Monday, June 5, 2023

Iranian Hackers Using New PowerShell Backdoor In Cyber Espionage Attacks

 


An advanced persistent threat group with links to Iran has updated its malware toolset to include a novel PowerShell-based implant called PowerLess Backdoor, according to new research published by Cybereason.

The Boston-headquartered cybersecurity company attributed the malware to a hacking group known as Charming Kitten (aka Phosphorous, APT35, or TA453), while also calling out the backdoor's evasive PowerShell execution.

"The PowerShell code runs in the context of a .NET application, thus not launching 'powershell.exe' which enables it to evade security products," Daniel Frank, senior malware researcher at Cybereason, said. "The toolset analyzed includes extremely modular, multi-staged malware that decrypts and deploys additional payloads in several stages for the sake of both stealth and efficacy."

The threat actor, which is active since at least 2017, has been behind a series of campaigns in recent years, including those wherein the adversary posed as journalists and scholars to deceive targets into installing malware and stealing classified information.


Earlier this month, Check Point Research disclosed details of an espionage operation that involved the hacking group exploiting the Log4Shell vulnerabilities to deploy a modular backdoor dubbed CharmPower for follow-on attacks.

The latest refinements to its arsenal, as spotted by Cybereason, constitutes an entirely new toolset that encompasses the PowerLess Backdoor, which is capable of downloading and executing additional modules such as a browser info-stealer and a keylogger.

Also potentially linked to the same developer of the backdoor are a number of other malware artifacts, counting an audio recorder, an earlier variant of the information stealer, and what the researchers suspect to be an unfinished ransomware variant coded in .NET.

Furthermore, infrastructure overlaps have been identified between the Phosphorus group and a new ransomware strain called Memento, which first emerged in November 2021 and took the unusual step of locking files within password-protected archives, followed by encrypting the password and deleting the original files, after their attempts to encrypt the files directly were blocked by endpoint protection.

"The activity of Phosphorus with regard to ProxyShell took place in about the same time frame as Memento," Frank said. "Iranian threat actors were also reported to be turning to ransomware during that period, which strengthens the hypothesis that Memento is operated by an Iranian threat actor."

Related word


  1. Tools Used For Hacking
  2. Hacking Tools For Kali Linux
  3. Hack Rom Tools
  4. Pentest Tools For Android
  5. Hacking Tools Github
  6. What Are Hacking Tools
  7. Hacking Tools For Beginners
  8. Pentest Automation Tools
  9. Kik Hack Tools
  10. Hack Tools For Games
  11. Pentest Tools Free
  12. Hacker Tools For Ios
  13. Hack Tools
  14. Hacker Security Tools
  15. Pentest Recon Tools
  16. Pentest Tools Port Scanner
  17. Hack Tools Online
  18. Nsa Hack Tools
  19. Hacker Tools Github
  20. Hacker Tools For Pc
  21. Hacking Tools And Software
  22. Hack Tools Github
  23. Hacker Search Tools
  24. How To Hack
  25. Hacking Tools Hardware
  26. Best Hacking Tools 2020
  27. Hacking Tools For Windows
  28. Hacker Tool Kit
  29. Pentest Automation Tools
  30. Hacker Tools
  31. Pentest Tools Review
  32. Hacking Tools Kit
  33. Pentest Tools Online
  34. Hacking Tools 2019
  35. Pentest Tools Bluekeep
  36. Hacking Tools Download
  37. Usb Pentest Tools
  38. Termux Hacking Tools 2019
  39. Hacker Tools Linux
  40. Hacker Tools For Mac
  41. Bluetooth Hacking Tools Kali
  42. Pentest Tools Download
  43. What Is Hacking Tools
  44. Hack Tools For Games
  45. Hackers Toolbox
  46. Pentest Tools Framework
  47. Hack Tools For Mac
  48. Hacking Tools For Pc
  49. Hack Tools Mac
  50. Hacker Search Tools
  51. Hacking Tools Online
  52. Hacking Tools For Beginners
  53. Pentest Tools Free

No comments:

Post a Comment