Iranian APT group uses new PowerShell backdoor in cyber attacks

New cyber espionage attacks show that hackers use advanced methods and updated malware

Iranian hackers released a new backdoor trojan. Attackers rely on new tools in these recent cyber attacks.

The Iranian Phosphorus APT group has added a new trojan, PowerLess, to its arsenal. The backdoor was documented by Cybereason researchers in a lengthy analysis. The group is expanding its toolset with a new PowerShell-based implant that executes its PowerShell code inside a .NET host process rather than launching powershell.exe, which helps it evade security product detections.[1] Cybereason experts report that the malware is both persistent and efficient.[2]

The toolset analyzed includes extremely modular, multi-staged malware that decrypts and deploys additional payloads in several stages for the sake of both stealth and efficacy.
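Hosting the PowerShell engine inside a .NET binary defeats detections that key on powershell.exe or its command line, but the hosting process still has to load the engine assembly, System.Management.Automation.dll, and the Windows PowerShell log still records an engine start (Event ID 400) whose HostApplication field names the hosting binary. The script below is an added example, not code from the article or from Cybereason's report: it runs two hunts over constructed Sysmon image-load (Event ID 7) and PowerShell engine-start records and flags any engine host that is not on an allow-list of known PowerShell executables. The allow-list and the sample events are assumptions made for this example; the sample events are not real telemetry.

```python
"""Hunt for PowerShell execution outside the usual PowerShell host binaries.

Added example, not part of the original article or of Cybereason's analysis.
It assumes the implant runs its PowerShell code inside a .NET process instead
of launching powershell.exe. Such a process still loads the engine assembly
(System.Management.Automation.dll), which Sysmon records as Event ID 7, and the
Windows PowerShell engine writes Event ID 400 naming the HostApplication.
All event records below are constructed samples, not real telemetry.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Hypothetical allow-list of legitimate PowerShell hosts; anything else that
# loads the engine deserves a look. Extend it with tooling (monitoring agents,
# build systems) that legitimately hosts PowerShell in your environment.
KNOWN_POWERSHELL_HOSTS = {
    r"c:\windows\system32\windowspowershell\v1.0\powershell.exe",
    r"c:\windows\syswow64\windowspowershell\v1.0\powershell.exe",
    r"c:\windows\system32\windowspowershell\v1.0\powershell_ise.exe",
    r"c:\program files\powershell\7\pwsh.exe",
}

# Assemblies whose load means the PowerShell engine is running in-process.
ENGINE_DLLS = ("system.management.automation.dll",
               "system.management.automation.ni.dll")


@dataclass(frozen=True)
class Finding:
    source: str        # "sysmon7" or "powershell400"
    host_image: str    # process that hosts the PowerShell engine
    detail: str


def _is_known_host(image: str) -> bool:
    return image.lower() in KNOWN_POWERSHELL_HOSTS


def check_sysmon_imageload(event: dict) -> Finding | None:
    """Sysmon Event ID 7: flag an engine DLL loaded by a non-PowerShell image."""
    if event.get("EventID") != 7:
        return None
    loaded = event.get("ImageLoaded", "").lower()
    if not loaded.endswith(ENGINE_DLLS):
        return None
    image = event.get("Image", "")
    if _is_known_host(image):
        return None
    return Finding("sysmon7", image, f"loaded {event['ImageLoaded']}")


# Event 400 carries a free-text message containing "HostApplication=<cmdline>".
_HOST_APP = re.compile(r"HostApplication=(?P<cmd>[^\r\n]+)")


def check_powershell_engine_start(event: dict) -> Finding | None:
    """Windows PowerShell Event ID 400: flag an unexpected HostApplication."""
    if event.get("EventID") != 400:
        return None
    m = _HOST_APP.search(event.get("Message", ""))
    if not m:
        return None
    cmdline = m.group("cmd").strip()
    # First token of the command line is the executable; it may be quoted.
    if cmdline.startswith('"'):
        exe = cmdline[1:cmdline.find('"', 1)]
    else:
        exe = cmdline.split(" ")[0]
    if _is_known_host(exe):
        return None
    return Finding("powershell400", exe, f"HostApplication={cmdline}")


def hunt(events: list[dict]) -> list[Finding]:
    """Run every check over every event and collect the findings in order."""
    findings = []
    for ev in events:
        for check in (check_sysmon_imageload, check_powershell_engine_start):
            f = check(ev)
            if f:
                findings.append(f)
    return findings


# Constructed sample telemetry: one benign interactive PowerShell session and
# one unknown binary that quietly hosts the engine in-process.
_ENGINE_PATH = (r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation"
                r"\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll")
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ImageLoaded": _ENGINE_PATH},
    {"EventID": 7, "Image": r"C:\Users\Public\Libraries\svchost.exe",
     "ImageLoaded": _ENGINE_PATH},
    {"EventID": 400, "Message": "Engine state is changed from None to Available.\r\n\r\n"
     "Details:\r\n\tHostName=ConsoleHost\r\n"
     "\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -NoProfile\r\n"},
    {"EventID": 400, "Message": "Engine state is changed from None to Available.\r\n\r\n"
     "Details:\r\n\tHostName=Default Host\r\n"
     "\tHostApplication=C:\\Users\\Public\\Libraries\\svchost.exe\r\n"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.source}] suspicious PowerShell host: {f.host_image} ({f.detail})")
```

Both checks fire on the second sample process and stay silent on the interactive powershell.exe session. The caveat is that any legitimate .NET application that embeds PowerShell will trip the same rules, so the allow-list has to be tuned per estate, and a Sysmon configuration that does not record image loads of the engine assembly produces no Event ID 7 at all; the Event ID 400 path is the fallback that needs no Sysmon.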

The threat actor group, also known as Charming Kitten and APT35, has been linked to attacks on medical research organizations,[3] journalists and activists. These targets are located in Iran, the US, France and the Middle East, and the attacks have been highly active since 2019. The group is closely monitored, and researchers have determined that these threat actors have been operating since at least 2017.

The group is known for a series of cyber-espionage campaigns that target victims with malware built to steal classified information from high-value networks. Researchers continuously report the group's involvement in attacks that exploit vulnerabilities and rely on modular backdoor trojans and other malware.

Iranian hacking groups actively running new campaigns

The PowerLess backdoor is capable of downloading and running additional modules, including info-stealers and keyloggers. These APT groups rely on a range of tools in campaigns whose main goal is obtaining valuable information. The activity linked to the Phosphorus group also overlaps with another malware strain, Memento, which was first noticed in November 2021.

These Iranian hackers are known for a number of campaigns, and the activities of several other threat actors can likewise be linked to state-sponsored operators. The MuddyWater hacking group was recently found targeting Turkey in new campaigns.[4]

This group is targeting Turkish organizations, in particular government-related institutions, using two infection chains. The attacks aim at government agencies and start with spear-phishing emails. Attached files that pretend to come from the country's Health or Interior Ministry then release the malicious code on the machine. Such targets, and such tactics, are the go-to choice for state-backed hackers, especially during political conflicts.

Another new cyber espionage campaign from Russian hackers

Cybersecurity researchers continuously report cyber-espionage incidents, especially those attributed to state-backed threat actor groups. Recent reports have surfaced on Russia-linked hacking operations targeting Ukrainian entities.[5]

The group, known as Armageddon, Shuckworm or Gamaredon, is a cyber-espionage collective believed to have been active since at least 2013. Its attacks mainly start with phishing emails that lead to the installation of remote access trojans such as Pterodo. Researchers revealed that the attackers installed several versions of the remote access trojan and deployed other scripts, code and malware between July 14 and August 18, 2021.

The attack chain began with a malicious document, likely sent via a phishing email, which was opened by the user of the infected machine.

These investigations reveal that the threat actors used the implant to download and run executable files and to establish connections with remote servers under their control. The droppers mainly act as the first stage of the infection and lead to the installation of information-stealing malware that can access and exfiltrate documents related to job descriptions and sensitive company or government details.

Hacker groups pursue various goals, but gathering valuable data and completely compromising these networks are the main two. Cybercriminals are motivated either by power or by financial gain.

About the author
Gabriel E. Hall, passionate web researcher

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
