According to research published by Cybereason, an advanced persistent threat group with ties to Iran has updated its malware toolkit with a previously undocumented PowerShell-based implant named PowerLess Backdoor. The Boston-based cybersecurity firm attributed the malware to the group tracked as Charming Kitten (aka APT35, Phosphorus, or TA453) and called out the backdoor’s evasive use of PowerShell.
“The PowerShell code runs in the context of a .NET application, thus not launching ‘powershell.exe’, which enables it to evade security products,” said Daniel Frank, a senior malware researcher at Cybereason. “The toolset analyzed includes extremely modular, multi-staged malware that decrypts and deploys additional payloads in several stages for the sake of both stealth and efficacy.”
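The evasion Frank describes rests on one observable fact: a process that hosts the PowerShell engine in-process still has to load System.Management.Automation.dll (or its NGEN native image, System.Management.Automation.ni.dll), even though powershell.exe never starts. The script below is an added example, not Cybereason’s code or the implant’s: it reads Sysmon Event ID 7 (ImageLoad) message bodies in the “Key: Value” form Event Viewer renders, and reports any process that loads the engine while its own image is not one of the known PowerShell hosts. The sample events and file paths are constructed, and the host allowlist is an assumption to be tuned for legitimate in-process hosts in a given estate.

```python
"""Flag PowerShell engine loads in processes that are not a known PowerShell host.

Added example (not Cybereason's or the implant's code). Consumes Sysmon Event
ID 7 (ImageLoad) message bodies as Event Viewer renders them ("Key: Value"
lines, blank line between events). The sample log below is constructed.
"""
import ntpath

# Images expected to host the PowerShell engine. Assumption: extend this for
# legitimate in-process hosts in your environment (management consoles etc.).
KNOWN_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}

# The engine assembly and its NGEN native image; either one means PowerShell
# is running inside the process regardless of the process name.
ENGINE_DLLS = {"system.management.automation.dll",
               "system.management.automation.ni.dll"}

# Constructed Sysmon ImageLoad events: one benign powershell.exe, one suspicious
# .NET binary masquerading as svchost.exe in a user profile, one pwsh.exe.
SAMPLE_LOG = r"""Image loaded:
UtcTime: 2022-02-01 10:15:20.101
ProcessId: 4120
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ImageLoaded: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\System.Management.Automation.dll

Image loaded:
UtcTime: 2022-02-01 10:15:22.337
ProcessId: 5532
Image: C:\Users\victim\AppData\Roaming\Updater\svchost.exe
ImageLoaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Management.Automation\System.Management.Automation.ni.dll

Image loaded:
UtcTime: 2022-02-01 10:15:22.401
ProcessId: 5532
Image: C:\Users\victim\AppData\Roaming\Updater\svchost.exe
ImageLoaded: C:\Windows\System32\kernel32.dll

Image loaded:
UtcTime: 2022-02-01 10:16:03.010
ProcessId: 1188
Image: C:\Program Files\PowerShell\7\pwsh.exe
ImageLoaded: C:\Program Files\PowerShell\7\System.Management.Automation.dll
"""


def parse_events(text):
    """Split the rendered log into one dict of fields per event."""
    events = []
    for chunk in text.strip().split("\n\n"):
        fields = {}
        for line in chunk.splitlines():
            if ": " in line:  # skips the "Image loaded:" title line
                key, value = line.split(": ", 1)
                fields[key.strip()] = value.strip()
        if fields:
            events.append(fields)
    return events


def is_engine_load(event):
    """True if the loaded module is the PowerShell engine assembly."""
    return ntpath.basename(event.get("ImageLoaded", "")).lower() in ENGINE_DLLS


def is_unhosted_engine_load(event):
    """True if the engine was loaded by something other than a known host."""
    host = ntpath.basename(event.get("Image", "")).lower()
    return is_engine_load(event) and host not in KNOWN_HOSTS


def find_unhosted(events):
    """Return sorted (ProcessId, Image) pairs, one per suspicious process."""
    seen = {}
    for ev in events:
        if is_unhosted_engine_load(ev):
            seen.setdefault(int(ev["ProcessId"]), ev["Image"])
    return sorted(seen.items())


if __name__ == "__main__":
    for pid, image in find_unhosted(parse_events(SAMPLE_LOG)):
        print(f"PID {pid}: {image} loaded the PowerShell engine outside a known host")
```

Two caveats for running this against real telemetry: Sysmon does not log image loads unless a configuration rule enables them, so the ImageLoad rule must include the two engine DLL names or the events never exist; and because script block logging (Event ID 4104) and AMSI hook the engine itself rather than powershell.exe, they still fire for in-process hosts, so an alert from this check is worth correlating with 4104 events carrying the same ProcessId.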
The threat actor, active since at least 2017, has carried out many attacks in recent years, including campaigns in which its operators posed as journalists or academics to trick targets into downloading malware and steal confidential information. Earlier this month, Check Point Research detailed an espionage operation in which the group exploited the Log4Shell vulnerability (CVE-2021-44228) to deploy a modular backdoor known as CharmPower for follow-on attacks.
Cybereason found that the latest additions to the group’s arsenal form an entirely new toolset built around the PowerLess Backdoor, which can download and run further modules such as a browser information stealer and a keylogger. Several other malicious artifacts, including an audio recorder, an older version of the information stealer, and what the researchers assess to be an unfinished ransomware variant written in .NET, are also likely the work of the same developer.
Cybereason also noted infrastructure overlaps between Phosphorus and Memento, a ransomware strain first observed in November 2021. Memento took the unusual step of placing victims’ files in password-protected archives, encrypting the archive password, and deleting the original files, after its attempts to encrypt the data directly were blocked by endpoint protection.