Charming Kitten ‘Sharpens Claws’ with Backdoor to PowerShell!


The infamous Iranian APT is stocking up with new malicious tools & evasion tactics & may be behind the ‘Memento’ ransomware.

The Iranian Advanced Persistent Threat (APT) ‘Charming Kitten’ is ‘sharpening its claws’ with a new set of tools, including a new PowerShell backdoor & related stealth tactics, that show the group evolving yet again. The new tools may mean that it’s ‘getting ready to pounce’ on fresh victims, researchers think.

Backdoor

Researchers at cyber-security firm Cybereason discovered the tools, which include a ‘backdoor’ they dubbed “PowerLess Backdoor,” as well as an evasive manoeuvre to run the backdoor in a .NET context rather than as one that triggers a PowerShell process, the Cybereason Nocturnus Team wrote in a report published this Tues.

“The Cybereason Nocturnus Team was able to identify a new toolset that includes a novel backdoor, malware loaders, a browser info stealer, & a keylogger,” Cybereason Senior Malware Researcher Daniel Frank wrote in the report.

The team also identified links between Charming Kitten & the Memento ransomware that emerged in late 2021 & until now has been unattributed, signalling that the APT may be moving beyond its usual cyber-espionage methods & into new cyber-criminal territory, researchers observed.

Iranian Govt

‘Charming Kitten’ is a prolific APT believed to be backed by the Iranian Govt. & known by a number of other names – including TA453, APT35, Ajax Security Team, NewsBeef, Newscaster & Phosphorus.

The group – which 1st rose to prominence in 2018 – was extremely active throughout 2020 & 2021 & is best known for targeted cyber-espionage attacks against politicians, journalists, human-rights activists, researchers, scholars & think tanks.

Some of the APT’s more high-profile attacks occurred in 2020, when the group targeted the Trump & Biden presidential campaigns as well as attendees of 2 global geo-political summits, the Munich Security Conference & the Think 20 (T20) Summit, in separate & various incidents.

New Batch of Malware

The Cybereason Nocturnus team uncovered a raft of new Charming Kitten activity when they investigated threat-intelligence efforts that “included pivoting on an IP address (162.55.136[.]20) that was already attributed to Iranian threat actors by multiple sources, including US CERT,” Frank explained.

The team took a deeper look into different files that were downloaded from the IP address & discovered a treasure trove of novel tools as well as links to Memento ransomware, he observed.

PowerShell Trojan

‘Charming Kitten’ is now using what researchers have dubbed PowerLess Backdoor, a previously undocumented PowerShell trojan that supports downloading additional payloads, such as a keylogger & an info stealer.

The team also discovered a unique new PowerShell execution process related to the backdoor aimed at slipping past security-detection products, Frank wrote.

“The PowerShell code runs in the context of a .NET application, thus not launching ‘powershell.exe’, which enables it to evade security products,” he wrote.
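A defender-side illustration of the point above, added here and not taken from the Cybereason report: a .NET process that hosts the PowerShell engine never spawns powershell.exe, but it must still load the engine assembly (System.Management.Automation.dll), so an image-load telemetry source such as Sysmon Event ID 7 can surface it. The Sysmon records below are constructed for the example, and the hypothetical allowlist of known hosts would need tuning for legitimate third-party PowerShell hosts in a real environment.

```python
import re

# Executables expected to load the PowerShell engine. Anything else loading it is
# worth a look: that is the "no powershell.exe" evasion described in the article.
# Hypothetical allowlist; extend it with legitimate in-house PowerShell hosts.
KNOWN_POWERSHELL_HOSTS = {"powershell.exe", "powershell_ise.exe", "pwsh.exe"}
ENGINE_DLL_PREFIX = "system.management.automation"  # matches the .dll and its .ni.dll image

# Constructed Sysmon records flattened to one "key=value" line each (not real telemetry).
# Line 2 is the interesting one: a .NET binary in %TEMP% loading the PowerShell engine.
SAMPLE_EVENTS = r"""
EventID=7 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ImageLoaded=C:\Windows\assembly\GAC_MSIL\System.Management.Automation\System.Management.Automation.dll User=CORP\alice
EventID=7 Image=C:\Users\bob\AppData\Local\Temp\update.exe ImageLoaded=C:\Windows\assembly\GAC_MSIL\System.Management.Automation\System.Management.Automation.dll User=CORP\bob
EventID=7 Image=C:\Users\bob\AppData\Local\Temp\update.exe ImageLoaded=C:\Windows\System32\kernel32.dll User=CORP\bob
EventID=1 Image=C:\Windows\System32\notepad.exe CommandLine=notepad.exe User=CORP\alice
EventID=7 Image=C:\Program Files\PowerShell\7\pwsh.exe ImageLoaded=C:\Program Files\PowerShell\7\System.Management.Automation.dll User=CORP\carol
"""


def parse_event(line):
    """Turn one 'key=value key=value' record into a dict; values may contain spaces."""
    return {k: v for k, v in re.findall(r"(\w+)=(.*?)(?= \w+=|$)", line)}


def is_engine_load(event):
    """True for an image-load event whose loaded module is the PowerShell engine."""
    loaded = event.get("ImageLoaded", "").rsplit("\\", 1)[-1].lower()
    return (event.get("EventID") == "7"
            and loaded.startswith(ENGINE_DLL_PREFIX)
            and loaded.endswith(".dll"))


def hidden_powershell_hosts(raw_events):
    """Return (host image, user) for processes that load the PowerShell engine
    but are not one of the known PowerShell executables."""
    findings = []
    for line in raw_events.strip().splitlines():
        event = parse_event(line)
        if not is_engine_load(event):
            continue
        host = event.get("Image", "")
        if host.rsplit("\\", 1)[-1].lower() not in KNOWN_POWERSHELL_HOSTS:
            findings.append((host, event.get("User", "")))
    return findings


if __name__ == "__main__":
    for host, user in hidden_powershell_hosts(SAMPLE_EVENTS):
        print(f"PowerShell engine loaded by non-PowerShell host {host} (user {user})")
```

Pairing this with PowerShell script-block logging (Event ID 4104), which fires regardless of the hosting process, gives a second signal that does not depend on powershell.exe appearing in process-creation logs.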

Multi-Staged Malware

Overall, the new tools show ‘Charming Kitten’ developing more “modular, multi-staged malware” with payload-delivery aimed at “both stealth & efficacy,” Frank noted. The group also is leaning heavily on open-source tools such as cryptography libraries, weaponizing them for payloads & communication encryption, he commented.

This reliance on open-source tools demonstrates that the APT’s developers likely lack “specialisation in any specific coding language” & possess “intermediate coding skills,” Frank observed.

The Memento Connection

Cybereason Nocturnus also found that another IP that US CERT has linked to Charming Kitten, 91.214.124[.]143, has been communicating with malicious files & has “unique URL directory patterns that reveal a potential connection to Memento ransomware,” Frank wrote.

“The string ‘gsdhdDdfgA5sS’ appears to be generated by the same script as the one listed in the Memento ransomware IOCs – ‘gadfTs55sghsSSS’,” he explained, citing specific directory activity that researchers observed. “The domain ‘google.onedriver-srv[.]ml’ was previously resolved to the IP address 91.214.124[.]143 mentioned in the US CERT alert about Iran state-sponsored actors’ activity.”

Command & Control

Analysing this directory activity suggests the IP may be serving as command & control (C2) infrastructure for Memento, researchers found.

This connection makes sense when noting that ‘Charming Kitten’s’ activity last year to exploit the ProxyShell vulnerability – an RCE flaw in Microsoft Exchange servers that suffered a barrage of attacks – “took place in about the same time frame as Memento,” Frank observed.

“Iranian threat actors were also reported to be turning to ransomware during that period, which strengthens the hypothesis that Memento is operated by an Iranian threat actor,” he revealed.

Organisations Alert

‘Charming Kitten’s’ continuous evolution of its capabilities has been well-documented, so its new tools & potential to expand in terms of the type of attacks it can deliver should come as no surprise.

Indeed, threat groups in general are like any legitimate businesses because they must evolve constantly to meet business objectives, especially when old tactics become obsolete or authorities become aware, noted a security professional.

New Tactics

“Cyber-criminals, like any business, work to evolve their software to improve, evolve & scale to bring about the best results needed to be successful,” observed James McQuiggan, Security Awareness Advocate at KnowBe4.

In the same way, organisations need to constantly be alert & create “a strong security culture” so they aren’t caught unawares by new tactics used by APTs like ‘Charming Kitten’ & other highly organised threat groups, he concluded.
