
Iranian APT Group Charming Kitten Updates Powerstar Backdoor

According to researchers at the cybersecurity firm Volexity, the most recent variant of the Powerstar backdoor is probably supported by a custom server-side component that automates basic tasks for the operator. The latest version also uses a distributed file protocol to disseminate personalized phishing links.

Volexity found that the malware has gained several new capabilities, including the use of the InterPlanetary File System (IPFS) and publicly accessible cloud hosts to remotely host its decryption function and configuration details.

In April, Microsoft reported on the same actor under its own designation, Mint Sandstorm, describing an implant called CharmPower (another name for Powerstar) that was delivered through targeted spear-phishing campaigns. The campaigns focused on individuals in the security community and on people affiliated with think tanks or universities in Israel, North America, and Europe.

The threat actor known as Charming Kitten, also tracked as Phosphorus, TA453, APT35, Cobalt Illusion, ITG18, and Yellow Garuda, has conducted surveillance operations against journalists and activists since at least 2013. More recently, researchers observed the attackers posing as a reporter from an Israeli media organization.

Their approach is to send targeted individuals an email with a malicious attachment, urging the recipient to review a document on U.S. foreign policy. To hinder detection and analysis, the malware keeps its decryption routine separate from the initial code and never writes it to disk, so a captured sample cannot be decrypted without also recovering the remotely hosted component.

Volexity researchers found that the malware captures screenshots and uploads them to the attacker's server, detects installed antivirus software, collects system information, and runs a clean-up module to erase traces. The IPFS variant of Powerstar establishes persistence through a Registry Run key, which is a practical place for defenders to look when triaging a suspected infection.

The InterPlanetary File System (IPFS) is a decentralized network in which files are stored and retrieved by unique content identifiers (CIDs) derived from a hash of the content rather than by server location, borrowing ideas from both BitTorrent swarms and Git repositories. Because any node or public gateway can serve a given CID, content hosted this way is harder to take down than a file on a single attacker-controlled server, and fetches of it can blend in with ordinary web traffic.
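To show how a defender might hunt for the IPFS retrievals described above, here is an added example that is not part of the original post and not code from Volexity or from the malware itself. It scans constructed web-proxy log lines for the two common gateway URL shapes (`/ipfs/<cid>` path form and `<cid>.ipfs.<gateway>` subdomain form) and validates each candidate as a structurally sound CIDv0 (base58btc sha2-256 multihash) or CIDv1 (base32, version byte 1, dag-pb or raw codec). The log format, the gateway hostnames and the payload bytes are all assumptions made for this example.

```python
"""Hunt web-proxy logs for IPFS gateway fetches.

Added example; not Volexity's code and not from Powerstar. The log format
("<timestamp> <client_ip> <method> <url> <status>"), the gateway hostnames
and the payload bytes are assumed for illustration only.
"""
import base64
import hashlib
import re
from dataclasses import dataclass

BASE58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
PATH_FORM = re.compile(r"/ipfs/([A-Za-z0-9]+)")               # https://gw/ipfs/<cid>
SUBDOMAIN_FORM = re.compile(r"^https?://([a-z2-7]+)\.ipfs\.")  # https://<cid>.ipfs.gw/


def base58_decode(s: str) -> bytes:
    n = 0
    for ch in s:
        idx = BASE58.find(ch)
        if idx < 0:
            raise ValueError("not base58")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))  # leading '1' digits encode leading zero bytes
    return b"\x00" * pad + body


def base58_encode(raw: bytes) -> str:
    n = int.from_bytes(raw, "big")
    digits = ""
    while n:
        n, rem = divmod(n, 58)
        digits = BASE58[rem] + digits
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + digits


def is_cidv0(s: str) -> bool:
    """CIDv0 is the base58btc form of a sha2-256 multihash: 0x12 0x20 + 32-byte digest."""
    try:
        raw = base58_decode(s)
    except ValueError:
        return False
    return len(raw) == 34 and raw[:2] == b"\x12\x20"


def is_cidv1(s: str) -> bool:
    """CIDv1 with multibase prefix 'b' (lowercase base32): version 1, dag-pb (0x70)
    or raw (0x55) codec, then the same sha2-256 multihash."""
    if not s.startswith("b"):
        return False
    body = s[1:].upper()
    try:
        raw = base64.b32decode(body + "=" * (-len(body) % 8))
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return len(raw) == 36 and raw[0] == 0x01 and raw[1] in (0x70, 0x55) and raw[2:4] == b"\x12\x20"


def classify(cid: str) -> str:
    if is_cidv0(cid):
        return "cidv0"
    if is_cidv1(cid):
        return "cidv1"
    return "malformed"  # looks like a gateway URL but the identifier does not parse


@dataclass
class Hit:
    line: str
    cid: str
    kind: str


def scan(lines):
    """Return one Hit per log line whose URL addresses IPFS content."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        url = fields[3]
        m = PATH_FORM.search(url) or SUBDOMAIN_FORM.match(url)
        if m:
            hits.append(Hit(line, m.group(1), classify(m.group(1))))
    return hits


# Constructed sample data. Note: real IPFS wraps file bytes in a UnixFS/dag-pb node
# before hashing, so these CIDs are structurally valid but are not what `ipfs add`
# would assign to PAYLOAD itself.
PAYLOAD = b"constructed stand-in for a remotely hosted decryptor/config blob"
DIGEST = hashlib.sha256(PAYLOAD).digest()
CID_V0 = base58_encode(b"\x12\x20" + DIGEST)
CID_V1 = "b" + base64.b32encode(b"\x01\x70\x12\x20" + DIGEST).decode().lower().rstrip("=")

SAMPLE_LOG = [  # constructed lines; gateway names are illustrative
    f"2023-06-28T09:14:02Z 10.0.0.15 GET https://ipfs.io/ipfs/{CID_V0} 200",
    f"2023-06-28T09:14:05Z 10.0.0.15 GET https://{CID_V1}.ipfs.dweb.link/ 200",
    "2023-06-28T09:15:11Z 10.0.0.22 GET https://example.com/ipfs/QmNotARealCid 404",
    "2023-06-28T09:16:30Z 10.0.0.22 GET https://example.com/docs/policy.pdf 200",
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"{h.kind:9} {h.cid}  <- {h.line}")
```

Validating the identifier rather than just matching the string `ipfs` cuts noise from documentation pages and false positives on unrelated paths, while still surfacing malformed hits for a human to review. In practice you would feed real proxy or DNS logs in and pivot on the client hosts that fetched a CID, then check those hosts for the Run key persistence noted above.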