
Cyberspies linked to Memento ransomware use new PowerShell malware
2022-02-01 19:00

An Iranian state-backed hacking group tracked as APT35 is now deploying a new backdoor called PowerLess, written in PowerShell.

"The toolset analyzed includes extremely modular, multi-staged malware that decrypts and deploys additional payloads in several stages for the sake of both stealth and efficacy. At the time of writing this report, some of the IOCs remained active delivering new payloads," the Cybereason researchers said.

While looking into attacks where the newly discovered PowerLess backdoor was used, the researchers also found potential connections to Memento ransomware.

Sophos has seen Memento operators switching from encrypting systems with a Python-based ransomware strain to moving files into password-protected WinRAR archives due to anti-ransomware protection active on compromised devices.
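The archive-instead-of-encrypt tactic described above leaves a recognisable trace in process command-line logging. The following detection logic is an added example for defenders, not code from the article or from Sophos or Cybereason: it assumes process-creation events (for instance Sysmon Event ID 1) have been collected into lines of the form `<timestamp> <user> <command line>`, and it flags WinRAR invocations that create a password-protected archive (`-p`/`-hp` switches) and, more seriously, also remove the source files (`-df` switch or the `m` move command). The log lines are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation log lines (not from the article).
# Format: "<timestamp> <user> <command line>".
SAMPLE_LOGS = [
    '2022-02-01T18:02:11Z corp\\jsmith "C:\\Program Files\\WinRAR\\Rar.exe" a -r -hpS3cretPass -df D:\\staging\\finance.rar D:\\finance\\*',
    '2022-02-01T18:05:42Z corp\\jsmith "C:\\Program Files\\WinRAR\\WinRAR.exe" x C:\\Users\\jsmith\\Downloads\\drivers.rar',
    '2022-02-01T18:07:09Z corp\\svc_backup rar.exe a -m5 E:\\backups\\logs.rar C:\\logs\\*',
    '2022-02-01T18:09:30Z corp\\jsmith powershell.exe -nop -w hidden -enc SQBFAFgA',
]

# Matches the WinRAR command-line binaries regardless of path or case.
ARCHIVER_RE = re.compile(r'(?:^|[\\/])(rar|winrar)\.exe$', re.IGNORECASE)


@dataclass
class Finding:
    timestamp: str
    user: str
    severity: str
    reason: str


def tokenize(cmdline):
    """Split a Windows command line, keeping double-quoted paths whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_line(line):
    """Separate the constructed log format into timestamp, user and command line."""
    ts, user, cmd = line.split(' ', 2)
    return ts, user, cmd


def assess(cmdline):
    """Return (severity, reason) for a suspicious WinRAR invocation, else None."""
    toks = tokenize(cmdline)
    if not toks or not ARCHIVER_RE.search(toks[0]):
        return None
    rest = toks[1:]
    if not rest:
        return None
    command = rest[0].lower()            # RAR command letter, e.g. a (add), m (move), x (extract)
    switches = [t.lower() for t in rest[1:] if t.startswith('-')]
    if command not in ('a', 'm'):        # only archive creation is of interest here
        return None
    # -p<pwd> sets a password; -hp<pwd> additionally encrypts file names in headers.
    password = any(s.startswith(('-p', '-hp')) for s in switches)
    # 'm' moves files into the archive; -df deletes files after archiving.
    removes_source = command == 'm' or '-df' in switches
    if password and removes_source:
        return 'high', 'password-protected archive created and source files deleted'
    if password:
        return 'medium', 'password-protected archive created'
    return None


def scan(lines):
    """Run the assessment over every log line and collect findings."""
    findings = []
    for line in lines:
        ts, user, cmd = parse_line(line)
        verdict = assess(cmd)
        if verdict:
            findings.append(Finding(ts, user, *verdict))
    return findings


if __name__ == '__main__':
    for f in scan(SAMPLE_LOGS):
        print(f'{f.timestamp} {f.user} [{f.severity}] {f.reason}')
```

Only the first sample line is reported (severity `high`): a password-protected archive is created and the originals are deleted, which is the behaviour the article attributes to Memento. The routine backup job that archives without a password and the ordinary extraction are left alone, which keeps the rule from flooding analysts with legitimate WinRAR use.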

The Microsoft Threat Intelligence Center said it has been tracking six different Iranian threat groups who have been deploying ransomware and exfiltrating data in attacks that started as far back as September 2020.

"Iranian threat actors were also reported to be turning to ransomware during that period, which strengthens the hypothesis that Memento is operated by an Iranian threat actor."

News URL

https://www.bleepingcomputer.com/news/security/cyberspies-linked-to-memento-ransomware-use-new-powershell-malware/