Charming Kitten, a nation-state activist affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC), was allegedly involved in a bespoke spear-phishing campaign distributing an updated version of a full-featured PowerShell backdoor called POWERSTAR.
According to Volexity researchers Ankur Saini and Charlie Gardner, “Malware has increased operational security measures, making it more difficult to analyze and gather information.” Said In a report published this week.
Threat actors are experts when it comes to using social engineering to lure in their targets, often creating customized fake personas on social media platforms before sending malicious links. Have ongoing conversations to build trust. It has also been tracked under the names APT35, Cobalt Illusion, Mint Sandstorm (formerly Phosphorus), and Yellow Garuda.
Recent incursions organized by Charming Kitten have utilized other implants such as PowerLess and BellaCiao, demonstrating that the group has an array of espionage tools at its disposal to achieve its strategic goals. suggesting.
POWERSTAR is another addition to the group’s arsenal. Also known as CharmPower, this backdoor was first publicly documented by Check Point in January 2022, revealing its use in connection with an attack weaponizing his Log4Shell vulnerability in a publicly available Java application. became.
It has since been used in at least two other campaigns, as documented by PwC in July 2022 and by Microsoft in April 2023.
Volexity, which detected a rudimentary variant of POWERSTAR distributed by malicious macros embedded in DOCM files in 2021, reported that in the May 2023 wave of attacks, LNK was deployed in password-protected RAR files. At the same time as using the file to download a backdoor from Backblaze, it said it took the following actions: hinder analysis.
“By using POWERSTAR, Charming Kitten tried to limit the risk of malware being exposed to analysis and detection by providing a decryption method separate from the initial code and never written to disk,” said the researcher. they said.
“This also has the added benefit of acting as an operational guardrail. By decoupling the decryption method from the command and control (C2) server, future successful decryption of the corresponding POWERSTAR payload can be prevented. .”
The backdoor includes additions to remotely execute PowerShell and C# commands, set persistence, collect system information, enumerate running processes, capture screenshots, and search for files matching specific extensions. It comes with an extensive feature set that allows you to download and run modules. Monitors whether persistence components are still intact.
Also improved and enhanced from the previous version is a cleanup module designed to erase all traces of malware footprints and remove persistence-related registry keys. These updates demonstrate Charming Kitten’s continued efforts to hone its techniques and evade detection.
Volexity said it also detected another variant of POWERSTAR that attempted to obtain a hardcoded C2 server by decoding files stored in a distributed InterPlanetary Filesystem (IPFS), recovering the attack infrastructure. Suggested an attempt to increase power.
This development involved MuddyWater (aka Static Kitten) using a previously undocumented command and control (C2) framework called PhonyC2 to deliver malicious payloads to compromised hosts. done at the same time.
The researchers said, “The common phishing tactics used by Charming Kitten and the overall objectives of POWERSTAR are consistent.” “The references to persistence mechanisms and executable payloads within the POWERSTAR Cleanup module are highly suggestive of the extensive set of tools Charming Kitten uses to conduct malware-assisted espionage.”
