Iranian APT Group Charming Kitten Updates Powerstar Backdoor

Attackers Updating Malware to Conduct Espionage by Distributing Phishing Links

An Iranian government-backed hacking group known as Charming Kitten has added a new version of the Powerstar backdoor, also known as CharmPower, to its malware arsenal.

Researchers at cybersecurity firm Volexity said the latest malware variant is complex and is likely supported by a custom server-side component that automates simpler actions for the Powerstar backdoor operator.

The latest iteration of the malware is taking advantage of a distributed file protocol to deploy customized phishing links.

The malware comes with features such as the use of the InterPlanetary File System, and it remotely hosts its decryption function and configuration details on publicly accessible cloud hosts.

In April, Microsoft tracked a group newly designated as Mint Sandstorm using an implant dubbed CharmPower that was being delivered through spear-phishing campaigns targeting individuals with ties to the security community and affiliated with think tanks or universities in Israel, North America and Europe.

Charming Kitten is also known as Phosphorus, TA453, APT35, Cobalt Illusion, ITG18 and Yellow Garuda. The group has spied on journalists and activists since at least 2013.

Researchers said attackers are impersonating a reporter at an Israeli media organization in order to send the target an email with a malicious attachment. The phishing email urges the target to review a document related to U.S. foreign policy.

Once the potential victim agrees, Charming Kitten sends another benign email containing a list of questions to further gain the target's confidence, and the target responds with answers.

After a few days, having gained the target's trust, the operators of Charming Kitten send a draft.

"This draft is a password-protected RAR file containing a malicious LNK file. The password for the RAR file was provided in a subsequent email."

The malware limits its exposure to analysis and detection by delivering the decryption method separately from the initial code and never writing it to disk.

"This has the added bonus of acting as an operational guardrail, as decoupling the decryption method from its command-and-control server prevents future successful decryption of the corresponding POWERSTAR payload," the researchers said.

The researchers found the malware is used to take screenshots and upload them to the attacker-controlled C2 server, identify running antivirus software, establish persistence for the IPFS variant of Powerstar via a Registry Run key, collect system information and ultimately remove evidence of its presence using the cleanup module.

IPFS works as a peer-to-peer network of nodes that each store shards of files that are reachable through a unique fingerprint its designers dub a "content identifier." The idea is to store and retrieve files via their content identifier rather than their location on a remote server.

Protocol inventor Juan Benet described it in a white paper as being analogous to "a single BitTorrent swarm, exchanging objects within one Git repository."
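The following is an added example for defenders, not code from Volexity or from this article: it shows how a content identifier is derived from the data itself and how to pull such identifiers out of web proxy logs for review. It assumes base32 CIDv1 identifiers with SHA-256 hashes, the two common gateway URL layouts, a placeholder host `gateway.example`, and constructed log lines.

```python
import base64
import hashlib
import re

# Path-style (host/ipfs/<cid>) and subdomain-style (<cid>.ipfs.host) gateway URLs.
CID_IN_URL = re.compile(
    r"https?://(?:(b[a-z2-7]{58})\.ipfs\.[^/\s]+|[^/\s]+/ipfs/(b[a-z2-7]{58}))")

def cid_for(data: bytes) -> str:
    """CIDv1 of one raw block: version 1, codec raw (0x55), sha2-256 (0x12), 32 bytes."""
    raw = bytes([0x01, 0x55, 0x12, 0x20]) + hashlib.sha256(data).digest()
    return "b" + base64.b32encode(raw).decode().lower().rstrip("=")

def decode_cid(cid: str):
    """Return (codec, sha256_digest) for a base32 CIDv1, or None if malformed."""
    if not cid.startswith("b"):
        return None
    body = cid[1:].upper()
    try:
        raw = base64.b32decode(body + "=" * (-len(body) % 8))
    except ValueError:  # bad alphabet or padding
        return None
    if len(raw) != 36 or raw[0] != 0x01 or raw[2:4] != b"\x12\x20":
        return None
    return raw[1], raw[4:]

def matches(cid: str, data: bytes) -> bool:
    """True only for a raw-codec CID whose digest equals sha256(data)."""
    parsed = decode_cid(cid)
    return parsed is not None and parsed == (0x55, hashlib.sha256(data).digest())

def find_cids(log_lines):
    """Return every structurally valid CID seen in gateway URLs, in order."""
    hits = []
    for line in log_lines:
        for m in CID_IN_URL.finditer(line):
            cid = m.group(1) or m.group(2)
            if decode_cid(cid) is not None:
                hits.append(cid)
    return hits

# Constructed sample data: not taken from the campaign described above.
SAMPLE = b"constructed sample block"
CID = cid_for(SAMPLE)
LOG = [
    f"2023-01-01T00:00:00Z GET https://gateway.example/ipfs/{CID}/index.html 200",
    f"2023-01-01T00:00:05Z GET https://{CID}.ipfs.gateway.example/ 200",
    "2023-01-01T00:00:09Z GET https://intranet.example/docs/ipfs/notes.txt 200",
]
```

Because the identifier is a hash of the content, the same identifier can be requested through any gateway host, so matching on the identifier is more durable than matching on a hostname. Only single raw blocks hash directly to their identifier; larger files are wrapped in other block formats that this sketch recognizes but does not verify.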

"The use of cloud-hosting providers to host both malware code and phishing content is a continued theme from Charming Kitten," the researchers said. "The references to persistence mechanisms and executable payloads within the Powerstar Cleanup module strongly suggests a broader set of tools used by Charming Kitten to conduct malware-enabled espionage."

About the Author

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.
