Hackers Using New PowerShell Backdoor in Cyber Espionage Attacks (4th February 2022)

Ref# AL2022_07 | Date: Feb 4th 2022

Description

A determined cyber threat group known as APT35 or Charming Kitten has updated its malware toolset to include a new PowerShell-based implant called the PowerLess backdoor. The backdoor is capable of downloading a browser information stealer and a keylogger. PowerLess can also encrypt and decrypt data, execute arbitrary commands and even kill processes.

Summary

The new malware is modular and multi-staged, and the group also employs a variety of open-source tools for both stealth and effectiveness. Because PowerLess runs its PowerShell code in a .NET context, powershell.exe is not launched, but PowerShell logs are still recorded. If the C2 server sends an instruction to kill a process, however, a PowerShell process is created.
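As an added illustration (not part of the original alert), the Python script below shows one way a defender can act on the point above, that the engine is hosted inside a .NET process instead of powershell.exe while PowerShell logging continues: it scans constructed records shaped like Windows PowerShell log event 400 (engine start), whose HostApplication field names the executable hosting the engine, and flags any host that is not on an allow-list. The sample records, paths and allow-list are assumptions for the example.

```python
import re
from typing import Dict, List

# Constructed sample records shaped like the message body of Windows
# PowerShell log event 400 ("Engine state is changed from None to Available").
# Paths and host names are hypothetical, not observations from a real system.
SAMPLE_EVENTS = [
    "EventID=400 HostName=ConsoleHost HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -NoProfile",
    "EventID=400 HostName=Default Host HostApplication=C:\\Users\\alice\\AppData\\Local\\Temp\\WindowsProcesses.exe",
    "EventID=400 HostName=Windows PowerShell ISE Host HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe",
    "EventID=403 HostName=ConsoleHost HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "EventID=400 HostName=Default Host HostApplication=\"C:\\Program Files\\Contoso\\BackupAgent.exe\" -Quiet",
]

# Executables expected to host the PowerShell engine in this (assumed) environment.
KNOWN_HOSTS = {"powershell.exe", "powershell_ise.exe", "pwsh.exe"}

# key=value pairs; values may contain spaces, so a value ends before the next "key=".
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")
# First token of the command line that ends in .exe, quoted or not.
IMAGE_RE = re.compile(r'^"?(.*?\.exe)"?(?:\s|$)', re.IGNORECASE)


def parse_event(line: str) -> Dict[str, str]:
    """Split a flattened event record into its key=value fields."""
    return {m.group(1): m.group(2).strip() for m in FIELD_RE.finditer(line)}


def host_image(host_application: str) -> str:
    """Return the lower-cased basename of the executable named in HostApplication."""
    m = IMAGE_RE.match(host_application)
    path = m.group(1) if m else host_application.split()[0]
    return re.split(r"[\\/]", path)[-1].lower()


def find_unusual_hosts(lines: List[str]) -> List[Dict[str, str]]:
    """Engine-start events whose hosting executable is not on the allow-list."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "400":
            continue  # only engine-start events are of interest here
        image = host_image(ev.get("HostApplication", ""))
        if image not in KNOWN_HOSTS:
            findings.append({"host_name": ev.get("HostName", ""),
                             "image": image,
                             "command_line": ev.get("HostApplication", "")})
    return findings


if __name__ == "__main__":
    for f in find_unusual_hosts(SAMPLE_EVENTS):
        print(f"unusual PowerShell host: {f['image']} ({f['command_line']})")
```

Each hit should be triaged against the organisation's inventory of legitimate engine hosts; on the constructed input the script flags WindowsProcesses.exe and the backup agent, not the two standard hosts.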

How it works

Researchers came across a file named WindowsProcesses.exe while examining files downloaded from the IP address 162.55.136.20 associated with this malware. The only purpose of WindowsProcesses.exe is to resolve the relevant DLLs and load another file, dll.dll, from the %windir%\Temp path.

The file dll.dll is executed once the relevant DLLs, mostly .NET runtime libraries and API calls, have been resolved. dll.dll is a .NET AES decryptor that uses a hardcoded key to decode another file named upc and execute PowerShell code from the decrypted object. The upc file contains multiple encryption layers, which are decrypted in stages using base64 decoding and AES ECB decryption.

The keys being used for decryption are:

  • ()*&3dCfabE2/123
  • 0123654789mkiujn
  • 25sL(*14@#SDFcgd

An intermediate stage occurs before the PowerShell backdoor is decrypted, in which the victim's system is assigned a unique identifier that is relayed to the C2, which in turn downloads an additional configuration. The PowerLess backdoor is launched once all the AES-encrypted layers have been decrypted.

Remediation

To date, no patch for this threat has been published; however, users are advised to follow the steps below:

  • Delete any malware-related programs and files, as well as the malware's persistence mechanism, manually. This can be supported by running signature-based detection, one of the most common methods for dealing with software threats: once a match is found, the file is classified as a threat and prevented from acting further.
  • Ensure all malicious files have been removed from the compromised system by running a memory scanner.
  • Examine all access points, check security system settings, and make sure all software tools are updated to the latest version. These checks help detect outdated firmware, which should be upgraded if found, and confirm that the security system was set up correctly for how the network is used.
  • The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.

PDF Download: Hackers Using New PowerShell Backdoor in Cyber Espionage Attacks.pdf
