Iranian APT Group Charming Kitten Updates Powerstar Backdoor
Attackers Updating Malware to Conduct Espionage by Distributing Phishing Links
An Iranian government-backed hacking group known as Charming Kitten has updated its malware arsenal to include an updated version of the Powerstar backdoor, also known as CharmPower.
Researchers at cybersecurity firm Volexity described the latest variant as complex and likely supported by a custom server-side component that automates simple actions on behalf of the Powerstar operator.
The latest iteration leans on a distributed file protocol, the InterPlanetary File System (IPFS), and on publicly accessible cloud hosts: the decryption function and configuration details are fetched remotely rather than shipped with the initial code, and the same kind of hosting serves the group's customized phishing links.
In April, Microsoft reported that the group, which it now tracks as Mint Sandstorm, was delivering an implant dubbed CharmPower through spear-phishing campaigns targeting individuals with ties to the security community who are affiliated with think tanks or universities in Israel, North America and Europe.
Charming Kitten is also known as Phosphorus, TA453, APT35, Cobalt Illusion, ITG18 and Yellow Garuda. The group has spied on journalists and activists since at least 2013.
Researchers said the attackers impersonated a reporter from an Israeli media organization and emailed the target a request to review a document related to U.S. foreign policy; no malicious file is sent at this stage.
Once the potential victim agrees, Charming Kitten sends a second, benign email containing a list of questions, to which the target responds, further building the target's confidence in the sender.
After a few days, having gained the target's trust, the operators of Charming Kitten send a "draft."
"This draft is a password-protected RAR file containing a malicious LNK file. The password for the RAR file was provided in a subsequent email," the researchers wrote.
The malware limits its exposure to analysis and detection by delivering the decryption method separately from the initial code and never writing it to disk, so a payload recovered from a victim's machine cannot be decrypted on its own.
"This has the added bonus of acting as an operational guardrail, as decoupling the decryption method from its command-and-control server prevents future successful decryption of the corresponding POWERSTAR payload," the researchers said.
The researchers found that the malware can take screenshots and upload them to the attacker-controlled C2 server, identify running antivirus software, establish persistence for the IPFS variant of Powerstar via a Registry Run key, collect system information and, finally, remove traces of itself using a cleanup module.
IPFS is a peer-to-peer network in which nodes store blocks of files; each block, and each file, is addressed by a hash-derived fingerprint its designers call a "content identifier" (CID). Content is stored and retrieved by CID rather than by the location of a particular server, so a file remains reachable as long as any node still holds it, and public HTTP gateways let a client fetch it without running IPFS software. That is what makes it attractive for hosting malware components: there is no single host to take down.
Protocol inventor Juan Benet described it in a white paper as being analogous to "a single BitTorrent swarm, exchanging objects within one Git repository."
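As an added example (not code from the article or from Volexity), the following Python scans constructed web-proxy log lines for IPFS gateway URLs and validates the CID each one carries by decoding its multihash, the check a detection rule would want before alerting on a "Qm..." or "bafy..." string. It also builds CIDs from sample bytes so the validation can be exercised offline. The gateway hostnames, log layout and URL field position are assumptions.

```python
"""Find IPFS gateway fetches in web-proxy logs and validate the CID in each.

Added example for this article; not Volexity's code or tooling from the
campaign. The proxy log lines are constructed for the demo. Assumption:
one space-separated line per request, with the URL in the fourth field.
"""
import base64
import hashlib
import re

_B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def multihash_sha256(data: bytes) -> bytes:
    """Multihash: code 0x12 (sha2-256), length 0x20, then the digest."""
    return b"\x12\x20" + hashlib.sha256(data).digest()

def b58encode(raw: bytes) -> str:
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, rem = divmod(n, 58)
        out = _B58[rem] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out  # zero bytes -> '1'

def b58decode(s: str) -> bytes:
    n = 0
    for ch in s:
        n = n * 58 + _B58.index(ch)  # ValueError on a character outside the alphabet
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x00" * (len(s) - len(s.lstrip("1"))) + raw

def b32_lower(raw: bytes) -> str:
    """Lowercase, unpadded RFC 4648 base32, as used by CIDv1 strings."""
    return base64.b32encode(raw).decode().lower().rstrip("=")

def b32_lower_decode(s: str) -> bytes:
    return base64.b32decode(s + "=" * (-len(s) % 8), casefold=True)

def read_varint(buf: bytes, pos: int):
    val = shift = 0
    while True:
        b, pos = buf[pos], pos + 1
        val |= (b & 0x7F) << shift
        if not b & 0x80:
            return val, pos
        shift += 7

def cid_v0(data: bytes) -> str:
    """CIDv0 is the bare base58btc multihash, the familiar 'Qm...' form."""
    return b58encode(multihash_sha256(data))

def cid_v1(data: bytes, codec: int = 0x55) -> str:
    """CIDv1: multibase 'b' + base32(varint 1, varint codec, multihash).
    Codec 0x55 is raw bytes ('bafkrei...'); 0x70 is dag-pb ('bafybei...')."""
    return "b" + b32_lower(bytes([1, codec]) + multihash_sha256(data))

def parse_cid(cid: str):
    """Return (version, codec, hash_code, digest), or None if cid is malformed."""
    try:
        if cid.startswith("Qm") and len(cid) == 46:
            buf, version, codec, pos = b58decode(cid), 0, 0x70, 0
        elif cid.startswith("b"):
            buf = b32_lower_decode(cid[1:])
            version, pos = read_varint(buf, 0)
            codec, pos = read_varint(buf, pos)
            if version != 1:
                return None
        else:
            return None
        hash_code, pos = read_varint(buf, pos)
        length, pos = read_varint(buf, pos)
        digest = buf[pos:]
        return (version, codec, hash_code, digest) if len(digest) == length else None
    except (ValueError, IndexError):
        return None

# Path-style https://gateway/ipfs/<cid> and subdomain-style https://<cid>.ipfs.gateway/ URLs.
IPFS_URL_RE = re.compile(
    r"https?://(?:(?P<sub>[a-z2-7]+)\.ipfs\.[\w.-]+|[\w.-]+/ipfs/(?P<path>[A-Za-z0-9]+))"
)

def find_ipfs_fetches(log_lines):
    """Return (client_ip, cid, parsed_cid) for each request carrying a valid CID."""
    hits = []
    for line in log_lines:
        fields = line.split()
        m = IPFS_URL_RE.search(fields[3]) if len(fields) > 3 else None
        if m:
            cid = m.group("sub") or m.group("path")
            parsed = parse_cid(cid)
            if parsed is not None:
                hits.append((fields[1], cid, parsed))
    return hits

# Constructed log lines: timestamp, client, method, URL, status.
SAMPLE_LOG = [
    "2023-06-28T10:01:02Z 10.0.0.15 GET https://example.com/index.html 200",
    f"2023-06-28T10:01:09Z 10.0.0.15 GET https://ipfs.io/ipfs/{cid_v0(b'stage2')} 200",
    f"2023-06-28T10:01:11Z 10.0.0.22 GET https://{cid_v1(b'config')}.ipfs.dweb.link/ 200",
    "2023-06-28T10:01:15Z 10.0.0.22 GET https://example.org/ipfs/notacid 404",
]

if __name__ == "__main__":
    for client, cid, (ver, codec, _, digest) in find_ipfs_fetches(SAMPLE_LOG):
        print(f"{client} fetched CIDv{ver} codec=0x{codec:02x} sha256={digest.hex()}")
```

The sha256 digest recovered from a CID is a durable indicator: the same payload bytes always produce the same CID, whichever gateway or peer serves them, so a CID seen in one campaign can be matched in logs even after the original gateway URL changes. The regex deliberately matches any host with an `/ipfs/` path, since gateways are easy to stand up, and relies on `parse_cid` to discard look-alike strings.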
"The use of cloud-hosting providers to host both malware code and phishing content is a continued theme from Charming Kitten," the researchers said. "The references to persistence mechanisms and executable payloads within the Powerstar Cleanup module strongly suggest a broader set of tools used by Charming Kitten to conduct malware-enabled espionage."