
Charming Kitten Sharpens Its Claws with PowerShell Backdoor
2022-02-02 13:58

The Iranian advanced persistent threat Charming Kitten is sharpening its claws with a new set of tools, including a novel PowerShell backdoor and related stealth tactics, that show the group evolving yet again.

Researchers at cybersecurity firm Cybereason discovered the tools, which include a backdoor they dubbed "PowerLess Backdoor," as well as an evasive maneuver that runs the backdoor inside a .NET context rather than spawning a PowerShell process, the Cybereason Nocturnus Team wrote in a report published Tuesday.
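The evasion described above leaves no powershell.exe process to alert on, but the PowerShell engine itself (System.Management.Automation.dll, or its native image) still has to be loaded into whatever process hosts it. The following is an added detection example, not code from the article or from Cybereason's report: it scans Sysmon image-load events (Event ID 7; the field names Image, ImageLoaded and ProcessId are Sysmon's) and flags the engine DLL being loaded by any process that is not a known PowerShell host. The sample events are constructed for illustration.

```python
from typing import Iterable

# Sysmon Event ID 7 is "Image loaded". The PowerShell engine lives in this
# assembly; the substring also matches the NGEN native image (*.ni.dll).
PS_ENGINE_DLL = "system.management.automation"

# Processes that are expected to host the engine. Tune this baseline for
# your estate; anything else loading the engine deserves a closer look.
EXPECTED_HOSTS = {"powershell.exe", "powershell_ise.exe", "pwsh.exe"}


def _basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def engine_loaded_outside_powershell(events: Iterable[dict]) -> list[dict]:
    """Return one record per ImageLoad event in which the PowerShell engine
    DLL was loaded by a process that is not a known PowerShell host."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 7:
            continue  # only image-load events carry the DLL name
        loaded = _basename(ev.get("ImageLoaded", ""))
        if PS_ENGINE_DLL not in loaded:
            continue  # some other DLL; not the engine
        host = _basename(ev.get("Image", ""))
        if host not in EXPECTED_HOSTS:
            hits.append({"pid": ev.get("ProcessId"), "host": host, "dll": loaded})
    return hits


# Constructed sample telemetry (not real events): a benign powershell.exe
# load, an unrelated DLL load, a process-create event, and an engine load
# into an unexpected host in a user-writable directory.
SAMPLE_EVENTS = [
    {"EventID": 7, "ProcessId": 4120,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\System.Management.Automation.dll"},
    {"EventID": 7, "ProcessId": 5208, "Image": r"C:\Users\Public\updater.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"EventID": 1, "ProcessId": 5208, "Image": r"C:\Users\Public\updater.exe"},
    {"EventID": 7, "ProcessId": 5208, "Image": r"C:\Users\Public\updater.exe",
     "ImageLoaded": r"C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Management.Automation.ni.dll"},
]

if __name__ == "__main__":
    for hit in engine_loaded_outside_powershell(SAMPLE_EVENTS):
        print(f"pid {hit['pid']}: {hit['host']} loaded {hit['dll']}")
```

Expect a few legitimate non-PowerShell hosts (management consoles, some installers) to trip this rule; enabling PowerShell script block logging alongside it gives you the executed script content regardless of which process hosted the engine.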

Charming Kitten is a prolific APT believed to be backed by the Iranian government and known by a number of other names - including TA453, APT35, Ajax Security Team, NewsBeef, Newscaster and Phosphorus.

The Cybereason Nocturnus team uncovered a raft of new Charming Kitten activity when they investigated threat-intelligence efforts that "included pivoting on an IP address that was already attributed to Iranian threat actors by multiple sources, including US CERT," Frank explained.

Charming Kitten is now using what researchers have dubbed PowerLess Backdoor, a previously undocumented PowerShell trojan that supports downloading additional payloads, such as a keylogger and an info stealer.

Overall, the new tools show Charming Kitten developing more "modular, multi-staged malware" with payload delivery aimed at "both stealth and efficacy," Frank noted.

News URL

https://threatpost.com/charming-kitten-powershell-backdoor/178158/