Chris Swagler | February 3rd, 2022

APT35, an Iranian state-backed threat group also known as Phosphorus or Charming Kitten, has developed a new PowerShell-based backdoor called PowerLess. According to a cybersecurity research team, the threat operators deployed additional modules, including info stealers and keyloggers, using previously unknown malware. The PowerLess backdoor encrypts its command-and-control communication channel and lets the operators execute commands and kill running processes on compromised systems. Because it runs the PowerShell engine inside the context of a .NET application rather than launching a new PowerShell instance, it avoids detection by security solutions that look for new PowerShell processes.

The analyzed toolset consists of highly modular, multi-staged malware that decrypts and deploys additional payloads in stages for stealth and effectiveness. According to the researchers, some IOCs remained active and were still delivering new payloads. Using a previously unknown PowerShell backdoor called CharmPower, APT35 operators also leveraged Log4Shell exploits in their attacks.

The researchers discovered potential connections to Memento ransomware while looking into attacks involving the newly discovered PowerLess backdoor. Memento ransomware has been deployed in attacks against VMware vCenter servers using exploits for a critical pre-auth remote code execution flaw that had been patched months earlier. Because anti-ransomware protection was active on compromised devices, Memento operators switched from encrypting systems with a Python-based ransomware strain to moving files into password-protected WinRAR archives. Common TTP patterns, automatically generated strings, and a domain (google.onedriver-srv[.]ml) are among the links. The domain is connected to an IP address mentioned in a joint advisory issued by United States and United Kingdom cybersecurity agencies about Iranian hacking groups targeting Microsoft Exchange and Fortinet servers.
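The two preceding paragraphs describe three things a defender can look for: the PowerShell engine being hosted inside a .NET application instead of a fresh powershell.exe, files being packed into password-protected WinRAR archives, and traffic to the shared domain. The script below is an added example written for this page, not code from the report or from SpearTip. It runs those three checks over a handful of constructed Sysmon-style JSON events. The event field names, the allowlist of processes expected to host the PowerShell engine, and the WinRAR switch pattern are the editor's assumptions, not published detection rules; the only indicator taken from the page is the defanged domain.

```python
"""Hunt constructed endpoint telemetry for the behaviours described in the post.

Editor-added example. Event shape is an assumed Sysmon-like JSON-lines format;
the host allowlist and archiver switch pattern are assumptions, not vendor rules.
"""
import json
import re
from typing import Iterator

PS_ENGINE = "system.management.automation.dll"
# Assumption: processes that legitimately host the PowerShell engine in most fleets.
# Anything else loading the engine is worth a look (the in-process hosting the post describes).
EXPECTED_PS_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
ARCHIVER_IMAGES = {"rar.exe", "winrar.exe"}
# WinRAR's -p<pwd> sets an archive password; -hp<pwd> also encrypts file headers.
PASSWORD_SWITCH = re.compile(r"(?<!\S)-h?p\S*")
# Defanged indicator from the post; refanged before matching.
DEFANGED_IOCS = ["google.onedriver-srv[.]ml"]

# Constructed sample telemetry (not real logs). One JSON object per line.
SAMPLE_EVENTS = r"""
{"event":"image_load","host":"ws01","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","loaded":"C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll"}
{"event":"image_load","host":"ws01","image":"C:\\Users\\alice\\AppData\\Roaming\\updater.exe","loaded":"C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll"}
{"event":"process_create","host":"srv02","image":"C:\\Program Files\\WinRAR\\Rar.exe","cmdline":"Rar.exe a -hpExamplePwd -r C:\\Temp\\docs.rar C:\\Users\\bob\\Documents"}
{"event":"process_create","host":"srv02","image":"C:\\Program Files\\WinRAR\\Rar.exe","cmdline":"Rar.exe a C:\\Temp\\backup.rar C:\\Data"}
{"event":"dns_query","host":"ws01","query":"google.onedriver-srv.ml"}
{"event":"dns_query","host":"ws01","query":"onedrive.live.com"}
"""


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a matchable string."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def basename(path: str) -> str:
    """Last path component, lower-cased, for either slash style."""
    return re.split(r"[\\/]", path)[-1].lower()


def parse_events(text: str) -> Iterator[dict]:
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def domain_matches(query: str, ioc: str) -> bool:
    """True if the query is the indicator domain or one of its subdomains."""
    q = query.lower().rstrip(".")
    return q == ioc or q.endswith("." + ioc)


def hunt(events) -> list[dict]:
    """Return one finding per event that trips a rule, in input order."""
    iocs = [refang(i).lower() for i in DEFANGED_IOCS]
    findings = []
    for ev in events:
        kind = ev.get("event")
        if kind == "image_load":
            if ev["loaded"].lower().endswith(PS_ENGINE) and basename(ev["image"]) not in EXPECTED_PS_HOSTS:
                findings.append({"rule": "hosted_powershell_engine", "host": ev["host"], "image": ev["image"]})
        elif kind == "process_create":
            if basename(ev["image"]) in ARCHIVER_IMAGES and PASSWORD_SWITCH.search(ev["cmdline"]):
                findings.append({"rule": "password_protected_archive", "host": ev["host"], "cmdline": ev["cmdline"]})
        elif kind == "dns_query":
            for ioc in iocs:
                if domain_matches(ev["query"], ioc):
                    findings.append({"rule": "known_c2_domain", "host": ev["host"], "query": ev["query"]})
    return findings


if __name__ == "__main__":
    for finding in hunt(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

Run against the constructed events, the script flags the unexpected host loading the PowerShell engine, the header-encrypted RAR creation, and the DNS query for the refanged domain, while the stock powershell.exe load, the plain archive and the benign lookup pass. The host allowlist will need tuning per environment, since some legitimate management tools also host the engine.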

Additionally, the Microsoft Threat Intelligence Center (MSTIC) is tracking six different Iranian threat groups deploying ransomware and exfiltrating data in attacks. Phosphorus’ activities involving ProxyShell occur around the same time as Memento. During the same time, Iranian threat actors were turning to ransomware, which strengthens the hypothesis that Memento is operated by an Iranian threat actor.

With increasing reports of state-backed threat groups employing ransomware, it’s crucial for companies and governments of all sizes to remain vigilant about the current threat landscape and always keep their network security updated to prevent future cyberattacks. At SpearTip, our Advisory Services quickly identify and defend against the most sophisticated threats, including ransomware, business email compromise, insider threats, and state-sponsored threat groups. Additionally, we offer pragmatic remediation steps to immediately improve companies’ security posture. SpearTip provides first-hand knowledge and expertise in the vulnerabilities actively being leveraged by threat groups to exploit network environments. During our cybersecurity risk assessment process, we examine the entire security posture and assess the vulnerability gaps using a cyber maturity-based approach.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.