Iranian Hackers Use a New PowerShell Backdoor in Cyber Espionage Attacks

Iranian hackers are using a new PowerShell backdoor called PowerLess Backdoor in cyber espionage attacks, according to Cybereason researchers.

Cybereason, a Boston-based cybersecurity company, linked the malware to Charming Kitten, a hacking group also known as Phosphorus, APT35, or TA453.

Daniel Frank, senior malware researcher at Cybereason, said: “The PowerShell code runs in the context of a .NET application, thus not launching ‘powershell.exe’ which enables it to evade security products. The toolset analyzed includes extremely modular, multi-staged malware that decrypts and deploys additional payloads in several stages for the sake of both stealth and efficacy.”
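The evasion Frank describes (hosting the PowerShell engine inside a .NET process so that powershell.exe never starts) still leaves a trace: the host process has to load the engine assembly, System.Management.Automation.dll. The following added example is not code from Cybereason or from this article; it shows the defender's side by scanning constructed Sysmon Event ID 7 (image load) records and flagging any engine load by a process outside an assumed allow-list of standard PowerShell hosts.

```python
"""Flag PowerShell engine loads by non-standard host processes."""

# Processes that legitimately load the PowerShell engine.
# Assumption: tune this allow-list for your own environment.
KNOWN_HOSTS = {
    r"c:\windows\system32\windowspowershell\v1.0\powershell.exe",
    r"c:\windows\syswow64\windowspowershell\v1.0\powershell.exe",
    r"c:\windows\system32\windowspowershell\v1.0\powershell_ise.exe",
    r"c:\program files\powershell\7\pwsh.exe",
}

# The engine assembly and its native-image (NGEN) variant.
ENGINE_DLLS = ("system.management.automation.dll",
               "system.management.automation.ni.dll")


def is_engine_load(event: dict) -> bool:
    """True if this Sysmon event is a load of the PowerShell engine DLL."""
    if event.get("EventID") != 7:
        return False
    return event.get("ImageLoaded", "").lower().endswith(ENGINE_DLLS)


def flag_unmanaged_powershell(events: list[dict]) -> list[dict]:
    """Return engine loads whose host process is not a known PowerShell host."""
    hits = []
    for ev in events:
        if not is_engine_load(ev):
            continue
        host = ev.get("Image", "").lower()
        if host not in KNOWN_HOSTS:
            hits.append({"host": ev["Image"], "pid": ev.get("ProcessId"),
                         "dll": ev["ImageLoaded"]})
    return hits


# Constructed sample events (not real telemetry); shape follows Sysmon Event ID 7.
SAMPLE_EVENTS = [
    {"EventID": 7, "ProcessId": 1001, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll"},
    {"EventID": 7, "ProcessId": 4242, "Image": r"C:\Users\user\AppData\Roaming\hypothetical_host.exe",
     "ImageLoaded": r"C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\System.Management.Automation.ni.dll"},
    {"EventID": 7, "ProcessId": 776, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"EventID": 1, "ProcessId": 4242, "Image": r"C:\Users\user\AppData\Roaming\hypothetical_host.exe",
     "ImageLoaded": ""},
]

if __name__ == "__main__":
    for hit in flag_unmanaged_powershell(SAMPLE_EVENTS):
        print(f"engine loaded by non-standard host pid={hit['pid']} {hit['host']}")
```

Because script block logging (Event ID 4104) is produced by the engine itself, it still records code run from a custom host when it is enabled, which makes it a useful second signal alongside the image-load check.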

Charming Kitten has been active since 2017 and is behind a number of campaigns in recent years. The group has targeted victims by posing as journalists and scholars to deceive them into installing malware and steal classified information. Check Point earlier this month revealed the details of an espionage operation in which the group exploited the Log4Shell vulnerabilities to deploy a modular backdoor dubbed CharmPower for follow-on attacks.

The latest refinements to its arsenal, as spotted by Cybereason, constitute an entirely new toolset that includes the PowerLess Backdoor, which is capable of downloading and executing additional modules such as a browser info-stealer and a keylogger.

A number of other malware artifacts are linked to the same developer as the backdoor, including an audio recorder that is a variant of a tool used earlier to steal information, and what the researchers suspect to be an unfinished ransomware variant written in .NET.

The researchers also found links between the Phosphorus group and a new ransomware strain called Memento, which first emerged in November 2021. The ransomware took the unusual step of locking files inside password-protected archives, then encrypting the password and deleting the original files, after its attempts to encrypt the files directly were blocked by endpoint protection.

Frank said, “The activity of Phosphorus with regard to ProxyShell took place in about the same time frame as Memento. Iranian threat actors were also reported to be turning to ransomware during that period, which strengthens the hypothesis that Memento is operated by an Iranian threat actor.”
