The Iran-based Charming Kitten APT has been observed using a new backdoor named PowerLess, along with several other tools. PowerLess is a PowerShell-based implant that executes its PowerShell code in an evasive manner.
New additions to the arsenal
The PowerLess backdoor can download and run supplemental modules, such as a keylogger and an information stealer. Its PowerShell code runs inside a DotNET application, so the backdoor never launches powershell[.]exe, which allows it to bypass security solutions that monitor for that process.
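The in-process hosting described above still leaves a footprint: any process that runs PowerShell without powershell.exe must load the engine assembly, System.Management.Automation.dll, into itself. The following is an added example, not code from the original report, that scans constructed Sysmon Event ID 7 (ImageLoaded) records and flags the engine being loaded by a host other than the standard PowerShell executables; the sample events, the host allowlist and the updater.exe name are assumptions.

```python
"""Flag PowerShell engine loads in processes other than the normal PowerShell hosts."""
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Hosts expected to load the engine; tune to your environment (assumption).
LEGIT_HOSTS = {"powershell.exe", "powershell_ise.exe", "pwsh.exe"}
# A process hosting PowerShell in-process must load this assembly (or its native image).
ENGINE_DLLS = {"system.management.automation.dll", "system.management.automation.ni.dll"}

GAC = r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation"
# Constructed sample log (not real telemetry): three Sysmon ImageLoaded events.
SAMPLE_EVENTS = f"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>7</EventID></System>
 <EventData><Data Name="Image">C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</Data>
  <Data Name="ImageLoaded">{GAC}\\System.Management.Automation.dll</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>7</EventID></System>
 <EventData><Data Name="Image">C:\\Users\\Public\\updater.exe</Data>
  <Data Name="ImageLoaded">C:\\Windows\\System32\\kernel32.dll</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>7</EventID></System>
 <EventData><Data Name="Image">C:\\Users\\Public\\updater.exe</Data>
  <Data Name="ImageLoaded">{GAC}\\System.Management.Automation.dll</Data></EventData></Event>
</Events>"""


def parse_image_loads(xml_text):
    """Return one {Name: value} dict per Event ID 7 record in the XML export."""
    root = ET.fromstring(xml_text)
    records = []
    for ev in root.findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "7":
            continue
        records.append({d.get("Name"): d.text or ""
                        for d in ev.findall("e:EventData/e:Data", NS)})
    return records


def suspicious_powershell_hosts(records):
    """Return (host image, loaded DLL) pairs where a non-PowerShell process loads the engine."""
    hits = []
    for rec in records:
        host = PureWindowsPath(rec.get("Image", "")).name.lower()
        loaded = PureWindowsPath(rec.get("ImageLoaded", "")).name.lower()
        if loaded in ENGINE_DLLS and host not in LEGIT_HOSTS:
            hits.append((rec["Image"], rec["ImageLoaded"]))
    return hits


if __name__ == "__main__":
    for host, dll in suspicious_powershell_hosts(parse_image_loads(SAMPLE_EVENTS)):
        print(f"PowerShell engine hosted outside a normal host: {host} loaded {dll}")
```

Script block logging (event 4104) is produced by the engine itself and therefore also captures hosted PowerShell, so pairing it with the DLL-load check gives both the fact of hosting and the script content.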
Along with the backdoor, the attacker's toolset includes highly modular, multi-staged malware that unpacks and deploys additional payloads in several stages for stealth and to achieve its intended results. For example, the developer behind the PowerLess backdoor has been linked to other tools such as an audio recorder, an information stealer variant, and an incomplete ransomware variant written in DotNET.
New connections have emerged
Experts found infrastructure overlaps between Charming Kitten and the new ransomware known as Memento, which was first spotted in November 2021. Moreover, Charming Kitten's ProxyShell activity took place at about the same time as Memento's appearance. Together, these facts support the hypothesis that the Memento ransomware was operated by an Iranian threat actor.
The recent attacks by Charming Kitten show its growing capability and resources to develop new tools such as PowerLess. To stay secure, organizations should share intelligence, deploy a network firewall, and install an anti-malware solution.