A revised version of a backdoor dubbed PowerLess is intended to be installed, and a new round of phishing attacks targeting Israel has been attributed to an Iranian nation-state threat actor. The hacker group known as APT35, Charming Kitten, Cobalt Illusion, ITG18, Mint Sandstorm (previously Phosphorus), TA453, and Yellow Garuda are among the groups that Check Point, a cybersecurity company, is keeping an eye on.
“Like many other actors, Educated Manticore has adopted recent trends and started using ISO images and possibly other archive files to initiate infection chains,” the Israeli company said in a recently published technical report.
APT35, active since at least 2011, has targeted many individuals and organizations using phony social media profiles, spear phishing, and N-day vulnerabilities in internet-exposed programs to acquire initial access and deliver various payloads, including ransomware. The development shows that the adversary is constantly enhancing and retooling its malware arsenal to increase functionality, thwart analysis attempts, and adopt improved techniques to avoid detection.
The Check Point attack chain starts with an ISO disk image file that uses lures with an Iraqi theme to drop a customized in-memory downloader, which then runs the PowerLess implant. The ISO file serves as a conduit to display a fake document that is written in Arabic, English, and Hebrew and claims to contain academic content about Iraq from the Arab Science and Technology Foundation (ASTF), a legitimate non-profit organization, suggesting that the campaign may have been directed at the research community.
Cybereason previously highlighted the PowerLess backdoor in February 2022. It can collect screenshots, record audio, track keystrokes, and steal data from web browsers and applications like Telegram. “While the new PowerLess payload remains similar, its loading mechanisms have significantly improved, adopting techniques rarely seen in the wild, such as using .NET binary files created in mixed mode with assembly code,” Check Point said.
After receiving a key from the server, Base64-encoding and encryption are used to send PowerLess [command-and-control] communication to the server. The threat actor deliberately adds three random letters to the beginning of the encoded blob to deceive researchers. The cybersecurity company added that due to the usage of the identical Iraq-themed PDF file, it also found two other archive files employed as part of a distinct intrusion set that overlaps with the assault mentioned above sequence. Additional investigation has shown that the infection chains that originate from these two archive files ultimately result in the execution of a PowerShell script designed to download and launch two files from a remote server.
According to Check Point, Educated Manticore is still evolving, improving upon previously noted toolsets and delivery mechanisms. The actor also continues to develop custom toolsets using advanced techniques. It is crucial to note that because it is an upgraded form of previously reported malware, it may only reflect the early stages of infection and that large portions of post-infection activities have not yet been seen in the wild.