Iranian Hackers Using New PowerShell Backdoor In Cyber Espionage Attacks

 

An advanced persistent threat group with links to Iran has updated its malware toolset to include a novel PowerShell-based implant called PowerLess Backdoor, according to new research published by Cybereason.

The Boston-headquartered cybersecurity company attributed the malware to a hacking group known as Charming Kitten (aka Phosphorous, APT35, or TA453), while also calling out the backdoor's evasive PowerShell execution.

"The PowerShell code runs in the context of a .NET application, thus not launching 'powershell.exe' which enables it to evade security products," Daniel Frank, senior malware researcher at Cybereason, said. "The toolset analyzed includes extremely modular, multi-staged malware that decrypts and deploys additional payloads in several stages for the sake of both stealth and efficacy."

The threat actor, which is active since at least 2017, has been behind a series of campaigns in recent years, including those wherein the adversary posed as journalists and scholars to deceive targets into installing malware and stealing classified information.

Earlier this month, Check Point Research disclosed details of an espionage operation that involved the hacking group exploiting the Log4Shell vulnerabilities to deploy a modular backdoor dubbed CharmPower for follow-on attacks.

The latest refinements to its arsenal, as spotted by Cybereason, constitutes an entirely new toolset that encompasses the PowerLess Backdoor, which is capable of downloading and executing additional modules such as a browser info-stealer and a keylogger.

Also potentially linked to the same developer of the backdoor are a number of other malware artifacts, counting an audio recorder, an earlier variant of the information stealer, and what the researchers suspect to be an unfinished ransomware variant coded in .NET.

Furthermore, infrastructure overlaps have been identified between the Phosphorus group and a new ransomware strain called Memento, which first emerged in November 2021 and took the unusual step of locking files within password-protected archives, followed by encrypting the password and deleting the original files, after their attempts to encrypt the files directly were blocked by endpoint protection.

"The activity of Phosphorus with regard to ProxyShell took place in about the same time frame as Memento," Frank said. "Iranian threat actors were also reported to be turning to ransomware during that period, which strengthens the hypothesis that Memento is operated by an Iranian threat actor."

Related word

1. Hacks And Tools
2. Hack Tools For Windows
3. Kik Hack Tools
4. Nsa Hacker Tools
5. How To Hack
6. New Hacker Tools
7. Hacking Tools For Pc
8. Hacking Tools Software
9. Tools For Hacker
10. Hack App
11. Pentest Recon Tools
12. Hacking Tools Mac
13. Blackhat Hacker Tools
14. Hacks And Tools
15. Game Hacking
16. Pentest Tools Framework
17. World No 1 Hacker Software
18. Best Hacking Tools 2020
19. Hacking Tools For Beginners
20. Pentest Tools Free
21. Hacker Tools Windows
22. Computer Hacker
23. Hackrf Tools
24. Pentest Tools Framework
25. Pentest Tools Website Vulnerability
26. Pentest Tools Android
27. Bluetooth Hacking Tools Kali
28. Hack Tools
29. Pentest Tools Android
30. Hacking Tools For Beginners
31. Pentest Reporting Tools
32. Best Hacking Tools 2019
33. Kik Hack Tools
34. Pentest Tools Windows
35. New Hack Tools
36. Hacking Tools Free Download
37. Hacking Tools For Mac
38. Hak5 Tools
39. Pentest Tools Tcp Port Scanner
40. Pentest Tools Url Fuzzer
41. Hacking Tools For Windows
42. Pentest Tools Website
43. Hacking Tools Windows 10
44. Github Hacking Tools
45. Easy Hack Tools
46. Computer Hacker
47. Hack Tools Github
48. Hack Tool Apk
49. Pentest Tools Windows
50. Hack Tools Online
51. Hack Tools For Windows
52. Hacker Tools Apk Download
53. New Hacker Tools
54. Hacker Tools For Windows
55. Pentest Automation Tools