top of page

Iranian Charming Kitten Adds Powershell Back Door

The Cybereason Nocturnus Team discuss PowerLess Trojan: Iranian APT Phosphorus Adds New PowerShell Backdoor for Espionage. They observed an uptick in the activity of the Iranian group dubbed Phosphorus (AKA Charming Kitten, APT35), known for previously attacking medical research organizations in the US and Israel in 2020, and for targeting academic researchers in the US, France, and the Middle East.

KEY FINDINGS

  • Novel PowerShell Backdoor: A novel and previously undocumented PowerShell backdoor related to the Phosphorus group … dubbed PowerLess Backdoor. It supports downloading additional payloads, such as a keylogger and an info stealer.

  • Evasive PowerShell Execution: The PowerShell code runs in the context of a .NET application, thus not launching “powershell.exe” which enables it to evade security products.

  • Modular Malware: … extremely modular, multi-staged malware that decrypts and deploys additional payloads in several stages for the sake of both stealth and efficacy.

  • Wide Range of Open Source Tools: … activity observed involved a variety of publicly available tools, such as cryptography libraries, weaponizing them for payloads and communication encryption.

  • Shared IOCs with Memento Ransomware: One of the IP addresses serves a domain which is being used as command and control (C2) for the recently discovered Memento Ransomware.

  • Phosphorus Threat Group: The Phosphorus Threat Group was previously spotted attacking research facilities in multiple regions such as the US, Europe and the Middle East. The group is known to be behind multiple cyber espionage and offensive cyber attacks, operating in the interest of the Iranian regime, leveraging cyberwarfare in accordance with Iran’s geopolitical interests.

  • Use of Publicly Available Exploits: The Phosphorus Group was first seen exploiting the ProxyShell vulnerability, and later on the Log4j vulnerability as well, utilizing fresh exploits in the wild.

Garret Grajek, CEO, YouAttest provided additional color on the report:

“The fact that this Irananian-based hack has previously attacked US and allies medical facilities is more proof that the first salvo in nation-to-nation conflict is via cyber attacks. From the Ukraine to the counter cyber attacks on Belarus-based Russian supplies, nations are starting on the cyber front. All in the west should assume they are being scanned by nation sponsored actors - especially those in the critical infrastructure and service space. Vulnerabilities will be rapidly discovered and exploited. Patching is key. Adopting a zero trust (NIST 800-207) architecture w/ strong identity governance is paramount to limiting the effect of these attacks.”


###

bottom of page