Daniel Frank, senior malware researcher at Cybereason, reported: “The PowerShell code runs in the context of a .NET application, so it does not launch ‘powershell.exe,’ allowing it to evade security products. The analysed toolset includes extremely modular, multi-staged malware that decrypts and deploys additional payloads in stages for stealth and efficacy.”
According to new research published by Cybereason, an advanced persistent threat group with ties to Iran has updated its malware toolset to include a novel PowerShell-based implant called PowerLess Backdoor.
The Boston-based cybersecurity firm attributed the malware to the Charming Kitten hacking group (also known as Phosphorous, APT35, or TA453), while also highlighting the backdoor’s evasive PowerShell execution.
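The evasion the researchers describe, running PowerShell inside a .NET process rather than launching powershell.exe, still leaves two traces a defender can alert on: the host process has to load the PowerShell engine assembly (System.Management.Automation.dll), which Sysmon records as Event ID 7, and the engine logs its own start as Windows PowerShell Event ID 400, whose HostName and HostApplication fields name the hosting process. The script below is an added example, not code from Cybereason or from the article; the four log records, the `updater.exe` path and the `---`-separated `Key: Value` layout are constructed here so it runs offline.

```python
"""Flag PowerShell engine activity hosted by a process other than the usual hosts.

Telemetry used (records below are constructed, not real captures):
  * Sysmon Event ID 7 (image loaded): any process that loads
    System.Management.Automation.dll is hosting the PowerShell engine.
  * Windows PowerShell Event ID 400 (engine state changed): HostApplication
    holds the hosting process command line; HostName is "ConsoleHost" for
    powershell.exe and typically "Default Host" for an embedded runspace.
"""
import re
from typing import Dict, List, Optional

# Hosts expected to run the engine; tune per environment (management agents
# and IDEs also host PowerShell legitimately).
EXPECTED_HOSTS = {"powershell.exe", "powershell_ise.exe", "pwsh.exe"}
EXPECTED_HOST_NAMES = {"ConsoleHost", "Windows PowerShell ISE Host"}
ENGINE_DLLS = {"system.management.automation.dll",
               "system.management.automation.ni.dll"}

# Constructed sample records in a simplified "Key: Value" layout.
SAMPLE_LOG = r"""
EventID: 7
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ImageLoaded: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll
---
EventID: 7
Image: C:\Users\victim\AppData\Roaming\updater.exe
ImageLoaded: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll
---
EventID: 400
HostName: ConsoleHost
HostApplication: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile
---
EventID: 400
HostName: Default Host
HostApplication: C:\Users\victim\AppData\Roaming\updater.exe
"""

FIELD_RE = re.compile(r"^\s*([A-Za-z]+):\s*(.*?)\s*$")


def parse_log(text: str) -> List[Dict[str, str]]:
    """Split '---'-separated records into dicts of their 'Key: Value' fields."""
    events = []
    for record in text.split("---"):
        fields = {}
        for line in record.splitlines():
            m = FIELD_RE.match(line)
            if m:
                fields[m.group(1)] = m.group(2)
        if fields:
            events.append(fields)
    return events


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows path, with surrounding quotes removed."""
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(event: Dict[str, str]) -> Optional[str]:
    """Return a finding for an unexpected engine host, or None."""
    eid = event.get("EventID")
    if eid == "7":
        host = image_name(event.get("Image", ""))
        loaded = image_name(event.get("ImageLoaded", ""))
        if loaded in ENGINE_DLLS and host not in EXPECTED_HOSTS:
            return f"Sysmon 7: PowerShell engine loaded into {host}"
    elif eid == "400":
        # HostApplication is the host's command line; the first token is its
        # path (simplification: assumes the executable path has no spaces).
        host = image_name(event.get("HostApplication", "").split(" ", 1)[0])
        host_name = event.get("HostName", "")
        if host not in EXPECTED_HOSTS or host_name not in EXPECTED_HOST_NAMES:
            return f"PowerShell 400: engine started by {host} (HostName={host_name!r})"
    return None


def find_unexpected_hosts(events: List[Dict[str, str]]) -> List[str]:
    """Run check_event over all events and keep the findings."""
    return [f for f in (check_event(e) for e in events) if f]


if __name__ == "__main__":
    for finding in find_unexpected_hosts(parse_log(SAMPLE_LOG)):
        print(finding)
```

Both sources fire on the same hosted-engine behaviour, so either alone catches it; in practice the Event ID 7 check needs a module-load rule in the Sysmon configuration, while Event ID 400 is written by the engine itself whatever process embeds it.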
The threat actor, which has been active since at least 2017, has been behind a number of campaigns in recent years, such as those in which the adversary pretended to be journalists and scholars in order to trick targets into installing malware and steal classified information.
A number of other malware items, such as an audio recorder, an earlier variant of the information stealer, and what the researchers suspect is an unfinished ransomware variant coded in .NET, are also potentially linked to the same developer as the backdoor.
Furthermore, infrastructure overlaps have been discovered between the Phosphorus group and Memento, a new ransomware strain that first appeared in November 2021. Memento took the unusual step of locking files within password-protected archives, then encrypting the password and deleting the original files, after its attempts to encrypt the files directly were blocked by endpoint protection.
Finally, the researchers concluded: “Phosphorus’ activity with regard to ProxyShell occurred around the same time as Memento. During that time period, Iranian threat actors were also reported to be turning to ransomware, which strengthens the hypothesis that Memento is operated by an Iranian threat actor.”