POWERSTAR Backdoor
Charming Kitten, a state-sponsored group linked to Iran's Islamic Revolutionary Guard Corps (IRGC), has been attributed another targeted spear-phishing campaign, this one distributing an updated variant of a full-featured PowerShell backdoor known as POWERSTAR.
The latest POWERSTAR build adds operational-security measures that make it considerably harder for analysts to recover the payload and study the backdoor's inner workings. The changes are aimed at both evading detection on the victim host and frustrating after-the-fact analysis of any samples that are captured.
The Charming Kitten Operators Rely Heavily on Social Engineering Tactics
The Charming Kitten threat actors, also tracked as APT35, Cobalt Illusion, Mint Sandstorm (formerly Phosphorus), and Yellow Garuda, rely on social engineering to reach their targets. They build custom fake personas on social media and carry on prolonged conversations to establish trust before, at a moment of their choosing, sending the victim a malicious link.
Charming Kitten has also broadened its intrusion toolset. Recent attacks have deployed other implants, such as PowerLess and BellaCiao, which shows that the group maintains a range of espionage tools and picks the one that suits each operation. That flexibility lets it adapt tactics and techniques to the circumstances of each target.
POWERSTAR Backdoor Infection Vectors are Evolving
In the May 2023 campaign, Charming Kitten used a two-stage delivery to keep POWERSTAR away from analysis and detection. The lure is a password-protected RAR archive containing an LNK file; the password keeps automated scanners from inspecting the archive's contents, and the LNK, once launched, downloads the backdoor from Backblaze cloud storage rather than carrying it in the lure itself.
According to researchers, Charming Kitten deliberately separated the decryption routine for the POWERSTAR payload from the initial code and never writes it to disk; it is delivered separately and exists only in memory. This is the extra layer of operational security: an analyst who recovers the encrypted payload from a disk image or a network capture has no way to decrypt it without that in-memory routine, so the backdoor's full functionality stays out of reach of anyone outside the operators' control, and it limits the chance of successful decryption of the corresponding payload in the future.
POWERSTAR Carries a Wide Range of Threatening Functions
The POWERSTAR backdoor can execute PowerShell and C# commands remotely, establish persistence, collect system information, and download and run additional modules. Observed modules enumerate running processes, capture screenshots, search for files with specific extensions, and check that the persistence components are still in place.
The cleanup module has been substantially expanded compared to previous versions. It is designed to remove all traces of the malware and delete the registry keys used for persistence, which leaves fewer artifacts for incident responders once the operators are done with a host. Together these changes show Charming Kitten continuing to refine the tooling with evasion in mind.
Researchers have also observed a separate POWERSTAR variant that obtains its hard-coded C2 server by decoding a file stored on the decentralized InterPlanetary Filesystem (IPFS). Because IPFS content is addressed by its hash and served from many nodes, taking down a single host does not remove the C2 pointer, which makes the attack infrastructure more resilient to takedown and harder to block.