A modern determined cyber threat group known as APT35 or Charming Kitten has updated their malware toolset and has included a new PowerShell based implant called PowerLess backdoor. The backdoor is capable of downloading a browser info stealer and a keylogger. Further, PowerLess backdoor encrypt, decrypt data, execute arbitrary commands and even kill process.
The new malware is modular and multi-staged, and the group also employs a variety of open-source technologies for both stealth and efficacy. Powershell.exe is not launched since PowerLess runs in a .NET context but PowerShell logs are still saved. If the C2 server sends an instruction to kill a process, a PowerShell process is created.
How it works
Researchers stumbled upon a file named WindowsProcesses.exe while examining different files that were downloaded from the IP address (18.104.22.168) associated with this malware. The only purpose of WindowsProcesses.exe is to resolve relevant DLLs and load another file from the %windir%Temp path named dll.dll
The file dll.dll is executed once the relevant DLLs which are mostly related to .NET runtime libraries and API calls are resolved. Dll.dll is a .NET AES decryptor that uses a hardcoded key to decode another file named upc to execute PowerShell code from the decrypted object. Multiple encryption layers are present in the upc, which are all decrypted in phases utilizing base64 and AES ECB decryption.
The keys being used for decryption are:
An intermediate stage occurs before decrypting the PowerShell backdoor, in which the victim”s system is allocated a unique identification, which is relayed to the C2, which downloads an additional configuration. The PowerLess backdoor is launched when all the AES encrypted layers have been decrypted.
To date, no patch for this vulnerability has been published, however, users are advised to follow the steps below: