Iranian Hackers Launch Cyber Espionage Attacks Using a New PowerShell Backdoor
Short News:-
Cybereason research indicates that an advanced persistent threat group linked to Iran has added a PowerShell-based implant, PowerLess Backdoor, to its malware toolkit. The Boston-based cybersecurity firm attributed the malware to the Charming Kitten hacker collective (also known as Phosphorus, APT35, or TA453).
Detailed News:-
New research published by Cybereason indicates that an advanced persistent threat group linked to Iran has added a PowerShell-based implant called PowerLess Backdoor to its malware toolkit.
The Boston-based cybersecurity firm attributed the malware to the Charming Kitten hacker collective (also known as Phosphorus, APT35, or TA453) and noted that the backdoor runs its PowerShell code without launching 'powershell.exe', which helps it evade detection.
Because the PowerShell code runs without 'powershell.exe' ever being launched, security products that look for that process do not detect it, according to Cybereason senior malware researcher Daniel Frank. The toolset analyzed also includes malware that decrypts and deploys additional payloads in stages, so that it stays stealthy while remaining effective.
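The evasion described above works because the PowerShell engine is a .NET assembly (System.Management.Automation.dll) that any .NET process can load and drive, so a detection that keys on the powershell.exe process never fires. A complementary detection is to watch which processes load that assembly. The following is an added example (not code from Cybereason and not related to the PowerLess sample) that sweeps Sysmon Event ID 7 "Image loaded" records, exported as JSON lines, and flags engine loads whose host process is not a standard PowerShell host. The field names (EventID, Image, ImageLoaded, ProcessId) follow Sysmon's schema; the sample records, paths and process IDs are constructed for illustration.

```python
"""Flag PowerShell engine loads outside a standard PowerShell host.

Added example, not code from Cybereason or from the PowerLess sample. It assumes
Sysmon Event ID 7 (Image loaded) records exported as JSON lines carrying the
fields EventID, Image, ImageLoaded and ProcessId. The records in SAMPLE_LOG are
constructed, not real telemetry.
"""
import json
from typing import Any, Dict, Iterable, List

# Processes expected to load the PowerShell engine. Tune this for your estate:
# some management tools legitimately host the engine as well.
KNOWN_POWERSHELL_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}

# The engine assembly, also loaded as its native image (.ni.dll). Any .NET
# process that loads it can run PowerShell without spawning powershell.exe.
ENGINE_ASSEMBLY_PREFIX = "system.management.automation"

# Constructed GAC path used by the sample records below.
_SMA_GAC = (r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation"
            r"\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll")

# Constructed sample export: one benign powershell.exe load, one suspicious load
# from an updater in the user's profile, an unrelated DLL load, a non-ID-7 event,
# a native-image load from a second unknown host, a pwsh.exe load and one
# truncated line to exercise the malformed-record path.
SAMPLE_LOG = "\n".join(
    [json.dumps(e) for e in [
        {"EventID": 7, "ProcessId": 4120,
         "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "ImageLoaded": _SMA_GAC},
        {"EventID": 7, "ProcessId": 5316,
         "Image": r"C:\Users\victim\AppData\Roaming\Updater\updater.exe",
         "ImageLoaded": _SMA_GAC},
        {"EventID": 7, "ProcessId": 2208,
         "Image": r"C:\Windows\System32\notepad.exe",
         "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
        {"EventID": 1, "ProcessId": 5316,
         "Image": r"C:\Users\victim\AppData\Roaming\Updater\updater.exe",
         "CommandLine": "updater.exe /silent"},
        {"EventID": 7, "ProcessId": 7712,
         "Image": r"C:\ProgramData\svc\host.exe",
         "ImageLoaded": r"C:\Windows\assembly\NativeImages_v4.0.30319_64"
                        r"\System.Manaa57fc8cc#\f1e2d3c4\System.Management.Automation.ni.dll"},
        {"EventID": 7, "ProcessId": 6004,
         "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
         "ImageLoaded": r"C:\Program Files\PowerShell\7\System.Management.Automation.dll"},
    ]] + ["<truncated record from the export>"]
)


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows (or POSIX) style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_engine_load(event: Dict[str, Any]) -> bool:
    """True if the loaded image is the PowerShell engine, managed or native image."""
    name = _basename(event.get("ImageLoaded", ""))
    return name.startswith(ENGINE_ASSEMBLY_PREFIX) and name.endswith(".dll")


def detect_unhosted_powershell(lines: Iterable[str]) -> List[Dict[str, Any]]:
    """Return engine loads whose host process is not a known PowerShell host."""
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip a malformed export line instead of aborting the sweep
        if event.get("EventID") != 7 or not is_engine_load(event):
            continue
        if _basename(event.get("Image", "")) in KNOWN_POWERSHELL_HOSTS:
            continue
        findings.append({"ProcessId": event.get("ProcessId"),
                         "Image": event.get("Image"),
                         "ImageLoaded": event.get("ImageLoaded")})
    return findings


if __name__ == "__main__":
    for hit in detect_unhosted_powershell(SAMPLE_LOG.splitlines()):
        print(f"PID {hit['ProcessId']}: {hit['Image']} loaded {hit['ImageLoaded']}")
```

On the constructed sample the sweep reports the two unknown hosts (PIDs 5316 and 7712) and ignores the powershell.exe and pwsh.exe loads. Expect a tuning pass on the allowlist before deploying this in a real environment, since some Microsoft and third-party management tools host the engine legitimately. PowerShell script block logging (Event ID 4104) is a useful companion source: the engine writes those records regardless of which process hosts it.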
The threat actor, which has been active since at least 2017, has in recent campaigns posed as journalists and scholars to trick targets into installing malware, and then stolen classified information from them.
Earlier this month, according to Check Point Research, the same group exploited the Log4Shell vulnerability to deploy a modular backdoor dubbed CharmPower for follow-on attacks.
According to Cybereason, the PowerLess Backdoor can download additional modules, such as a browser information-stealer and an eavesdropping module, that are used to monitor the victim's activity on the web.
Several other malware artifacts, including an audio recorder, an earlier version of the information stealer, and what the researchers suspect is an unfinished ransomware variant coded in .NET, may be linked to the same developer as the backdoor.
In addition, infrastructure overlaps have been found between the Phosphorus group and Memento, a ransomware strain that first emerged in November 2021. Memento took the unusual step of locking files inside password-protected archives, then encrypting the archive password and deleting the original files, after endpoint protection had blocked its attempts to encrypt the files directly.
According to Frank, Phosphorus's exploitation of ProxyShell took place in the same timeframe as Memento's emergence, and Iranian threat actors were known to be using ransomware at the time, which supports the theory that Memento is operated by an Iranian threat actor.