as well, utilizing fresh exploits in the wild.