Charming Kitten, a notorious nation-state actor linked to Iran's Islamic Revolutionary Guard Corps (IRGC), has recently surfaced in a targeted spear-phishing campaign utilizing an updated version of their potent PowerShell backdoor called POWERSTAR.
Volexity researchers, Ankur Saini and Charlie Gardner, revealed in a recent report the implementation of enhanced operational security measures within the malware. These measures pose significant challenges for analysts attempting to analyze and gather intelligence on the threat.
Renowned for their expertise in social engineering, Charming Kitten employs various tactics to deceive their targets. Crafted personas on social media platforms, sustained conversations to establish rapport, and the subsequent delivery of malicious links are among their primary methods. The group is also recognized by multiple names, including APT35, Cobalt Illusion, Mint Sandstorm (formerly Phosphorus), and Yellow Garuda.
In addition to POWERSTAR, recent Charming Kitten intrusions have featured other implants like PowerLess and BellaCiao, indicating a wide array of espionage tools at their disposal to achieve strategic objectives.
Initially exposed by Check Point in January 2022, POWERSTAR (also known as CharmPower) was publicly documented in connection with attacks exploiting Log4Shell vulnerabilities in publicly exposed Java applications. Since then, the backdoor has been employed in at least two other campaigns, as detailed by PwC in July 2022 and Microsoft in April 2023.
Volexity, which previously detected a rudimentary variant of POWERSTAR in 2021 distributed through a malicious macro in a DOCM file, now reports that the May 2023 attack wave utilizes an LNK file within a password-protected RAR archive to download the backdoor from Backblaze. Furthermore, Charming Kitten has taken measures to impede analysis during this attack.
"With POWERSTAR, Charming Kitten aimed to reduce the risk of malware exposure, analysis, and detection by delivering the decryption method separately from the initial code without writing it to disk," stated the researchers.
This approach provides an operational safeguard, as decoupling the decryption method from the command-and-control (C2) server prevents future successful decryption of the corresponding POWERSTAR payload.
POWERSTAR boasts an extensive range of features, empowering it to execute PowerShell and C# commands remotely, establish persistence, gather system information, and download additional modules. These modules allow the backdoor to enumerate running processes, capture screenshots, search for files matching specific extensions, and monitor the integrity of persistence components.
Significant improvements and expansions have been made to the cleanup module, designed to eradicate any traces of the malware's presence and eliminate persistence-related registry keys. These enhancements underscore Charming Kitten's ongoing efforts to refine their techniques and evade detection. Volexity also discovered a distinct variant of POWERSTAR that employs a decentralized InterPlanetary Filesystem (IPFS) to retrieve a hard-coded C2 server, enhancing the group's attack infrastructure resilience.
Coinciding with this development, MuddyWater (aka Static Kitten) has employed an undocumented command-and-control (C2) framework known as PhonyC2 to distribute malicious payloads to compromised hosts.
"The phishing playbook utilized by Charming Kitten and the overall purpose of POWERSTAR remain consistent," stated the researchers. "References to persistence mechanisms and executable payloads within the POWERSTAR Cleanup module strongly indicate a broader set of tools utilized by Charming Kitten for conducting malware-enabled espionage."
Stay informed about the evolving techniques employed by Charming Kitten and gain valuable insights into countering state-sponsored cyber espionage by regularly visiting our cybersecurity blog. Our experts provide comprehensive coverage, analysis, and effective mitigation strategies to safeguard your organization against these sophisticated threats.
No comments:
Post a Comment