Iranian Hackers Using New PowerShell Backdoor In Cyber Espionage Attacks

 

An advanced persistent threat group with links to Iran has updated its malware toolset to include a novel PowerShell-based implant called PowerLess Backdoor, according to new research published by Cybereason.

The Boston-headquartered cybersecurity company attributed the malware to a hacking group known as Charming Kitten (aka Phosphorous, APT35, or TA453), while also calling out the backdoor's evasive PowerShell execution.

"The PowerShell code runs in the context of a .NET application, thus not launching 'powershell.exe' which enables it to evade security products," Daniel Frank, senior malware researcher at Cybereason, said. "The toolset analyzed includes extremely modular, multi-staged malware that decrypts and deploys additional payloads in several stages for the sake of both stealth and efficacy."

The threat actor, which is active since at least 2017, has been behind a series of campaigns in recent years, including those wherein the adversary posed as journalists and scholars to deceive targets into installing malware and stealing classified information.

Earlier this month, Check Point Research disclosed details of an espionage operation that involved the hacking group exploiting the Log4Shell vulnerabilities to deploy a modular backdoor dubbed CharmPower for follow-on attacks.

The latest refinements to its arsenal, as spotted by Cybereason, constitutes an entirely new toolset that encompasses the PowerLess Backdoor, which is capable of downloading and executing additional modules such as a browser info-stealer and a keylogger.

Also potentially linked to the same developer of the backdoor are a number of other malware artifacts, counting an audio recorder, an earlier variant of the information stealer, and what the researchers suspect to be an unfinished ransomware variant coded in .NET.

Furthermore, infrastructure overlaps have been identified between the Phosphorus group and a new ransomware strain called Memento, which first emerged in November 2021 and took the unusual step of locking files within password-protected archives, followed by encrypting the password and deleting the original files, after their attempts to encrypt the files directly were blocked by endpoint protection.

"The activity of Phosphorus with regard to ProxyShell took place in about the same time frame as Memento," Frank said. "Iranian threat actors were also reported to be turning to ransomware during that period, which strengthens the hypothesis that Memento is operated by an Iranian threat actor."

Related articles

1. Hacking Tools For Windows Free Download
2. Hacker Tools 2020
3. Install Pentest Tools Ubuntu
4. World No 1 Hacker Software
5. Hacker Tools Windows
6. Hacking Tools Mac
7. Hacking Tools For Windows Free Download
8. Hacking Tools 2019
9. New Hack Tools
10. Pentest Tools Website
11. Tools 4 Hack
12. Nsa Hack Tools Download
13. Hack Website Online Tool
14. Pentest Tools Nmap
15. Hacker Tools For Windows
16. Pentest Tools Free
17. Hacker Tools For Ios
18. How To Install Pentest Tools In Ubuntu
19. Physical Pentest Tools
20. Nsa Hacker Tools
21. Pentest Tools Android
22. Hacks And Tools
23. Hacking Tools For Windows 7
24. Best Pentesting Tools 2018
25. Hacking Apps
26. Hacking Tools Hardware
27. Hacker Tools Hardware
28. Hacking Tools Online
29. Nsa Hack Tools Download
30. Hacking App
31. Hacker Tool Kit
32. Hacker Tools
33. Pentest Tools Online
34. Hak5 Tools
35. Pentest Tools Github
36. Computer Hacker
37. Hack Tools
38. Hacking App
39. Hacking Tools Usb
40. Android Hack Tools Github
41. Hack Tools For Pc
42. New Hack Tools
43. Pentest Tools For Windows
44. New Hacker Tools
45. Pentest Tools Android
46. Termux Hacking Tools 2019
47. Pentest Reporting Tools
48. Pentest Tools Github
49. Pentest Reporting Tools
50. Pentest Tools Windows
51. Ethical Hacker Tools
52. Best Pentesting Tools 2018
53. Pentest Tools Review
54. Hack And Tools
55. Underground Hacker Sites